Virus alert!-I-Worm.Sober.i

Symantec: W32.Sober.I@mm

Category: 3 {which caused a liveupdate early this morning, by my Pacific Standard Time}.

W32.Sober.I@mm is a mass-mailing worm that uses its own SMTP engine to spread by sending itself as an email attachment to addresses gathered from the infected computer.

The subject of the email varies and will be in either English or German. The email sender address is spoofed.

The name of the email attachment varies, and it will have a .bat, .com, .pif, .scr, or .zip file extension. The attachment may also have a double extension.

This threat is written in the Microsoft Visual Basic programming language and is compressed with UPX.

Note: Live Update definitions with sequence number 38560 or greater will detect this threat.

Also Known As: WORM_SOBER.I [Trend], W32/Sober-I [Sophos], W32/Sober.j@MM [McAfee], Sobor.I [Panda]
Type: Worm
Infection Length: 56808 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Technical Details: http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.i@mm.html#technicaldetails

 

Panda: Sober.I
F-Secure: Sober.I
Sophos: W32/Sober-I
Trend: WORM_SOBER.I
McAfee: W32/Sober.j@MM
Norman: W32/Sober.I@mm
BitDefender: Win32.Sober.I@mm
Kaspersky: I-Worm.Sober.i
VSAntivirus: W32/Sober.I
F-Prot: W32/Sober.J@mm
Computer Associates: Win32.Sober.I

 

Trend Micro Medium Risk Virus Alert - WORM_SOBER.I

Dear Trend Micro customer,

As of November 19, 2004 (GMT -8:00 Pacific Standard Time), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_SOBER.I. TrendLabs has received numerous infection reports indicating that this malware is spreading in France, Germany, and Australia.

This mass-mailing worm arrives on a system as an email message that has German content. It propagates by sending copies of itself to certain email addresses, which it gathers from files on the system with specific extension names. However, it also avoids sending email messages to certain email addresses with certain strings. It also drops several files in the Windows system folder and creates registry entries to enable itself to run automatically at every system startup.


TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy 134
Official Pattern Release 2.255.00
Damage Cleanup Template 457

For more information on WORM_SOBER.I, you can visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBER.I

 

Panda Software reports the appearance of Sober.I

- Panda Software reports the appearance of Sober.I -
Virus Alerts, by Panda Software (http://www.pandasoftware.com) ​

MADRID, November 19, 2004 - PandaLabs has detected the appearance of a new worm called Sober.I. This malicious code is designed to spread rapidly via email in a message that can be written in English or German. According to data gathered by Panda Software's international tech support network, Sober.I is starting to spread across German-speaking countries, such as Germany and Austria, causing incidents in users' computers.

The messages carrying Sober.I have extremely variable characteristics, as the subject, message body and name of the attachment are all selected at random. If the user runs the file containing Sober.I, it creates a large number of files on the computer, such as clsobern.isc and nonzipsr.noz, which are copies of the worm, or logsys.exe and syssmss32.exe, which are files used by the worm to carry out its actions.

When it has been run, Sober.I looks for email addresses on the affected computer, which it then sends itself out to using its own SMTP engine. If the domain of the email address belongs to Switzerland (.ch), Germany (.de), Austria (.at) or Liechtenstein (.li), the worm inserts German texts in the email message. If the domain is any other than those mentioned above the email will be sent in English.

Finally, Sober.I inserts several entries in the Windows Registry in order to ensure that it is run whenever the computer is started.

Due to the high possibility of being infected by Sober.I, Panda Software advises users to take precautions and update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code.

In addition, users can scan their computers online for free with the Panda ActiveScan, available at http://www.pandasoftware.com/

For further information about Sober.I visit Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/

 

Already had e-mail with this worm!
Picked up by NAV and AVG.
AVG showed a number of .tmp files with the virus, all different extensions and was not able to Heal, Move to vault, or Delete.
Is this a function of running the two AVs in parallell?

 

I've got them flooding in through my junk mail folder in Hotmail

 

Warning! Worm.Win32.Sober.I!

The latest version of the Sober worm is spreading fast. As with it's predecessors, Sober.I spreads by email attachments. The email text suggests that it is an error message from the mailserver and the undelivery report is attached.

Current email clients like Outlook or Outlook Express are able to block harmful file extensions like EXE, COM or SCR, but Sober.I sometimes comes packed in a ZIP file to bypass outlook security. The ZIP file itself is not harmful, but the content inside (an executable file with variable file name) contains the worm and must not be opened!

A more detailed description of the worm can be found at the a² Malware Database:
http://www.emsisoft.com/en/malware/?Worm.Win32.Sober.I

 

I've been receiving lots and tons of JUNK e-mail containing attachments. I reported all the junk e-mail and deleted them immediately.