virus worm alert : Email-Worm.Win32.Sober.y

Thierry

Hi,

An email worm named 'win32.Sober.y' is currently infecting personal
computers thanks to your mail system.
It can also jump to other mailboxes thanks to your address book.
If you have more information about it, please complete the next data bank
http://www.viruslist.com/en/search?VN=Email-Worm.Win32.Sober.y

Hopefully Kaspersky sees it immediately and deletes it at your request.

A trick: add a rule in your mailing system to delete directly from the host
server all (e-mail address removed) mails
It also comes from local servers and servers located in nearby countries
([email protected], (e-mail address removed) in my case as I live in Lux.).

Thierry
 
Gabriele Neukam

On that special day said:
> An email worm named 'win32.Sober.y' is currently infecting personal
> computers thanks to your mail system.

Thank you for the *fast* information - not! The first alerts were some
days ago, *here*.

And it is already the second version, which DOESN'T omit addresses with
"spam" inside. As a result, I received ten specimens today. Other
Germans who are running their own mailservers had to reject 21k of them.

Message-ID: <[email protected]>

gives an impression of what is going on.

Until now, Sober was mainly attacking German recipients, preparing
their machines to turn them into mass mailers, especially for a second
wave of pesky rightist hate mails. I wonder if the author has
"detected" the opportunities of making money with spam zombies...


Gabriele Neukam

(e-mail address removed)
 
Thierry

Gabriele Neukam said:
> Thank you for the *fast* information - not! The first alerts were some
> days ago, *here*.

Well. Hopefully for me. I saw it for the first time yesterday night, hence
this post.
I am following it. It is now detected in fr and be as well, but it is always
a Sober variant.

> And it is already the second version, which DOESN'T omit addresses with
> "spam" inside. As a result, I received ten specimens today.

You were spammed, and you call yourself "spamfighter"...? :)
Rather install good protection on your system instead of criticizing!

Thierry

Robert Baer

Thierry said:
> Hi,
>
> An email worm named 'win32.Sober.y' is currently infecting personal
> computers thanks to your mail system.
> It can also jump to other mailboxes thanks to your address book.
> If you have more information about it, please complete the next data bank
> http://www.viruslist.com/en/search?VN=Email-Worm.Win32.Sober.y
>
> Hopefully Kaspersky sees it immediately and deletes it at your request.
>
> A trick: add a rule in your mailing system to delete directly from the host
> server all (e-mail address removed) mails
> It also comes from local servers and servers located in nearby countries
> ([email protected], (e-mail address removed) in my case as I live in Lux.).
>
> Thierry

Modify that warning to *@fbi.gov and *@cia.gov where "*" means
anything, especially ranDUMB characters.
One day I got about 6; normally it is one or 2 at most per week.
The attachment seems to always be a ZIP with an EXE inside, and
Norton does not recognize the payload.
 
Robert Baer

Robert said:
> Modify that warning to *@fbi.gov and *@cia.gov where "*" means
> anything, especially ranDUMB characters.
> One day I got about 6; normally it is one or 2 at most per week.
> The attachment seems to always be a ZIP with an EXE inside, and Norton
> does not recognize the payload.

What is common with the "FBI" and "CIA" emails:
1) Subject seems to always be: Your_IP_was_logged
2) From has variants "post", "office" or "department" then @ then
"fbi.gov" or "cia.gov"
3) In the headers, they are always short and the received from has the
"*@cia.gov" or "*@fbi.gov" where "*" is ranDUMB trash, and the IP varies
widely.
4) The body of the message always is <BODY>

Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.


Yours faithfully,
Steven Allison



*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000
</body>
5) the attachment is always named "Question_list.zip" and there is only
one item inside, which is always an EXE.
6) NAV does not recognize the payload; "OK" according to them...
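
The indicators listed in the post above (subject, sender domain, attachment name, ZIP holding a single EXE) can be checked by a mail filter without relying on an antivirus signature. The following is an added example, not part of the original thread; the function names, the regex and the sample messages are constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators from the post above; one hit alone proves little, require several.
SUBJECT = "Your_IP_was_logged"
FROM_RE = re.compile(r"@(fbi|cia)\.gov(?![\w.-])", re.I)
ATTACHMENT = "Question_list.zip"

def zip_holds_single_exe(data):
    """True if the archive has exactly one member and its name ends in .exe."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return len(names) == 1 and names[0].lower().endswith(".exe")

def match_indicators(raw):
    """Return the set of indicator names matched by a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = set()
    if str(msg["Subject"] or "").strip() == SUBJECT:
        hits.add("subject")
    if FROM_RE.search(str(msg["From"] or "")):
        hits.add("from")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT.lower():
            hits.add("attachment_name")
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".zip") and zip_holds_single_exe(payload):
            hits.add("zip_single_exe")
    return hits

def build_sample(subject, sender, zip_name, members):
    """Constructed message for testing; members hold harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in members:
            zf.writestr(member, b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, "user@example.org"
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

The `zip_single_exe` check looks only at the archive's member list, so it keeps working when the scanner has no signature for the payload.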
 
