The Sober worm family is proliferic in email generation and this new variant has been declared as MEDIUM RISK by Secunia, and it is reported to be spreading in the France, Germany, and Australia.
Sober.I Worm - MEDIUM RISK by Secunia
http://secunia.com/virus_information/13463/win32.sober.i/
http://vil.nai.com/vil/content/v_130130.htm
http://www.sarc.com/avcenter/venc/data/w32.sober.i@mm.html
http://www.trendmicro.com/vinfo/virusencyc...me=WORM_SOBER.I
http://www3.ca.com/securityadvisor/virusin...s.aspx?id=40797
http://www.f-secure.com/v-descs/sober_i.shtml
http://www.pandasoftware.com/virus_info/en...4761&sind=0
As of November 11, 2004 at 1:31 AM (GMT -8:00 Pacific Standard Time), TrendLabs has declared a MEDIUM risk virus alert in order to control the spread of this new SOBER variant. TrendLabs has received numerous infection reports indicating that this malware is spreading in the France, Germany, and Australia.
The message it sends out has the following details:
Subject: (any of the following)
· Confirmation
· Delivery_failure_notice
· Details
· Faulty_mail delivery
· illegal signs in your mail
· invalid mail
· mail delivery system
· Mail delivery_failed
· Mail Error
· Mail_Delivery_failure
· Registration confirmation
· Your mail password
· Your Password
Message body: (any of the following)
· I was surprised, too!
*-*-* Mail_Scanner: No Virus
*-*-* SKYNET- Anti_Virus Service
*-*-* http://www.skynet.be
· Your password was changed successfully!
· Protected message is attached!
· ++++++ User-Service: http://www.<domain>
++++++ MailTo: postmaster <domain>
Message attachment:
FILE NAME
· im_shocked
· oh_nono
FILE EXTENSIONS
*.bat, *.com, *.exe, *.pif, and *.scr