W32/Sober.f@MM

04/06/04 - W32/Sober.f@MM

The virus is received in an email message with the following characteristics:

Subject: (one of the following)

Bad Gateway
Best
Confirmation Required
Connection failed
damn!
Datenbank-Fehler
Details
Einzelheiten
Faulty mail delivery
Fehler
Fehler in E-Mail
Fehlerhafte Mailzustellung
Hallo Du!
Hallo!
Hey
Hey Du
hey you
Hi!
Hi, Ich bin's
Hi, it's me
Ich bin es .-)
Ihr neues Passwort
Ihr Passwort
Illegal signs in Mail-Routing
Illegale Zeichen in Mail-Routing
Info
Information
Invalid mail sentence length
Mail delivery failed
Mail Delivery failure
mail delivery status
Mail Error
Mailzustellung fehlgeschlagen
Message Error
Na,
Oh my God
Registrierungs-Best
Ung
Verbindung fehlgeschlagen
Verdammt
Warning!
Warnung!
Well, surprise?!
Your document
Your mail account
Your mail-account
Your password

Body: (one of the following)

Ich war auch ein wenig
Wer konnte so etwas ahnen!? Lese selbst
Oh-Mann
Alles klaro bei dir?
Schau mal was Ich gefunden habe!
Meinst Du das wirklich?
Dokument
KurzText
Sieh mal nach ob du den Scheiss auch bei dir drauf hast!
Ist ein ziemlich nervender Virus. Mach genau das, wie es im Text beschrieben ist!
Bye
AntiVirus-Text
Anleitung
Ich habs dir doch gesagt, irgendwann schaffe ich es deine Passw
Passwoerter.txt
Details entnehmen Sie bitte dem Attachment
Dokumente
Text-Inhalt
*** Auto Mail Delivery System ***
Ihre E-Mail konnte nicht gesendet oder empfangen werden.
Bitte
attach:
AMD-System.txt
* End Transmission
--- Web: http://www.(domain name)
--- Mail To: User-Hilfe
Passwort und Benutzername wurde erfolgreich ge
Ihre Benutzernamen und Passw
++++ Im www erreichbar unter: http://www.(domain name)
++++ E-Mail: KundenInfo
Benutzer-Daten
Wegen eines Datenbank- Fehlers k
Wenn Sie Unregelm
Vielen Dank f
+++ Ein Service von
+++ http://www .(domain name)
+++ E-Mail: Kundenservice
Internet Provider Abuse:
Wir haben festgestellt, dass Sie illegale Internet- Seiten besuchen.
Bitte beachten Sie folgende Liste:
Liste
Schwarze-Liste
***
Mail- Anhang: Keine verd
Mail Scanner: Kein Virus gefunden
Anti- Virus: Es wurde kein Virus erkannt
Virenschutz
*** http://www.(domain name)
I was surprised, too! :-(
Who could suspect something like that?
shock
All OK :)
see, what i've found!
hi its me
i've found a shity virus on my pc. check your pc, too!
follow the steps in this article.
bye
I 've told you!:-) sometime I grab your passwords!
your_passwords
I hope you accept the result!
Follow the instructions to read the message.
Please read the document
Your password was changed successfully.
Protected message is attached.
++++ Service: http://www.(domain name)
++++ Mail To: User-info
67.28.114.32_failed_after_I_sent_the_message./
Remote_host_said:_554_delivery_error:_dd_
Sorry_your_message_cannot_be_delivered._
This_account_has_been_disabled_or_discontinued_[#102]._-_mta134.mail.dcn.com
** End of Transmission
The original message is a separate attachment.
--- Mail To: UserHelp
Error_Info
_attach
Read the attachment for details.
Bad Gateway: The message has been attached.
+++ A service of
+++ Mail: home
Database #Error
-- Partial message is available!
-- Error: llegal signs in Mail-Routing
-- Mail Server: ESMTP VX32.9 Version Betha Alpha
Mail- Attachment: No suspicious Virus signatures
Mail Scanner: No Virus found
Anti-Virus: No Virus!

The attachment is either a .PIF (30,720 bytes) or a .ZIP (30,866 bytes) file and carries one of the following names (note that the filename may be preceded by random numbers and followed by _attach):

Administrator
AMD-System.txt
anitv_text
AntiVirus-Text
attach-message
AutoMailer
Benutzer-Daten
block-lists
check_this
corrected_text-file
database_partial
database
Datenbank_Auszug
dokument
Error_Info
error
error-message
Fehler-Info
help
instructions
kurztext
message
Money-Help
partial
pass-message
pmessage-text
RobotMailer
Schwarze-Liste
textdocument
Text-Inhalt
User-info
webmaster
your_article
your_passwords
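
A defender-side check for the attachment indicators listed above, added here as an example; it is not code from the original alert or from McAfee. It parses a message, applies the name pattern and the two attachment sizes from the description, and reports every attachment that fits. The regular expression is an assumed reading of that wording (optional digits before a listed name, optional _attach after it, then .pif or .zip), and the sample message is constructed for the demonstration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Attachment base names listed in the advisory (compared case-insensitively).
SOBER_F_NAMES = {
    "administrator", "amd-system.txt", "anitv_text", "antivirus-text", "attach-message",
    "automailer", "benutzer-daten", "block-lists", "check_this", "corrected_text-file",
    "database_partial", "database", "datenbank_auszug", "dokument", "error_info", "error",
    "error-message", "fehler-info", "help", "instructions", "kurztext", "message",
    "money-help", "partial", "pass-message", "pmessage-text", "robotmailer",
    "schwarze-liste", "textdocument", "text-inhalt", "user-info", "webmaster",
    "your_article", "your_passwords",
}
# Attachment sizes quoted in the advisory for the two delivery forms.
SOBER_F_SIZES = {".pif": 30720, ".zip": 30866}
# Assumed reading of the advisory's wording: optional leading digits, a known
# base name, an optional "_attach" suffix, then a .pif or .zip extension.
ATTACH_RE = re.compile(r"^\d*(.+?)(?:_attach)?(\.pif|\.zip)$", re.IGNORECASE)

def classify_attachment(filename: str, size: int) -> tuple[bool, bool]:
    """Return (name matches advisory, size matches advisory) for one attachment."""
    m = ATTACH_RE.match(filename)
    if not m:
        return (False, False)
    base, ext = m.group(1).lower(), m.group(2).lower()
    return (base in SOBER_F_NAMES, SOBER_F_SIZES[ext] == size)

def scan_message(raw: str) -> list[tuple[str, bool, bool]]:
    """Report every attachment in a raw RFC 822 message whose name fits the pattern."""
    findings = []
    for part in message_from_string(raw).walk():
        fname = part.get_filename()
        if not fname:
            continue
        payload = part.get_payload(decode=True) or b""
        name_ok, size_ok = classify_attachment(fname, len(payload))
        if name_ok:
            findings.append((fname, name_ok, size_ok))
    return findings

def build_sample(filename: str, size: int) -> str:
    """Constructed test message shaped like the description (not a real capture)."""
    em = EmailMessage()
    em["Subject"] = "Mail delivery failed"  # one of the listed subjects
    em["From"], em["To"] = "postmaster@example.invalid", "user@example.invalid"
    em.set_content("Read the attachment for details.")
    em.add_attachment(b"\x00" * size, maintype="application",
                      subtype="octet-stream", filename=filename)
    return em.as_string()
```

A name hit with a size mismatch is still worth quarantining for review, since the sizes describe the variant seen at the time of the alert.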

The recipient email addresses are harvested from the local system. The worm searches for addresses within files having one of these file extensions:

abc
abd
abx
adb
ade
adp
adr
asp
bas
cfg
cgi
cls
ctl
dbx
dhtm
doc
dsp
dsw
eml
fdb
frm
hlp
ini
jsp
ldb
ldif
log
mbx
mda
mdb
mde
mdw
mdx
mht
mmf
msg
nab
nch
nfo
nsf
ods
oft
php
pl
pp
ppt
pst
rtf
shtml
sln
tbb
txt
uin
vap
vbs
wab
wsh
xls
xml

The virus does not send itself to addresses containing any of the following strings:

mailer-daemon
office
redaktion
support
variabel
password
time
postmas
service
freeav/
@ca.
abuse
winrar
domain.
host.
viren
ewido.
emsisoft
linux
google
@foo.
winzip
@arin
mozilla
@iana
@avp
@msn
microsoft.
@sophos
@panda
symant
ntp-
ntp@
@ntp.
@kaspers
free-av
antivir
virus
verizon.
@ikarus.
@nai.
@messagelab
clock
yahoo.com
yahoo.de
gmx.de
gmx.net
web.de
freenet.de
lycos.de

More info on this worm:
http://vil.nai.com/vil/content/v_101154.htm

Removal Instructions

Go to the following website for removal instructions:

http://vil.nai.com/vil/content/v_101154.htm

Download Stinger to scan for infection:
http://vil.nai.com/vil/stinger