Author Topic: New SOBER variant In-the-wild!  (Read 3634 times)


mboeh

  • Guest
New SOBER variant In-the-wild!
« on: May 02, 2005, 10:14:08 PM »
TrendLabs has received several reports regarding this new SOBER variant that is currently spreading in Germany and the United States.

This worm spreads by mass-mailing copies of itself to target recipients. Using social engineering techniques, it sends out an email supposedly sent by the soccer organization FIFA, informing recipients that they have won tickets for the upcoming FIFA World Cup 2006 in Germany.

Social engineering, a propagation technique that is widely utilized by most worm programs, invests largely on computer users' instinctive tendency to open email messages, execute attachments that are enticing and apparently harmless, and download and unknowingly open attractively named files.

TrendLabs is working to provide a more in-depth analysis of this malware. Details will be posted shortly.
 

 
Description created: 2005-05-02
Description updated: 2005-05-02

http://de.trendmicro-europe.com/enterprise/vinfo/encyclopedia.php?VName=WORM_SOBER.S


mboeh

  • Guest
Re: New SOBER variant In-the-wild!
« Reply #1 on: May 02, 2005, 10:19:58 PM »
(FROM): %spoofed% 

SUBJECT:

 Re: Your Password
 Re: Registration Confirmation
 Re: Your email was blocked
 Re: mailing error
 FwD: Ihr Passwort
 FwD: Ihre E-Mail wurde verweigert
 FwD: Ich bin's, was zum lachen ;)
 FwD: Glueckwunsch: Ihr WM Ticket
 FwD: WM Ticket Verlosung
 FwD: WM-Ticket-Auslosung

BODY:

 
 Account and Password Information are attached!
Visit: http://www..com
 
 This is an automatically generated E-Mail Delivery Status Notification.
Mail-Header, Mail-Body and Error Description are attached
Attachment-Scanner: Status OK,AntiVirus: 
No Virus found,Server- AntiVirus: No Virus (Clean)
 
 Passwort und Benutzer-Informationen befinden sich in der beigefuegten Anlage.
 
 *-* http://www.
*-* MailTo: PasswordHelp@
 
 **** AntiVirus: Kein Virus gefunden
**** "GMX" AntiVirus Service
**** WebSite: http://www.gmx.de
 
 *** AntiVirus: No Virus found
*** "HBEDV" Anti-Virus
*** http://www.hbedv.com 

 
(ATTACHMENT):

 mail_info.zip
 our_secret.zip
 Fifa_Info-Text.zip
 okTicket-info.zip
 free_PassWort-Info.zip
 Winzipped-Text_Data.txt.exe
 Winzipped-Text_Data.txt.pif


http://www.antivir.de/de/vireninfos/index.html

http://de.mcafee.com/virusInfo/default.asp?id=description&virus_k=133409
« Last Edit: May 02, 2005, 10:31:51 PM by mboeh »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89121
  • No support PMs thanks
Re: New SOBER variant In-the-wild!
« Reply #2 on: May 02, 2005, 11:23:26 PM »
I think the major thing here is not to panic and exercise safe hex, i.e. don't go opening email attachments from unknown sources and even then unexpected emails with attachments.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Woodgnome

  • Guest
Re: New SOBER variant In-the-wild!
« Reply #3 on: May 02, 2005, 11:57:48 PM »
 ;D
Doing its rounds in New Zealand. Received 3 in 1 hour so far.
Don't open or Run the attached EXE file in the Zipped File.
Zipped file name:= our_secret.zip
Attached File:= winzipped-text_data . txt . exe
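
The attachment pattern reported in this thread (a .txt.exe or .txt.pif file, either attached directly or packed inside a .zip) can be checked for at a mail gateway. The following Python sketch is an added example, not part of the original posts or of any vendor's tooling; the function names, the extension lists and the constructed sample message are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows executes directly; the thread's samples use .exe and .pif.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd"}
DECOY_EXTS = {"txt", "doc", "pdf", "jpg"}  # assumed list of harmless-looking decoys

def is_double_extension(name):
    """True for names such as 'Winzipped-Text_Data.txt.exe' (spaces ignored)."""
    parts = name.lower().replace(" ", "").rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DECOY_EXTS and parts[2] in EXECUTABLE_EXTS

def scan_message(raw):
    """Return (attachment, offending_name) pairs for one raw RFC 822 message."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_double_extension(name):
            findings.append((name, name))
        elif name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    members = zf.namelist()
            except zipfile.BadZipFile:
                continue  # unreadable archive: leave it to other controls
            findings += [(name, m) for m in members if is_double_extension(m)]
    return findings

def build_sample(attachment_name, member_name):
    """Constructed message: a zip attachment holding one inert text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "inert placeholder text")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Re: Your Password"
    msg.set_content("Account and Password Information are attached!")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample("our_secret.zip", "winzipped-text_data . txt . exe")))
    print(scan_message(build_sample("mail_info.zip", "readme.txt")))
```

A zip name from the list above is not flagged on its own; only an executable hidden behind a decoy extension is, so legitimate archives pass through.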