Date: 04 May 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2005.010 -- AUSCERT ALERT
New Sober variant email worm currently spreading
4 May 2005
===========================================================================
OVERVIEW:
A new variant of the Sober email worm is now spreading rapidly among
computers running Microsoft Windows. The new worm version is variously
known as:
Sober.N (Computer Associates)
Sober.P (F-Secure)
Sober.p@MM (McAfee)
Sober-N (Sophos)
Sober.O@mm (Symantec)
The worm arrives in an email, with Subject lines as described below,
and then depends on users opening .zip email attachments to spread.
On infection, the worm will:
1. Display a fake error message window "Error: CRC not complete";
2. Attempt to disable antivirus updates for some popular products;
3. Gather email addresses from a wide range of documents found on
the computer;
4. Use the infected computer to send large amounts of worm-carrying
email to the new email addresses that were found.
MITIGATION:
Updated antivirus signatures are now available from most vendors, for
both email gateway and desktop antivirus products.
Note however that the worm is able to disable updates and/or hide from
several antivirus products if the computer is infected before virus
signatures have been updated. In this case, checking for the presence
of the worm's files as described below is one way to detect whether
computers are already infected.
As always, users should avoid opening any attachments in email messages
unless the email was already expected. Worm and virus emails often
appear to come from people you know.
Free removal tools for this worm are available from Symantec [1] and
McAfee [2].
DETAILS:
The worm emails have Subject lines similar to the following:
Your Password
Registration Confirmation
Your email was blocked
mailing error
Ihr Passwort
Ihre E-Mail wurde verweigert
Ich bin's, was zum lachen ;)
Glueckwunsch: Ihr WM Ticket
WM Ticket Verlosung
WM-Ticket-Auslosung
Re: or FwD: may also be added to these Subject lines.
To allay suspicion, the worm may add text to the email body such as:
*** AntiVirus: No Virus found
*** "{recipient's domain} " Anti-Virus
*** http://www. {recipient's domain}
The email will have .zip attachments such as:
mail_info.zip
our_secret.zip
error-mail_info.zip
account_info.zip
account_info-text.zip
LOL.zip
autoemail-text.zip
Fifa_Info-Text.zip
okTicket-info.zip
free_PassWort-Info.zip
Inside this .zip is an executable file disguised as a text file.
The executable file is named
Winzipped-Text_Data.txt .pif
or Winzipped-Text_Data.txt .exe
(note the spaces between ".txt" and the real extension).
One way to detect the presence of this worm is to look for the following
directory, which it creates:
%WinDir%\Connection Wizard\Status\
(for example, on Windows XP this is by default the directory
C:\WINDOWS\Connection Wizard\Status\)
Also noteworthy is that the worm will attempt to connect to a range
of time servers on TCP port 37.
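The two checks described above (the disguised attachment name inside the .zip, and the status directory on the host) as an added example in Python; this is not code from the alert or from any vendor tool, and the sample zip it builds is a constructed, harmless stand-in for the worm's attachment.

```python
import io
import os
import re
import zipfile
from typing import List, Optional

# Attachment member names listed in the alert: a ".txt" name padded with
# spaces before the real .pif/.exe extension so the executable looks like text.
DISGUISED_NAME = re.compile(r"\.txt\s+\.(pif|exe)$", re.IGNORECASE)

# Directory the worm creates under %WinDir% on an infected host (from the alert).
SOBER_STATUS_SUBDIR = os.path.join("Connection Wizard", "Status")


def disguised_members(zip_bytes: bytes) -> List[str]:
    """Return member names inside a .zip attachment that match the worm's
    'text file' disguise. An unreadable zip yields an empty list; the caller
    can still quarantine it on other grounds."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if DISGUISED_NAME.search(n)]
    except zipfile.BadZipFile:
        return []


def sober_status_dir(windir: Optional[str] = None) -> str:
    """Path of the directory the worm creates. windir defaults to the WINDIR
    environment variable (C:\\WINDOWS if unset); pass the root of a mounted
    image explicitly when scanning from another system."""
    base = windir or os.environ.get("WINDIR", r"C:\WINDOWS")
    return os.path.join(base, SOBER_STATUS_SUBDIR)


def host_shows_indicator(windir: Optional[str] = None) -> bool:
    """True if the worm's status directory exists under windir."""
    return os.path.isdir(sober_status_dir(windir))


def make_sample_zip(member_name: str) -> bytes:
    """Constructed sample: a zip holding one empty member, used only to
    exercise the name check (contains no executable content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_zip("Winzipped-Text_Data.txt      .pif")
    print("disguised members:", disguised_members(sample))
    print("status dir:", sober_status_dir(), "present:", host_shows_indicator())
```

At a mail gateway, a non-empty result from disguised_members is reason to quarantine the message regardless of signature status; on hosts, host_shows_indicator is the file-based check the MITIGATION section refers to.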
REFERENCES:
[1] Symantec worm description and removal tool
http://www.sarc.com/avcenter/venc/data/w32.sober.o@mm.html
[2] McAfee worm description and removal tool
http://vil.nai.com/vil/content/v_133409.htm
[3] F-Secure worm description
http://www.f-secure.com/v-descs/sober_p.shtml
[4] Computer Associates worm description
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=42813
[5] Sophos worm description
http://www.sophos.com/virusinfo/analyses/w32sobern.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----