Date: 24 November 2005
===========================================================================
AA-2005.0029 AUSCERT Advisory
Increased activity of Sober email worm variant including
faked FBI and CIA emails
24 November 2005
- ---------------------------------------------------------------------------
OVERVIEW:
A variant of the Sober email worm is currently spreading rapidly
through English and German language emails. This worm arrives in
emails with subject lines as described below.
The emails may be spoofed to appear to be a warning email from the
FBI or CIA.
Sober depends on users opening the .zip attachment and running the
file inside in order to spread.
MITIGATION:
The current Sober worm variant is already detected by most
antivirus products with up-to-date signatures.
Email users should be aware of the following points:
o The "From" address in emails is easily forged.
o Viruses, worms and other malicious emails may often appear to
come from people you know.
o As always, users should avoid opening attachments or clicking on
links within emails unless the email was expected beforehand, even
when the sender appears to be known.
Free removal tools for this worm are available.[4][5]
DETAILS:
The worm arrives in emails with the following Subject lines:
You visit illegal websites
Paris Hilton & Nicole Richie
Your IP was logged
Registration Confirmation
hi, ive a new mail address
Your Password
Registration Confirmation
smtp mail failed
Mail delivery failed
Ihr Passwort
Account Information
SMTP Mail gescheitert
Mailzustellung wurde unterbrochen
Ermittlungsverfahren wurde eingeleitet
Sie besitzen Raubkopien
RTL: Wer wird Millionaer
Sehr geehrter Ebay-Kunde
When the user opens the attached .zip file and runs the executable
file inside, the worm takes the following actions:
1. Displays a fake error message "Error in packed Header".
2. Disables various antivirus and security products and turns off
the Windows XP firewall. At this point the worm may display a
second message box: "No Viruses, Trojans or Spyware found!
Status: OK"
3. Contacts time servers to synchronise time of day.
4. Gathers email addresses from a wide range of documents found on
the local computer.
5. Uses these addresses to send further infected emails to new
victims using its own built-in SMTP code.
6. The worm may open a backdoor on the system allowing attackers to
send instructions, download and execute further malicious files
on the infected computer.
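As an added, defender-side example that is not part of the AusCERT advisory: a Python mail-gateway triage check that flags a message when its Subject matches one of the lines listed above and it carries a .zip attachment containing an executable, the two conditions the infection chain described above relies on. The executable-extension list and the constructed sample message are assumptions.

```python
import io
import zipfile
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Subject lines quoted in the advisory, compared case-insensitively.
SOBER_SUBJECTS = {s.lower() for s in (
    "You visit illegal websites", "Paris Hilton & Nicole Richie",
    "Your IP was logged", "Registration Confirmation",
    "hi, ive a new mail address", "Your Password", "smtp mail failed",
    "Mail delivery failed", "Ihr Passwort", "Account Information",
    "SMTP Mail gescheitert", "Mailzustellung wurde unterbrochen",
    "Ermittlungsverfahren wurde eingeleitet", "Sie besitzen Raubkopien",
    "RTL: Wer wird Millionaer", "Sehr geehrter Ebay-Kunde")}
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")  # assumed list

def zip_has_executable(data: bytes) -> bool:
    """True if the zip payload contains a member with an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(EXEC_EXTS) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # corrupt or non-zip data is not the lure shape checked here

def classify(raw: bytes) -> dict:
    """Triage one raw RFC 822 message and report which indicators fired."""
    msg = message_from_bytes(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    hits = {"subject_match": subject in SOBER_SUBJECTS, "zip_with_exe": False}
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(".zip"):
            if zip_has_executable(part.get_payload(decode=True) or b""):
                hits["zip_with_exe"] = True
    hits["flag"] = hits["subject_match"] and hits["zip_with_exe"]  # both must fire
    return hits

def sample_message(subject: str = "Your IP was logged") -> bytes:
    """Constructed lure-shaped message; the zip holds a harmless text file named .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details.exe", "not a real program")
    m = MIMEMultipart()
    m["Subject"] = subject
    m.attach(MIMEText("see attached"))
    att = MIMEApplication(buf.getvalue(), _subtype="zip")
    att.add_header("Content-Disposition", "attachment", filename="details.zip")
    m.attach(att)
    return m.as_bytes()
```

The subject match alone is a weak signal (legitimate mail can carry "Account Information"), so the gateway only quarantines when the archived executable is also present.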
REFERENCES:
[1] US-CERT Current Activity
http://www.us-cert.gov/current/current_activity.html#sobergen
[2] F-Secure virus descriptions Sober.Y
http://www.f-secure.com/v-descs/sober_y.shtml
[3] Kaspersky Lab virus description Email-Worm.Win32.Sober.y
http://www.viruslist.com/en/viruses/encyclopedia?virusid=99827
[4] Symantec removal tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.removal.tool.html
[5] McAfee removal tool
http://vil.nai.com/vil/stinger/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================