AA-2005.0029 -- Increased activity of Sober email worm variant including faked FBI and CIA emails

Date: 24 November 2005


===========================================================================
AA-2005.0029                  AUSCERT Advisory

         Increased activity of Sober email worm variant including
                         faked FBI and CIA emails
                             24 November 2005
- ---------------------------------------------------------------------------

OVERVIEW:

	A variant of the Sober email worm is currently spreading rapidly 
	through English and German language emails. This worm arrives in 
	emails with subject lines as described below.

	The emails may be spoofed to appear to be a warning email from the 
	FBI or CIA.
	
	Sober depends on users opening the .zip attachment and running the 
	file inside in order to spread.


MITIGATION:

	The current Sober worm variant is already detected by most 
	antivirus products with up-to-date signatures.

	Email users should be aware of the following points:

	o The "From" address in emails is easily forged.

	o Viruses, worms and other malicious emails may often appear to 
	  come from people you know.

	o As always, users should avoid opening any attachments or 
	  clicking on links within emails unless the email was expected.
	
	Free removal tools for this worm are available.[4][5]


DETAILS:

	The worm arrives in emails with the following Subject lines:

	You visit illegal websites
	Paris Hilton & Nicole Richie
	Your IP was logged
	Registration Confirmation
	hi, ive a new mail address
	Your Password
	smtp mail failed
	Mail delivery failed
	Ihr Passwort
	Account Information
	SMTP Mail gescheitert
	Mailzustellung wurde unterbrochen
	Ermittlungsverfahren wurde eingeleitet
	Sie besitzen Raubkopien
	RTL: Wer wird Millionaer
	Sehr geehrter Ebay-Kunde
	
	When the user opens the attached .zip file and runs the executable
	file inside, the worm takes the following actions:

	1. Displays a fake error message "Error in packed Header".

	2. Disables various antivirus and security products and turns off 
	   the Windows XP firewall. At this point the worm may display a 
	   second message box: "No Viruses, Trojans or Spyware found! 
	   Status: OK"

	3. Contacts time servers to synchronise time of day.

	4. Gathers email addresses from a wide range of documents found on 
	   the local computer.

	5. Uses these addresses to send further infected emails to new 
	   victims using its own built-in SMTP code.

	6. The worm may open a backdoor on the system, allowing attackers to 
	   send it instructions and to download and execute further malicious 
	   files on the infected computer.
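A mail-gateway check for the indicators described above, added here as an example and not part of the AusCERT advisory: it parses a raw message, tests whether the Subject is one of the listed lines and whether a .zip attachment contains an executable member, and flags the message for quarantine only when both hold. The sample message, its addresses and its file names are constructed for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Subject lines listed in the advisory (English and German).
SOBER_SUBJECTS = {
    "You visit illegal websites", "Paris Hilton & Nicole Richie",
    "Your IP was logged", "Registration Confirmation",
    "hi, ive a new mail address", "Your Password", "smtp mail failed",
    "Mail delivery failed", "Ihr Passwort", "Account Information",
    "SMTP Mail gescheitert", "Mailzustellung wurde unterbrochen",
    "Ermittlungsverfahren wurde eingeleitet", "Sie besitzen Raubkopien",
    "RTL: Wer wird Millionaer", "Sehr geehrter Ebay-Kunde",
}
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def zip_holds_executable(data: bytes) -> bool:
    """True if the zip lists a member whose name ends in an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(EXEC_EXTS) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # unreadable archive: leave it to other controls

def classify(raw: bytes) -> dict:
    """Return the Sober indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    hits = {"subject_match": subject in SOBER_SUBJECTS, "zip_with_exe": False}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") and zip_holds_executable(part.get_payload(decode=True)):
            hits["zip_with_exe"] = True
    # Quarantine needs both: a listed subject alone is just a common phrase.
    hits["quarantine"] = hits["subject_match"] and hits["zip_with_exe"]
    return hits

def build_sample(subject: str, member: str) -> bytes:
    """Constructed test message (not a real worm sample) with a zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not an executable")
    m = EmailMessage()
    m["From"] = "noreply@example.invalid"  # constructed; From is easily forged
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("constructed body text")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename="attachment.zip")
    return m.as_bytes()
```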


REFERENCES:

	[1] US-CERT Current Activity
	    http://www.us-cert.gov/current/current_activity.html#sobergen

	[2] F-Secure virus descriptions Sober.Y
	    http://www.f-secure.com/v-descs/sober_y.shtml

	[3] Kaspersky Lab virus description Email-Worm.Win32.Sober.y
	    http://www.viruslist.com/en/viruses/encyclopedia?virusid=99827

	[4] Symantec removal tool
	    http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.removal.tool.html

	[5] McAfee removal tool
	    http://vil.nai.com/vil/stinger/


AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
