Subject: Trend Micro Medium Risk Virus Alert - WORM_SOBER.AG
>
> Dear Trend Micro customer,
>
> As of November 21, 2005 2:20 PM Pacific Standard Time (PST, GMT
> -8:00), TrendLabs has declared a Medium Risk Virus Alert to control
> the spread of WORM_SOBER.AG. TrendLabs has received several infection
> reports indicating that this malware is spreading in the USA, Belgium,
> Canada, Brazil, and New Zealand.
>
> This memory-resident worm propagates by attaching a copy of itself to
> an email message, which it sends to target recipients using its own
> Simple Mail Transfer Protocol (SMTP) engine. Since its email
> propagation does not require any user intervention, the user is often
> unaware that this worm is sending out email messages.
>
> The email it sends out has the following details:
>
> From: {Email address generated by this worm}
>
> Subject: (any of the following)
> • hi,_ive_a_new_mail_address
> • Mail delivery failed
> • Registration Confirmation
> • smtp mail failed
> • Spam: Registration Confirmation
> • Your Password
> • Your IP was logged
> • Paris_Hilton_&_Nicole_Richie
> • You visit illegal websites
>
> Message body: (any of the following)
> hey its me, my old address dont work at time. i dont know why?!
> in the last days ive got some mails. i' think thaz your mails but im
> not sure!
> plz read and check ...
> cyaaaaaaa
>
> ---
>
> This is an automatically generated Delivery Status Notification.
>
> SMTP_Error []
> I'm afraid I wasn't able to deliver your message.
> This is a permanent error; I've given up. Sorry it didn't work out.
> The full mail-text and header is attached
>
> ---
>
> Account and Password Information are attached!
> ***** Go to: http://www.{random}.com
> ***** Email: {random}.com
>
> ---
>
> Dear Sir/Madam,
>
> we have logged your IP-address on more than 30 illegal Websites.
> Important:
> Please answer our questions!
> The list of questions are attached.
>
> Yours faithfully,
> Steven Allison
>
> *** Federal Bureau of Investigation -FBI-
> *** 935 Pennsylvania Avenue, NW, Room 3220
> *** Washington, DC 20535
> *** phone: (202) 324-3000
>
> ---
>
> Account and Password Information are attached!
>
> ---
>
> The Simple Life:
> View Paris Hilton & Nicole Richie video clips , pictures & more
> Download is free until Jan, 2006!
> Please use our Download manager.
>
>
> Attachment: (any of the following)
> • mailtext.zip
> • mail.zip
> • reg_pass.zip
> • mail.zip
> • reg_pass-data.zip
> • question_list.zip
> • list.zip
> • downloadm
> • mail_body.zip
>
>
> The attached .ZIP file contains the copy of this worm using the
> following file name:
> File-packed_dataInfo.exe
>
> When executed, it displays a fake error message box in order to trick
> a user into thinking that the file did not properly execute.
>
> This worm searches the process list of the affected system for
> mrt.exe, the Microsoft Windows Malicious Software Removal Tool
> process. If found, it terminates the said process thus making the
> system more vulnerable to malicious attacks.
>
>
> TrendLabs will be releasing the following EPS deliverables:
>
> TMCM Outbreak Prevention Policy (Beta) - 187 (Released)
> Official Pattern Release - 2.957.00 (ETA: 1.5 hrs)
> Damage Cleanup Template - 678 (Being created)
> Network Virus Wall - 10232 (Being created)
>
>
> For more information on WORM_SOBER.AG, you can visit our Web site at:
> http://www.trendmicro.com/vinfo/virusencyc...e=WORM_SOBER.AG