Shields Up People, new virus floating about

Shop deals on ebay
Advertise with us
shop deals on amazon
Valve Replacement Forums

Help Support Valve Replacement Forums:

This site may earn a commission from merchant affiliate links, including eBay, Amazon, and others.
Ross

Ross

Well-known member
Joined
Dec 15, 2001
Messages
25,981
Location
On The Hot Seat
----- Original Message -----
From: "Trend Micro Newsletters Editor" <[email protected]>
Sent: Monday, November 21, 2005 6:11 PM
Subject: Trend Micro Medium Risk Virus Alert - WORM_SOBER.AG


Dear Trend Micro customer,

As of November 21, 2005 2:20 PM Pacific Standard Time (PST, GMT -8:00),
TrendLabs has declared a Medium Risk Virus Alert to control the spread of
WORM_SOBER.AG. TrendLabs has received several infection reports indicating
that this malware is spreading in the USA, Belgium, Canada, Brazil, and New
Zealand.

This memory-resident worm propagates by attaching a copy of itself to an
email message, which it sends to target recipients using its own Simple Mail
Transfer Protocol (SMTP) engine. Since it's email propagation does not
require any user intervention, the user is often unaware that this worm is
sending out email messages.

The email it sends out has the following details:

From: {Email address generated by this worm}

Subject: (any of the following)
. hi,_ive_a_new_mail_address
. Mail delivery failed
. Registration Confirmation
. smtp mail failed
. Spam: Registration Confirmation
. Your Password
. Your IP was logged
. Paris_Hilton_&_Nicole_Richie
. You visit illegal websites

Message body: (any of the following)
hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not
sure!
plz read and check ...
cyaaaaaaa

---

This is an automatically generated Delivery Status Notification.

SMTP_Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.
The full mail-text and header is attached

---

Account and Password Information are attached!
***** Go to: http://www.{random}.com
***** Email: {random}.com

---

Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.
Important:
Please answer our questions!
The list of questions are attached.

Yours faithfully,
Steven Allison

*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000

---

Account and Password Information are attached! ---

The Simple Life:
View Paris Hilton & Nicole Richie video clips , pictures & more ;)
Download is free until Jan, 2006!
Please use our Download manager.


Attachment: (any of the following)
. mailtext.zip
. mail.zip
. reg_pass.zip
. mail.zip
. reg_pass-data.zip
. question_list.zip
. list.zip
. downloadm
. mail_body.zip


The attached .ZIP file contains the copy of this worm using the following
file name:
File-packed_dataInfo.exe

When executed, it displays a fake error message box in order to trick a user
into thinking that the file did not properly execute.

This worm searches the process list of the affected system for mrt.exe, the
Microsoft Windows Malicious Software Removal Tool process. If found, it
terminates the said process thus making the system more vulnerable to
malicious attacks.


TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy (Beta) - 187 (Released)
Official Pattern Release - 2.957.00 (ETA: 1.5 hrs)
Damage Cleanup Template - 678 (Being created)
Network Virus Wall - 10232 (Being created)


For more information on WORM_SOBER.AG, you can visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyc...e=WORM_SOBER.AG
You can modify subscription settings for Trend Micro newsletters at:
http://www.trendmicro.com/subscriptions/default.asp
______________________________________________________________________
 
Ross

Ross

When I turn on my puter..early..I have at least 10 odd names..just delete them..The ones I see from VR.Com..I delete ..then go to VR.com to read.. I was thinking that I was geting bots..from being on Vr.com..the only forum that I am on...:eek: So, that is the only way they could have found me...I have not been on any other forums for over a year. Yes, you are right..noticing how many guests..early in A.M compared with 1 member this A.M. Me..:D ......they are getting our names..Hate those bots. This is why I will ask that Mary delete my Grandchildren's pictures in a week.Scary to know what these insane people will do. Bonnie
 
I agree Bonnie- just deleted the thread on New York with the pictures of my grandchildren.
 
that's the one I got yesterday and I deleted it immediately. Today I ran Adaware and it found some bad stuff that I deleted. Don't know if it came from that or not. I have been surfing some lately.

Children: I never put the children's pictures anywhere on the net (just in email) because the net is open to everybody! I just think it's unsafe.
 
All this worm needs to do is execute on someone computer you know and it'll get your email address from their address book and start sending email to everyone. Obviously, too many morons are opening this thing. I've gotten a total of 27 of them since yesterday. Many were not even addressed to me, but delivered to me anyhow.

I will personally come to your house and blow your computer up if you don't have the sense to have a good antivirus program installed. There are great free ones such as Avast and AVG, so there is no reason for anyone not to have them.
 
I got the "Your Password" several days ago and immediately deleted it. I repeat what Ross says, have the BEST virus program you can afford (and some are free) and KEEP THEM UPDATED. With my Norton, the FIRST thing I do when I connect is run the "UPDATE" program.

Something just like this recently hit another web site I go to. It got into the listed E-Mail addresses of members and started sending messages that looked like they came from the web site. Be careful out there.

May God Bless,

Danny
 
About anti-virus - they only work for known virus'. Even if you update your definitions if it has not yet been produced by your provider it will not protect you. This virus is just a variant of another virus. Use a browser based email program to help limit your vulnerability.

I believe in education and awareness rather than cleaning after you have it. Everyone should implement some basic strategies and limit your vulnerability. Don't click on unknown links, don't open unknown attachments - even if they have been scanned, and use browser based email. It has kept my home PC's free of bugs and other junk for years. (of course I am also running a checkpoint NG firewall, checkpoint 4.1 and a PIX as well as SNORT on ACID, I love my home lab)
 
Granbonny said:
I will ask that Mary delete my Grandchildren's pictures in a week.Scary to know what these insane people will do. Bonnie
Click to expand...
Dont like the sound of this, how do i delete Curtis pictures off and should i take him off my aviator?
 
Allow me to clear something up about our web bots and guests.

Neither of them are permitted to view forum members Profiles nor can they get your email addresses from crawling the site. So that being that, the only privacy issue is that of which you post. Your fair game if you post in the forum and give out that information.

Thank you!
 
Thanks Ross,
When I went to check my mail yesterday morning, there were 24 messages coming in.
I thought it was going to be a busy day, but 20 of the 24 were all the things you listed.:(
Needless to say I deleted all of them(and always delete anything we don't recognize).
I think some of the worst are those that pretend to be from your ISP provider.
Be careful out there.
 
Norton has finally got a 'catch' for it. I just got one and Norton jumped in and told me it had a virus so I deleted it right off. I have gotten several, including the pw one.
 
Oh Gees this is just what I needed to read...

i got a phone-call from my REAL ISP provider that my puter was sending out SPAM too...

I freaked...
and grabbed every spyware adaware virus thingy program I could find and keep running them all the time now.

wish theyd keep their stupid minds occupied otherwise :mad: .
 
Another One Released fast on the heels of Sober worm!

Another One Released fast on the heels of Sober worm!

As of November 24, 2005 2:34 AM (Pacific Standard Time, GMT -8:00), TrendLabs
has declared a Medium Risk Virus Alert to control the spread of WORM_MYTOB.MX.
TrendLabs has received several infection reports indicating that this malware is
spreading in Eastern Europe, Japan, India, China, Sweden, France, Spain,
Austria, and Germany.

This memory-resident worm spreads copies of itself as an attachment to email
messages, which it sends to target addresses, using its own Simple Mail Transfer
Protocol (SMTP) engine. Through this SMTP engine, it is able to easily send the
said email message even without using other mailing applications, such as
Microsoft Outlook.

The email message that it sends has the following details:

From: (Spoofed)

Subject: (any of the following)
? DETECTED Online User Violation
? Important Notification
? MEMBERS SUPPORT
? Notice Account limitation
? Security Measures
? WARNING MESSAGE YOUR SERVICES NEAR TO BE CLOSED
? You have successfully updated your password
? Your Account is Suspended
? Your Account is Suspended For Security Reasons
? Your password has been successfully updated
? Your Password has been updated

Message Body: (any of the following)
Dear {User Profile} Member,

Your e-mail account was used to send a huge amount of unsolicited spam messages
during the recent week. If you could please take 5-10 minutes out of your online
experience and confirm the attached document so you will not run into any future
problems with the online service.

If you choose to ignore our request, you leave us no choice but to cancel your
membership.

Virtually yours,
The {User Profile}, Support Team

===========

Dear user {User Profile},

It has come to our attention that your {User Profile}, ( x ) records are out of
date. For further details see the attached document.

Thank you for using {User Profile}!
The {User Profile} Support Team
+++ Attachment: No Virus (Clean)
+++ "Name" Antivirus - www.{User Profile}.com

===========

Dear user {User Profile},

You have successfully updated the password of your {User Profile} account.

If you did not authorize this change or if you need assistance with your
account, please contact customer service at: register@{User Profile}.com

Thank you for using {User Profile}!
The {User Profile} Support Team
+++ Attachment: No Virus (Clean)
+++ "Name" Antivirus - www. {User Profile}.com

===========

Dear {User Profile} Member,

We have temporarily suspended your email account {User Profile}.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due
to an internal error within our processors.
See the details to reactivate your {User Profile} account.
Sincerely,The Support Team
+++ Attachment: No Virus (Clean)
+++ {User Profile}Antivirus www.{User Profile}

NOTE: {User Profile}, is equal to the computer's Domain User Name

Attachment: (any of the following file names)
? accepted-password
? account-details
? account-info
? account-password
? account-report
? approved-password
? documeng
? email-details
? email-password
? important-details
? new-password
? password
? readme
? updated-password


This worm also propagates via network shares. It searches for available shared
folders within the network and attempts to drop copies of itself into these
shares. It also generates random IP addresses and attempts to drop copies of
itself into the said addresses' default shares. It uses the account details of
the currently logged user to gain access to password-protected shares.

It has backdoor capabilities, which enable a remote malicious user to perform
commands on the affected system, thus compromising system security.

It runs on Windows NT, 2000, and XP.

TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy 189 - released
Official Pattern Release 2.967.00 - released
Damage Cleanup Template 682 - being created
NVW 10233 - being created

For more information on WORM_MYTOB.MX, you can visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYTOB.MX
 
Found this good info on how things can appear to come from your ISP, Bank, etc.

# How is header forging possible?

Basically an email is made up of 2 parts: the header and the body. The header is that part that contains all the "meta" information about the email, such as the Subject, the From address, the To address. However this header is generated by the email software itself. You can easily use malicious software to generate a completely false header part of the email, include a false From address, and even rubbish To and Cc addresses.

So if an email has a false To address, how does it actually make it a destination? Well that's part of a separate internet protocol called SMTP. SMTP (Simple Mail Transfer Protocol) is what is used to actually move an email from one machine to another. Part of the protocol includes the real destination address the email is being sent to, and then the actual email, including the entire header and body. Since this underlying transfer address never appears visible to the user, and since SMTP just takes the entire email, header, body and all and moves it to the destination email address, it's possible to send an email with a completely fraudulent header to any address.

So why is this all the case? It's basically to do with the early days of the Internet, where everything was just between a few trusted university computers. No one had a need or reason to forge email headers, because people really did just want to email each other. These days of course, there are lots of people trying to push advertising on you, and they don't want their original address to be identified.

(That was from the FastMail.fm FAQ section)

One thing that most spam messages have in common, even the ones that appear as just images, is random text inserted into the raw message to (they hope) fool spam filters. This text is not normally visible in an email program, but can be viewed by some spam fighting applications such as MailWasher. What bank is going to send you messages with "I'm in the know of... Are you sure? Coca Cola GoTo Loft Story" or "we need to get in 1915 In short. Free Games How are you?" as part of the body - these are two I received today purporting to come from banks:eek:

Watch out, it's a jungle out there...:(
 
You must log in or register to reply here.

Latest posts

Back
Top