Worm.win32.sober.l Alert!


Got the following e-mail today:

-- Worm.Win32.Sober.L Alert! ---

A new variant of the Sober worm is spreading fast. As its predecessors, Sober.L spreads as an email attachment in emails which are sent to all email addresses found on the victim's hard disk. Even if the executable file is packed in a .ZIP file, many users open the file and activate the worm this way. For novice users it's hard to see that it is a worm generated email because the email subject is "your password + accountnumber !". The email body text is the following:

hi,

i've got an admin mail with a Password and Account info!

but the mail recipient are you! it's probably an esmtp error, i think.

i've copied the full mail text in the Windows text-editor & zipped.

ok, cya...

The recipient is advised to open the attached file "Acc_text.zip". The worm also spreads in a German version, which is used on all German email addresses. The German subject is "ich habe ihre e-mail bekommen !". The email body text is:

Hallo,

jemand schickt ihre privaten Mails auf meinem Account.

Ich schaetze mal, das es ein Fehler vom Provider ist.

Insgesamt waren es jetzt schon 6 Mails!

Ich habe alle Mail-Texte im Texteditor kopiert und gezippt.

Wenn es doch kein Fehler vom Provider ist, sorge dafuer das diese Dinger nicht mehr auf meinem Account landen, es Nervt naemlich.

Gruss

More details about Sober.L can be found at the a-squared malware database:

http://www.emsisoft.com/en/malware/?Worm.Win32.Sober.L

Protection:

a-squared Free users are advised to run the online update, to be able to remove the worm if the computer becomes infected.

a-squared Personal users are protected, even if they don't have the latest online updates installed. The new IDS technology of the background guard immediately detects and blocks the worm with the behavior analysis if it manages to run.

Your a-squared Team

http://www.emsisoft.com

-----------------------------------

© 2005 Emsi Software GmbH

Faerberstr. 8 - 5110 Oberndorf - Austria

Website: http://www.emsisoft.com

Email can be viewed here: http://www.emsisoft.com/en/support/contact
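The indicators quoted in the alert above (the two subject lines, the attachment name "Acc_text.zip", and an executable packed inside a ZIP) can be checked at a mail gateway. The following is an added example, not part of the original post or Emsisoft's code; the extension list, function names and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subjects and attachment name quoted in the alert above.
SOBER_L_SUBJECTS = {"your password + accountnumber !", "ich habe ihre e-mail bekommen !"}
SOBER_L_ATTACHMENT = "acc_text.zip"
# Assumption: extensions treated as executable; tune for your environment.
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")


def zip_executable_members(data):
    """Return names of executable-looking members; None if the ZIP is unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return None


def inspect_message(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    if subject in SOBER_L_SUBJECTS:
        findings.append("subject matches Sober.L lure")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == SOBER_L_ATTACHMENT:
            findings.append("attachment named Acc_text.zip")
        if name.endswith(".zip"):
            members = zip_executable_members(part.get_payload(decode=True) or b"")
            if members is None:
                findings.append(f"unreadable ZIP: {name}")
            elif members:
                findings.append(f"executable inside {name}: {', '.join(members)}")
    return findings


def build_sample(subject, zip_name, member_name):
    """Constructed test message; the ZIP member holds harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder, not a real program")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

The executable-in-ZIP check is the more durable of the three, since subject lines and attachment names change between variants.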
