New WORM!!! Everyone Read this! W32.Sober.I.@mm


Post by Mithrandir » Fri Nov 19, 2004 1:31 pm

Just got this today. If you get something like this, delete it!


W32.Sober.I@mm is a mass-mailing worm that uses its own SMTP engine to spread by sending itself as an email attachment to addresses gathered from the infected computer. The subject of the email varies and will be in either English or German. The email sender address is spoofed. The name of the email attachment varies, and it will have a .bat, .com, .pif, .scr, or .zip file extension. The attachment may also have a double extension. This threat is written in the Microsoft Visual Basic programming language and is compressed with UPX.

From: (Spoofed) It can be an email address found on the infected computer or may be in the form of [fake sender name]@[recipient's domain], where fake sender name is one of the following:

Info
FehlerMail
Webmaster
ReMailer
Lisa
Peter
Michael
Thomas
Elke
Susi
Nadine
Benutzer-Daten
Information
Service
Hilfe
Webmaster
Hostmaster
Postmaster
User-Info


Subject: (May be one of the following with FwD: as prefix)

hi there
hey dude!
wazzup!!!
yeah dude :P
Details
Oh God it's
d**m!
#
Registration confirmation
Confirmation
Your Password
Your mail account
Delivery failure notice
Faulty mail delivery
Mail delivery failed
Mailing Error
Illegal signs in E-Mail
Invalid mail length
Mail Delivery failure
mail delivery status
Warning!
error in dbase
DBase Error
ups, i've got your mail
Sorry, that's your mail
why do you do that?
Life's a b***h
Smiling Like a Killer
lol,wat'nlosey?
Informationvon
FalscheMailzustellung
FehlerinIhrerE-Mail
IhreE-Mailwarfehlerhaft
ESMTPError
UngültigeVariableninihrerE-Mail
Verbindungwurdegetrennt
Mail_Fehler
IhrneuerAccount
NeueAccountDaten
Siehabennichtgezahlt
Rechnung
Hi,seivorsichtig!
Achtung!gefährlicherVirus!
Schongehört?
DieTools!
DeinZeug's!
Hierfürdich^^
BestellungsBestätigung
Lieferungs-Bestätigung
Ok,hieristmein
Ichhabemichindichv


Body: (May be composed of some of the following text)

++++ User-Service: http://www. domain>
++++ MailTo: postmaster@<sender's domain>

Your password was changed successfully.

Protected message is attached.


This account_hast_been_disabled.

_failed_after_I_sent_the_message.
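A mail-filter heuristic for the traits listed in the advisory quoted in the post above (an added example, not part of the original post or the advisory). The function names, the `example.org` addresses and the sample messages are constructed for illustration; a match is a reason to quarantine and inspect, not a verdict.

```python
import os
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Traits taken from the advisory text quoted in the post.
LISTED_EXTS = {".bat", ".com", ".pif", ".scr", ".zip"}
FAKE_SENDERS = {n.lower() for n in (
    "Info", "FehlerMail", "Webmaster", "ReMailer", "Lisa", "Peter", "Michael",
    "Thomas", "Elke", "Susi", "Nadine", "Benutzer-Daten", "Information",
    "Service", "Hilfe", "Hostmaster", "Postmaster", "User-Info")}

def sober_i_traits(raw, recipient):
    """Return the advisory traits that a raw RFC 5322 message matches."""
    msg = message_from_string(raw)
    hits = []
    # Spoofed sender of the form [fake sender name]@[recipient's domain].
    local, _, domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")
    if local in FAKE_SENDERS and domain == recipient.lower().rpartition("@")[2]:
        hits.append("fake-sender-at-recipient-domain")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        stem, ext = os.path.splitext(name.lower())
        if ext in LISTED_EXTS:
            hits.append("listed-extension:" + ext)
            # A second extension hiding in front of the real one.
            if os.path.splitext(stem)[1]:
                hits.append("double-extension")
    return hits

def sample_message(sender, filename):
    """Build a constructed test message (not a captured worm email)."""
    m = EmailMessage()
    m["From"], m["To"] = sender, "alice@example.org"
    m["Subject"] = "FwD: Your Password"
    m.set_content("Protected message is attached.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    raw = sample_message("Webmaster <webmaster@example.org>", "document.txt.pif")
    print(sober_i_traits(raw, "alice@example.org"))
```

Because `.zip` is on the list, the extension check alone will flag plenty of legitimate mail; the sender and double-extension traits are what narrow it down.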

Post by Sephiroth » Fri Nov 19, 2004 6:18 pm

thanks for lettin us know
Largo (Megatokyo): "Its this thing... and its like, cool... and it does things... cool things!"

Ph34r t3h Cu73 0n3z!

Post by BigZam » Fri Nov 19, 2004 8:36 pm

i don't have much to worry about cuz i've got a suspect email filter, but thanks.
gone for good...

Post by agasfas » Fri Nov 19, 2004 9:10 pm

good thing I delete about 99.9% of my emails. If it's bigger than 10kbs, in the trash you go :P
"A merry heart doeth good like a medicine.." Prov 17:22

The word 'impossible' isn't in my dictionary... but I don't really have a dictionary you know? - Eikichi Onizuka.
Sorry, but I stop being a teacher at 5 o'clock. - Eikichi Onizuka.

Post by TheMelodyMaker » Fri Nov 19, 2004 9:24 pm

This threat is written in the Microsoft Visual Basic programming language and is compressed with UPX.

That's the part I find most interesting. That tells me that someone using Windows 95/98 that doesn't have the Visual Basic runtime installed may be safe from the worm -- unless the worm somehow has a way of installing the runtime first before doing its thing. (I think that Windows ME/XP come with it already installed, though.)

Edit: I had version 6 in mind, but I never thought until now that it could be another version (earlier or later).
@)}~`,~ Carry this rose in your signature as thanks to Inkhana, for all she has done for us in the past. Even though she is no longer a moderator, she has done an awful lot for us while she was and she deserves thanks. ^_^

Post by Mithrandir » Sat Nov 20, 2004 8:54 am

I've been out of the windows programming loop too long. My last major app was for 98 (an ai game).

It must be said, though, that anyone with a sufficiently out-of-date computer never has to worry about ANY viruses.

;)

