Another Virus Alert. (Parts one and two)
Topic Started: Nov 23 2005, 07:10 PM (74 Views)
| Seoul Survivor | Nov 23 2005, 07:10 PM Post #1 |
|
Thanks Jay!
|
OK, the last one I put up was a sham, but our IT director posted this for us (ALSO see the CNN link at the end for another one!):

This is an MX Logic Email Threat Alert Notification. This message has been sent to you due to a possible email threat that could affect your organization. If you have any questions please contact us at +1.720.895.5700.

Another Sober Variant Hits the Internet

W32/Sober.Z is a mass email worm. MX Logic considers this a HIGH RISK VIRUS due to the high number of instances we are seeing. This memory-resident worm propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own SMTP engine.

Solution/Workaround

MX Logic currently provides protection from this worm for customers who subscribe to MX Logic's virus scanning service. We are also blocking this worm at the MTA level for those customers who are not subscribed to this service.

This worm is also known by the following aliases:
• W32.Sober.X@mm
• Email-Worm.Win32.Sober.y
• W32/Sober.AH.worm
• Email-Worm.Win32.Sober.Y
• WORM_SOBER.AG
• W32/Sober.Z

Technical Description

This worm propagates via email using Simple Mail Transfer Protocol (SMTP). The email it sends out contains the following characteristics:

Subject: (any one of the following)
• hi,_ive_a_new_mail_address
• Mail delivery failed
• Registration Confirmation
• smtp mail failed
• Spam: Registration Confirmation
• Your Password
• Your IP was logged
• Paris_Hilton_&_Nicole_Richie
• You visit illegal websites

The message body will be randomly chosen from several different possibilities which are part of the worm payload.

Attachment: (any one of the following)
• mailtext.zip
• mail.zip
• reg_pass.zip
• mail.zip
• reg_pass-data.zip
• question_list.zip
• list.zip
• downloadm.zip
• mail_body.zip

The attached .ZIP file contains the copy of W32/Sober.Z using the file name File-packed_dataInfo.exe.

When executed, W32/Sober.Z displays a fake error message box in order to trick a user into thinking that the file did not properly execute. W32/Sober.Z searches the process list of the affected system for mrt.exe, the Microsoft Windows Malicious Software Removal Tool process. If found, it terminates the said process, thus making the system more vulnerable to malicious attacks.

For specific information on removing this worm, please visit: http://vil.nai.com/vil/content/v_137072.htm

If you are interested in subscribing to MX Logic's virus scanning service, please call MX Logic Sales at +1.877.MXLOGIC (+1.877.695.6442) or email sales@mxlogic.com.

#30#

And this: http://www.cnn.com/2005/TECH/internet/11/2...m.ap/index.html

//Seoul |
|
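One way to put the indicators quoted in the alert above to defensive use is a mail-gateway check that looks at the subject line, the attachment name and, for ZIP attachments, the member names inside the archive, so that the inner File-packed_dataInfo.exe is caught even when the subject or ZIP name varies. The following is an added example written for this thread; it is not code from the original post, from MX Logic, or from McAfee. The three messages it scores are constructed here with placeholder bytes, and the verdict thresholds ("block" only on the known inner EXE, "suspicious" on name hits alone) are this example's own choice.

```python
"""Mail-gateway style check for the W32/Sober.Z indicators quoted in the alert above."""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Indicators quoted in the MX Logic alert (subject lines, attachment names, inner EXE name).
SOBER_SUBJECTS = {s.lower() for s in (
    "hi,_ive_a_new_mail_address", "Mail delivery failed", "Registration Confirmation",
    "smtp mail failed", "Spam: Registration Confirmation", "Your Password",
    "Your IP was logged", "Paris_Hilton_&_Nicole_Richie", "You visit illegal websites",
)}
SOBER_ATTACHMENTS = {
    "mailtext.zip", "mail.zip", "reg_pass.zip", "reg_pass-data.zip",
    "question_list.zip", "list.zip", "downloadm.zip", "mail_body.zip",
}
SOBER_INNER_EXE = "file-packed_datainfo.exe"


def zip_member_names(blob: bytes) -> list:
    """Lower-cased member names of a ZIP payload, or [] if the bytes are not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [name.lower() for name in zf.namelist()]
    except zipfile.BadZipFile:
        return []


def classify(raw: bytes) -> dict:
    """Score one RFC 5322 message against the indicators.

    verdict: 'block' when a ZIP attachment carries the known inner EXE,
    'suspicious' on subject / attachment-name hits alone, else 'clean'.
    The thresholds are this example's own choice, not MX Logic's policy.
    """
    msg = email.message_from_bytes(raw, policy=default)
    hits = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in SOBER_SUBJECTS:
        hits.append("subject:" + subject)
    known_exe = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in SOBER_ATTACHMENTS:
            hits.append("attachment:" + name)
        if name.endswith(".zip"):
            members = zip_member_names(part.get_payload(decode=True) or b"")
            if SOBER_INNER_EXE in members:
                hits.append("zip-member:" + SOBER_INNER_EXE)
                known_exe = True
            elif any(m.endswith(".exe") for m in members):
                # Not Sober-specific, but an EXE inside a ZIP is worth flagging anyway.
                hits.append("zip-member:executable")
    if known_exe:
        verdict = "block"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits}


def build_sample(subject: str, attachment_name: str, inner_name: str) -> bytes:
    """Construct a test message with a ZIP attachment (constructed data, not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = subject
    msg.set_content("See the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


# Three constructed messages: a Sober.Z lookalike, a benign one, and a subject-only match.
SOBER_SAMPLE = build_sample("Your Password", "reg_pass.zip", "File-packed_dataInfo.exe")
BENIGN_SAMPLE = build_sample("Q3 figures", "report.zip", "report.csv")
SUBJECT_ONLY_SAMPLE = build_sample("Mail delivery failed", "bounce.zip", "notes.txt")

if __name__ == "__main__":
    for label, raw in (("sober", SOBER_SAMPLE), ("benign", BENIGN_SAMPLE),
                       ("subject-only", SUBJECT_ONLY_SAMPLE)):
        print(label, classify(raw))
```

The subject-only sample shows why the inner-EXE check matters: "Mail delivery failed" is also a perfectly normal bounce subject, so on its own it only rates "suspicious", while the archive member name is what justifies an outright block.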
| MinJun | Nov 25 2005, 12:05 PM Post #2 |
|
Advanced Member
|
Thanks Vic, this new Sober one is really bothering my mailbox these days. To check if you're infected or not you might download the new version (22.11.2005) of the "Stinger" tool from McAfee. It's free and needs no installation.

Stinger v.2.5.9
http://vil.nai.com/vil/stinger/

Stinger is able to detect the following bad guys and their variants:
BackDoor-AQJ
BackDoor-ALI
BackDoor-CEB
BackDoor-JZ
Bat/Mumu.worm
Downloader-DN.a
Exploit-DcomRpc
Exploit-LSASS
Exploit-MS04-011
HideWindow
IPCScan
IRC/Flood.ap.dr
IRC/Flood.bi.dr
IRC/Flood.cd
NTServiceLoader
ProcKill
PWS-Narod
PWS-Sincom.dll
W32/Anig.worm
W32/Bagle@MM
W32/Blaster.worm (Lovsan)
W32/Bropia.worm
W32/Bugbear@MM
W32/Deborm.worm.gen
W32/Doomjuice.worm
W32/Dumaru
W32/Elkern.cav
W32/Fizzer.gen@MM
W32/FunLove
W32/IRCbot.worm
W32/Klez
W32/Korgo.worm
W32/Lirva
W32/Lovgate
W32/Mimail
W32/MoFei.worm
W32/Mumu.b.worm
W32/MyDoom
W32/Nachi.worm
W32/Netsky
W32/Nimda
W32/Pate
W32/Polybot
W32/Sasser.worm
W32/Sdbot.worm.gen
W32/SirCam@MM
W32/Sober
W32/Sobig
W32/SQLSlammer.worm
W32/Swen@MM
W32/Yaha@MM
W32/Zafi
W32/Zindos.worm
W32/Zotob.worm |
|
| BUDDiE | Nov 25 2005, 11:55 PM Post #3 |
chee -- cina
|
Dang, so many aliases and other features of this virus - gotta keep a good watch out, but I never open any attachments and such. THANKS FOR THE WARNING!! |
|
--Cina. BUT ORIGINALLY --Chee. | |
|
| Seoul Survivor | Nov 26 2005, 06:03 PM Post #4 |
|
Thanks Jay!
|
Thanks Minjun!! //Seoul |
|
| Angus Mac | Nov 28 2005, 12:55 PM Post #5 |
Resident Watchdog
|
Thanks. That explains all the spam I got on Saturday and Sunday. |
| Woof! | |
|