Virus Description - W32.Sober.X@mm
Created: 5/12/05
Aliases: W32/Sober.Z@MM [McAfee]
Description
W32.Sober.X@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives.
The 'From' line of the email is spoofed (faked), and the Subject line and message body vary. The attachment name 'Textfile' with a '.zip' file extension has been seen.
W32.Sober.X@mm arrives in an email with the following characteristics:
The email address of the sender: spoofed (falsified) and changed to a random name taken from the infected PC, so false alarms will be sent.
Message text: -
Dear Sir/Madam, we have logged your IP-address on more than 28 illegal Websites. Important: Please answer our questions! The list of questions are attached. Yours faithfully, Steven Allison ++++ Central Intelligence Agency -CIA- ++++ Office of Public Affairs ++++ Washington, D.C. 20505 ++++ phone: (703) 477-6110 ++++ 7:00 a.m. to 5:00 p.m., US Eastern time
Damage
Spreads, clogs email servers, and generates False Alarms.
May reduce security on your PC and start doing damage after 5/01/06.
Occurrence
Sober.X has been seen several times on campus - Symantec AntiVirus is recognising it and stopping it.
Advice
Do not read suspicious email. Do not open the attachments with the above names or any unknown attachments. Keep Windows (& Outlook) up-to-date - see Updating Windows. And do not forward warnings to the apparent sender because the apparent sender is NOT the real sender.
Detecting Sober.X
An up-to-date copy of Symantec/Norton AntiVirus should detect and prevent infection from Sober.X. If you do not have Symantec/Norton AntiVirus and you are worried that you may have an infected computer, you could run an online virus check or contact the Student Help Desk in the Learning Zone.
Cleaning Sober.X
Use the tool from Symantec: Sober Removal Tool.
Further Information
For further info about Sober.X:





