Security Alerts and vulnerabilities Lets keep abreast on the latest threats by posting those findings here..

Mobo, 11-19-2004, 08:54 AM
WORM_SOBER.I
As of November 19, 2004, 1:31 AM (GMT - 08:00), TrendLabs has declared a Yellow Alert to control the spread of this malware, which is spreading via email in Germany, France, and Austria. Users are advised to be wary of email messages containing the following message body:

*-*-* Mail_Scanner: No Virus
*-*-* SKYNET- Anti_Virus Service
*-*-* http://www.skynet.be

It sends similar content in German to email addresses in Germany, Austria, Liechtenstein, Switzerland, and other areas (it checks target addresses for country-level domains):

*-*-* X-MS_Scanner: Kein Virus erkannt
*-*-* Attachment-Scanner: NO VIRUS
*-*-* Anti_Virus: Es wurde kein Virus gefunden

For additional information on the email that this worm sends out, please refer to the Technical Details section.

Users should note that the worm messages are spoofed and may appear to be sent by a familiar source.

Network administrators who would like to block email messages associated with this worm can check for more email details in the Technical Details section. This worm may cause some increase in network traffic. Distribution, however, may not necessarily be localized, and the worm may not severely affect corporate mail servers since it obtains email targets from files instead of the global address book.

This worm arrives as an email attachment that executes and infects upon manual execution.

A good visual clue to spot this worm is the fake WinZip message box that it displays:


This message box is likely designed to trick users into thinking that the worm file is damaged and does not actually run. In contrast, this worm will have likely infected systems on which the message box has been displayed, especially machines with no antivirus protection.

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.
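A mail-filter check for the fake "no virus" trailer quoted in the alert above, as an added example that is not part of the original post or TrendLabs' own tooling. The trailer strings come from the alert; the function names, the quarantine/review policy, and the sample addresses and file names are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Trailer lines quoted in the alert above.
TRAILER_LINES = (
    "*-*-* Mail_Scanner: No Virus",
    "*-*-* SKYNET- Anti_Virus Service",
    "*-*-* http://www.skynet.be",
    "*-*-* X-MS_Scanner: Kein Virus erkannt",
    "*-*-* Attachment-Scanner: NO VIRUS",
    "*-*-* Anti_Virus: Es wurde kein Virus gefunden",
)

def _norm(line):
    # Collapse whitespace and case so trivial spacing changes still match.
    return " ".join(line.split()).lower()

MARKERS = {_norm(t) for t in TRAILER_LINES}

def check_message(raw_bytes):
    """Return (verdict, matched_trailer_lines, attachment_names)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits, attachments = set(), []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            attachments.append(name)
        elif part.get_content_maintype() == "text":
            # get_content() undoes base64/quoted-printable and the charset.
            for line in part.get_content().splitlines():
                if _norm(line) in MARKERS:
                    hits.add(_norm(line))
    # Assumed policy: trailer plus attachment is held, trailer alone is reviewed.
    if hits and attachments:
        return "quarantine", sorted(hits), attachments
    return ("review" if hits else "pass"), sorted(hits), attachments

def build_sample(body, attachment=None):
    # Constructed message for testing; addresses and file name are placeholders.
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.de"
    m["Subject"] = "constructed sample"
    m.set_content(body, cte="base64")
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()
```

Because the body is decoded per MIME part before matching, a trailer hidden behind base64 or quoted-printable transfer encoding is still seen; a plain substring search over the raw message would miss it.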