From: Sophos Alert System
Name: W32/Sober-L
Type: Win32 worm
Date: 7 March 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the April 2005 (3.92) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Sophos has received several reports of this worm from the wild.

Information about W32/Sober-L can be found at:
http://www.sophos.com/virusinfo/analyses/w32soberl.html

W32/Sober-L is a mass-mailing worm which sends itself to addresses harvested from the infected computer.

When first run, W32/Sober-L will open Notepad and display a body of text that starts:

  Mail-Text: Unzip failed

W32/Sober-L will copy itself to a subfolder of the Windows folder named \MSAGENT\SYSTEM with the filename SMSS.EXE.

In order to run automatically each time a user logs on, W32/Sober-L will continually set the following registry entries:

  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    " Services.dll"   <Windows folder>\msagent\system\smss.exe

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    _Services.dll     <Windows folder>\msagent\system\smss.exe

W32/Sober-L also creates the following data files:

  \msagent\win32\emdata.mmx
  \msagent\win32\zipzip.zab
  \read.me
  \nonrunso.ber
  \stopruns.zhz
  \xcvfpokd.tqa

The READ.ME file contains the following text:

  test test test
  In diesem Sinne: Odin alias Anon
  (English: "In that spirit: Odin alias Anon")

W32/Sober-L will attempt to terminate processes with names containing the following strings:

  gcas, gcip, giantanti, stinger, hijackthis

W32/Sober-L harvests email addresses from files with the following strings in their filenames:

  pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm
  cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb
  vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd
  adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

W32/Sober-L avoids sending email to addresses that contain any of the following strings:

  ntp- ntp@ ntp. test@ office @www @from. support smtp- @smtp. gold-certs ftp.
  .dial. .ppp. anyone subscribe announce @gmetref sql. someone nothing you@
  user@ reciver@ somebody secure whatever@ whoever@ anywhere yourname
  mustermann@ .kundenserver. mailer-daemon variabel password noreply -dav law2
  .sul.t- .qmail@ t-ipconnect t-dialin ipt.aol time postmas service freeav
  @ca. abuse winrar domain. host. viren bitdefender spybot detection ewido.
  emsisoft linux google @foo. winzip @example. bellcore. @arin mozilla @iana
  @avp icrosoft. @sophos @panda @kaspers free-av antivir virus verizon.
  @ikarus. @nai. @messagelab nlpmail01. clock

The email sent by W32/Sober-L depends on the recipient address. Recipients whose email address is in the .de, .ch, .at or .li domains, or contains the string "gmx.", will receive an email as follows (German original, with an English translation):

  Subject line:
    Ich habe Ihre E-Mail bekommen!
    (English: "I have received your e-mail!")

  Message text:
    Hallo, jemand schickt ihre privaten Mails auf meinem Account. Ich schaetze mal, das es ein Fehler vom Provider ist. Insgesamt waren es jetzt schon 6 Mails! Ich habe alle Mail-Texte im Texteditor kopiert und gezippt. Wenn es doch kein Fehler vom Provider ist, sorge dafuer das diese Dinger nicht mehr auf meinem Account landen, es Nervt naemlich. Gruss
    (English: "Hello, someone is sending your private mails to my account. I guess it is an error on the provider's side. So far there have been 6 mails in total! I have copied all the mail texts into the text editor and zipped them. If it is not a provider error after all, make sure these things stop landing in my account, because it is annoying. Regards")

  Attached file:
    MailTexte.zip

Email sent to other addresses will have the following characteristics:

  Subject line:
    Your Password & Account number

  Message text:
    hi, i've got an admin mail with a Password and Account info! but the mail recipient are you! it's probably an esmtp error, i think. i've copied the full mail text in the Windows text-editor & zipped. ok, cya...

  Attached file:
    acc_text.zip

The ZIP file will contain an executable file named mail_text-data.txt.pif.

The From address line will be faked.
This IDE file also includes detection for:

  W32/Sober-Gen
  http://www.sophos.com/virusinfo/analyses/w32sobergen.html

Download the IDE file from:
  http://www.sophos.com/downloads/ide/sober-l.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

  Zip file:             http://www.sophos.com/downloads/ide/ides.zip
  Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor, MikesWhatsNews. See a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
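The alert above lists the worm's host indicators (the two Run values, the dropped files under the Windows folder, and the copy of SMSS.EXE in \msagent\system) but gives no way to check a machine for them. The following PowerShell script is an added example, not part of the Sophos alert and not Mike's code, that checks one Windows host for exactly those indicators. It assumes that $env:WINDIR is the "<Windows folder>" the alert refers to, that the Run value names are exactly as printed (the HKCU one begins with a space), and, because the alert gives no folder for read.me, nonrunso.ber, stopruns.zhz and xcvfpokd.tqa, it looks for those four in both the Windows folder and \msagent\win32.

```powershell
# Added example (not from the Sophos alert): check a Windows host for the
# W32/Sober-L indicators listed in the alert. Assumptions are marked inline.

$windir  = $env:WINDIR                                   # assumed to be <Windows folder>
$payload = Join-Path $windir 'msagent\system\smss.exe'   # worm copy; the real smss.exe lives in System32

# Run values the alert says the worm keeps re-creating. The HKCU value name
# starts with a space (' Services.dll'), which is easy to overlook in regedit.
$runValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = ' Services.dll' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = '_Services.dll' }
)

# Dropped files, relative to the Windows folder. The alert names a folder only
# for the first two; the other four are checked in both candidate locations
# (assumption, since the alert does not say where they live).
$droppedFiles = @('msagent\win32\emdata.mmx', 'msagent\win32\zipzip.zab')
foreach ($n in 'read.me', 'nonrunso.ber', 'stopruns.zhz', 'xcvfpokd.tqa') {
    $droppedFiles += $n
    $droppedFiles += "msagent\win32\$n"
}

$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: Run values that point at the worm's smss.exe.
foreach ($rv in $runValues) {
    $props = Get-ItemProperty -Path $rv.Key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $p = $props.PSObject.Properties[$rv.Name]
    if ($p -and ($p.Value -match 'msagent\\system\\smss\.exe')) {
        $findings.Add("Run value '$($rv.Name)' in $($rv.Key) = $($p.Value)")
    }
}

# 2. Dropped files.
foreach ($rel in $droppedFiles) {
    $full = Join-Path $windir $rel
    if (Test-Path -LiteralPath $full -PathType Leaf) {
        $findings.Add("File present: $full")
    }
}

# 3. Running copy. Match on the image path, not the process name: a legitimate
# smss.exe (the Session Manager from System32) is always running.
foreach ($proc in Get-Process -Name smss -ErrorAction SilentlyContinue) {
    $path = $null
    try { $path = $proc.Path } catch { }   # Path can throw for protected processes
    if ($path -and ($path -ieq $payload)) {
        $findings.Add("Worm process running: PID $($proc.Id) $path")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Sober-L indicators found.'
    exit 0
}

Write-Output 'W32/Sober-L indicators found:'
$findings | ForEach-Object { Write-Output "  $_" }
# The alert says the worm continually rewrites the Run values, so stop the
# process (Stop-Process -Id <pid> -Force) before deleting the values and files,
# otherwise they reappear. Then update the IDE file and run a full scan.
exit 1
```

Run it from an elevated PowerShell prompt so the HKLM key and the process image paths are readable; a non-zero exit code means at least one indicator was found, which makes the script usable from a login script or a remote-execution tool across many hosts.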