From: Sophos Alert System

Name: W32/Sober-M
Type: Win32 worm
Date: 19 April 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2005 (3.94) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Information about W32/Sober-M can be found at:
http://www.sophos.com/virusinfo/analyses/w32soberm.html

W32/Sober-M is a mass-mailing worm.

When first run, W32/Sober-M opens Notepad and displays a body of text that starts:

UnPack failed

W32/Sober-M copies itself to the following location:

%WINDOWS%\Config\system\services.exe

and creates the following registry entries to ensure it is run at system logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
_SystemCheck
%WINDOWS%\Config\system\services.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemCheck
%WINDOWS%\Config\system\services.exe

W32/Sober-M creates a base64-encoded, ZIP-archived copy of itself in the following location:

%WINDOWS%\Config\system\zipped.wrm

as well as the harmless data file maddys.xyz, which can be deleted.

W32/Sober-M also creates the following data files:

%SYSTEM%\adcmmmmq.hjg
%SYSTEM%\langeinf.lin
%SYSTEM%\nonrunso.ber
%SYSTEM%\xcvfpokd.tqa

The email sent by W32/Sober-M depends on the recipient address. Recipients whose email address is in the .de, .ch, .at or .li domains, or contains the string "gmx.", will receive an email as follows:

Subject line:
FwD: Ich bin's nochmal

Message text:
Verdammt,,,, ich hatte vergessen Dir meinen Text mitzuschicken. Aber bitte nicht woanders darueber Reden, ich wuerde mich dann zu Tode blamieren! Ich melde mich.
Bis bald ;)

Attached file:
Private-Texte.zip

Email sent to other addresses will have the following characteristics:

Subject line:
I've_got your EMail on my_account!

Message text:
Hello, First, Very Sorry for my bad English. Someone is sending your private e-mails on my address. It's probably an e-mail provider error! At time, I've got over 10 mails on my account, but the recipient are you. I have copied all the mail text in the windows text-editor for you & zipped then. Make sure, that this mails don't come in my mail-box again. bye

Attached file:
your_text.zip

W32/Sober-M harvests email addresses from files with the following strings in their filenames:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

W32/Sober-M avoids sending email to addresses that contain any of the following strings:

@www @from. smtp- @smtp. ftp. .dial. .ppp. anyone @gmetref sql. someone nothing you@ user@ reciver@ somebody secure whatever@ whoever@ anywhere yourname mustermann@ mailer-daemon variabel noreply -dav law2 .qmail@ freeav @ca. abuse winrar domain. host. viren bitdefender spybot detection ewido. emsisoft linux @foo. winzip @example. bellcore. @arin @iana @avp icrosoft. @sophos @panda @kaspers free-av antivir virus verizon. @ikarus. @nai. @messagelab nlpmail01. clock

Download the IDE file from:
http://www.sophos.com/downloads/ide/sober-m.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file.
The file is available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
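As an added example (not part of the Sophos alert or of Mike's post), here is a small Python mail-gateway triage script that flags the two Sober-M lures described in the alert by subject line and attachment name, and predicts from the recipient address which lure the worm would have chosen under the alert's .de/.ch/.at/.li and "gmx." rule, so a mismatch can be set aside for a closer look. The log-line format and the sample lines are constructed for this example and do not come from any real MTA.

```python
import re
from email.utils import parseaddr

# Lure subjects and attachment names quoted in the Sophos W32/Sober-M alert.
GERMAN_LURE = "FwD: Ich bin's nochmal"
ENGLISH_LURE = "I've_got your EMail on my_account!"
SOBER_M_LURES = {GERMAN_LURE: "Private-Texte.zip", ENGLISH_LURE: "your_text.zip"}
GERMAN_TLDS = (".de", ".ch", ".at", ".li")

# Constructed (hypothetical) gateway log format: <timestamp> to=<rcpt> subject="..." attach=<file>
LOG_RE = re.compile(r'to=<(?P<to>[^>]+)> subject="(?P<subject>[^"]*)" attach=(?P<attach>\S+)')

def expected_lure(recipient):
    """Lure the worm would send to this address, per the alert's targeting rule:
    .de/.ch/.at/.li recipients and addresses containing "gmx." get the German
    text, everyone else the English one."""
    addr = parseaddr(recipient)[1].lower()
    domain = addr.rsplit("@", 1)[-1]
    if domain.endswith(GERMAN_TLDS) or "gmx." in addr:
        return GERMAN_LURE
    return ENGLISH_LURE

def flag_sober_m(log_line):
    """Finding dict if the line carries a Sober-M lure subject, else None.
    'high' confidence when the attachment name matches too, 'medium' otherwise."""
    m = LOG_RE.search(log_line)
    if not m or m["subject"] not in SOBER_M_LURES:
        return None
    to, subject = m["to"], m["subject"]
    return {
        "recipient": to,
        "lure": subject,
        "confidence": "high" if SOBER_M_LURES[subject] == m["attach"] else "medium",
        # A lure contradicting the targeting rule deserves a second look
        # (another variant, or a forged message reusing the text).
        "matches_targeting": expected_lure(to) == subject,
    }

# Constructed sample log lines (not real traffic) for a stand-alone run.
SAMPLE_LOG = [
    '2005-04-19T10:02:11 to=<anna@example.de> subject="FwD: Ich bin\'s nochmal" attach=Private-Texte.zip',
    '2005-04-19T10:02:12 to=<bob@example.com> subject="I\'ve_got your EMail on my_account!" attach=your_text.zip',
    '2005-04-19T10:02:13 to=<carl@gmx.net> subject="I\'ve_got your EMail on my_account!" attach=your_text.zip',
    '2005-04-19T10:02:14 to=<dana@example.org> subject="Meeting notes" attach=notes.zip',
    '2005-04-19T10:02:15 to=<erik@example.at> subject="FwD: Ich bin\'s nochmal" attach=report.pdf',
]
```

Running `[f for f in map(flag_sober_m, SAMPLE_LOG) if f]` yields four findings; the gmx.net recipient is flagged with `matches_targeting` False because the worm's rule would have sent that address the German lure.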