
Sober Virus

The worm sends e-mail messages with German or English text. When sending a message to an e-mail address that has the domain suffix DE, CH, AT, LI, NL or BE, as well as to an address that contains the substring '@GMX', the worm uses German text strings; otherwise it composes the message in English.

Here is what the English e-mail sent by the worm looks like:

Subject:

Microsoft Alert: Please Read!

Body:

New MyDoom Virus Variant Detected!


A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through
the Internet.
Anti-virus vendor Central Command claims that 1 in 45 e-mails contains
the MyDoom virus.
The worm also has a backdoor Trojan capability.
By default, the Trojan component listens on port 13468.


Protection:
Please download this digitally signed attachment.
This Update includes the functionality of previously released patches.



+++ c2004 Microsoft Corporation. All rights reserved.
+++ One Microsoft Way, Redmond, Washington 98052
+++ Restricted Rights at 48 CFR 52.227-19

Here is what the German e-mail sent by the worm looks like:

Subject:

Microsoft Alarm: Bitte Lesen!

Body:

Neue Virus-Variante W32.Mydoom verbreitet sich schnell.


Eine neue Mydoom-Variante verbreitet sich derzeit rasend schnell im Internet.
Wie seine Vorganger verschickt sich der Wurm von infizierten Windows-
Rechnern per E-Mail an weitere Adressen.
Zudem installiert er auf infizierten Systemen einen gefahrlichen Trojaner!
Fuhrende Virenspezialisten melden bereis ein vermehrtes Aufkommen des
W32.Mydoom alias W32.Novarg.


Bitte daten Sie Ihr System mit dem Patch ab, um sich vor diesem Schadling
zu schutzen!



+++ c2004 Microsoft Corporation. Alle Rechte vorbehalten.
+++ Microsoft Deutschland GmbH, Konrad-Zuse-Strasse 1
+++ 85716 Unterschleissheim, HRB 70438, DE 129 415 943

The sender's address is faked. The sender's name can be one of the following:


Info
Center
UpDate
News
Help
Studio
Alert
Patch
Security

The domain of the sender's name always contains the string '@microsoft', followed by the suffix '.DE' or '.AT' for German messages and by the suffix '.COM' for English messages.

The worm sends itself as an attachment with an EXE extension or inside a ZIP archive. The attachment name varies and can contain one of the following:


Patch
MS-Security
MS-UD
UpDate
sys-patch

Additionally, the attachment name can contain random numbers.
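The sender, subject and attachment traits listed above can be combined into a simple mail-filter check. The following is an added example, not part of the original write-up: the function name, the sample messages and the reading of "sender's name" as either the display name or the local part of the address are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Values taken from the description above.
SENDER_NAMES = {"info", "center", "update", "news", "help",
                "studio", "alert", "patch", "security"}
SUBJECTS = {"microsoft alert: please read!", "microsoft alarm: bitte lesen!"}
ATTACH_TOKENS = ("patch", "ms-security", "ms-ud", "update", "sys-patch")
SENDER_DOMAIN = re.compile(r"@microsoft\.(de|at|com)$", re.I)

def sober_indicators(raw):
    """Return which of the described message traits a raw RFC 822 message shows."""
    msg = message_from_string(raw)
    hits = []
    display, addr = parseaddr(msg.get("From", ""))
    local = addr.split("@")[0]
    # Assumption: the "sender's name" may be the display name or the local part.
    if SENDER_DOMAIN.search(addr) and {display.lower(), local.lower()} & SENDER_NAMES:
        hits.append("sender")
    if msg.get("Subject", "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        # EXE or ZIP attachment whose name contains a listed token (digits may follow).
        if fname.endswith((".exe", ".zip")) and any(t in fname for t in ATTACH_TOKENS):
            hits.append("attachment")
            break
    return hits

# Constructed sample messages; the attachment body is a placeholder, not a payload.
SAMPLE = """From: Security <Security@microsoft.com>
To: user@example.org
Subject: Microsoft Alert: Please Read!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

New MyDoom Virus Variant Detected!
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="MS-Security4821.exe"

(constructed placeholder)
--b1--
"""
GERMAN = "From: Info@microsoft.de\nSubject: Microsoft Alarm: Bitte Lesen!\n\ntext\n"
BENIGN = "From: Alice <alice@example.org>\nSubject: Patch notes\n\nhello\n"
```

A single hit is weak evidence on its own; the combination of a listed sender name at a '@microsoft' address with a matching subject or attachment name is what characterises the messages described here.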

The worm avoids sending messages to e-mail addresses containing one of the following:


abuse
winrar
domain.
host.
viren
bitdefender
spybot
hotmail
detection
ewido.
emsisoft
linux
google
@foo.
winzip
@arin
mozilla
@iana
@avp
@msn.
microsoft.
@sophos
@panda
symant
ntp-
ntp@
@ntp.
@kaspers
free-av
antivir
virus
verizon.
@ikarus.
@nai
@messagelab
clock
info@
t-online
