Center for Information Technology Antivirus

Software
Current client downloads:
 VScan Engine/Dat (SuperDat) - 5.2.00/4.0.5378
 VirusScan Enterprise 8.5i (with Patch 6) - Windows NT/2000/XP/2003
 VirusScan Enterprise 7.1 - Windows NT/2000/XP/2003
 Virex (OS X) Engine/Def - 7.2(v1.1)/080903
 Virex (OS 9.x) Engine/Def - 6.2/071001
 Linux & Solaris Engine/Dat - 5.2.00/4.0.5196
 Symantec Antivirus - 10.1.7.7000
 Symantec Antivirus - 10.2
 Clean Boot 1.0
 Stinger v3.8.0 virus removal tool (Updated 09/10/07)
Current server downloads:
 VirusScan Enterprise 8.5
 VirusScan Enterprise 7.1
 NetShield NetWare - 4.6.2
 NetShield NetWare - 4.6.3
 NetShield NetWare Engine Update - 4.4.00
 ePO agent for NetWare
 ScanMail eManager - 3.0

Information
 ePO 3.0/VirusScan 7.0 Presentation
 Virex 7.x Installation Instructions
 VirusScan FAQs
 VirusScan Instructions
 Additional Resources

Archives
 List of Viruses

Virus Alerts

W32/Sober.j@MM Last Updated 11/19/04 11:00AM

CIT has been notified of a new email virus called W32/Sober.j@MM. Infected email attachments are detected as W32/Sober.j@MM. W32/Sober.j@MM is a self-contained SMTP mass-mailing worm: it carries its own SMTP engine and harvests email addresses from infected systems. The email appears in either English or German. When a user double-clicks an infected attachment, the worm displays a fake error message:

WinZip_Data_Module is missing~Error:{2A0DCCF6}

From: a spoofed address. It is either an address found on the infected computer or of the form [fake sender name]@[recipient's domain], where the fake sender name is one of the following:

  • Info
  • FehlerMail
  • Webmaster
  • ReMailer
  • Lisa
  • Peter
  • Michael
  • Thomas

Subject lines (prefixed with FwD:) are one of the following:

  • hi there!
  • hey dude!
  • wazzup!!!
  • yeah due :P
  • Oh God it's
  • damn!
  • registration confirmation
  • Your Password

Body text could be one of the following:

  • yo wazzup :p, well here is ur stuff! good luck! cya!
  • hey man! you'll not believe me what i've found on your computer!^^...thats funny dude!, well cya soon
  • I was surprised, too! :-(?? who could suspect something like that?
  • nice pic u send me! here is mine!

The English version of the message body may also contain one of the following:
  • Mail-Attachment: No Virus Found
  • X-Mail_Scaner: No virus Found
  • Anti-Virus: No Virus Found

followed by

  • +-+-+ - Antivirus Service >
  • +-+-+ http://www.

The German version of the message body may also contain one of the following:

  • X-MailScanner: Kein Virus gefunden
  • X-Attachment_Scanner: NO VIRUS
  • Anti-Virus service: Es Konnte Kein Virus erkannt werden

followed by

  • +-+-+ - Antivirus Service
  • +-+-+ http://www.

Attachment: one of the following names with a .pif, .zip, .scr, .bat or .com extension:

  • stuff
  • your_docs
  • private
  • ohyeah
  • photo
  • shock

The attachment may also be named [recipient's domain].[first extension].zip, where the first extension is one of the following:

  • .txt
  • .doc
  • .word
  • .xls
  • .eml
  • .TXT
  • .DOC
  • .EML
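The sender, subject, body-marker and attachment characteristics listed above can be turned into a mail-gateway triage check. The following is an added example, not code from CIT, NAI or Symantec: it parses a raw message with Python's standard email library and reports which of the alert's indicators it matches. The indicator strings are transcribed from the alert; the decision rule (a matching attachment plus at least one other indicator), the sample messages and the example.org / partner.net addresses are assumptions made for the example.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators transcribed from the alert. Everything else in this file
# (scoring rule, sample messages, addresses) is an assumption for the example.
SENDER_NAMES = {"info", "fehlermail", "webmaster", "remailer",
                "lisa", "peter", "michael", "thomas"}
SUBJECTS = {"hi there!", "hey dude!", "wazzup!!!", "yeah due :p", "oh god it's",
            "damn!", "registration confirmation", "your password"}
# Compared case-insensitively; "no virus" covers both the English and the
# "NO VIRUS" German-mail markers, "kein virus erkannt" the longer German line.
BODY_MARKERS = ("no virus", "kein virus gefunden", "kein virus erkannt", "+-+-+")
ATTACH_NAMES = {"stuff", "your_docs", "private", "ohyeah", "photo", "shock"}
EXEC_EXTS = {".pif", ".zip", ".scr", ".bat", ".com"}
# [recipient's domain].[txt|doc|word|xls|eml].zip
DOUBLE_EXT_RE = re.compile(r"^[\w.-]+\.(txt|doc|word|xls|eml)\.zip$", re.IGNORECASE)


def sober_j_indicators(raw: bytes) -> list:
    """Return the names of the Sober.j indicators present in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, to_addr = parseaddr(str(msg.get("To", "")))
    from_local, _, from_domain = from_addr.lower().partition("@")
    to_domain = to_addr.lower().partition("@")[2]
    if from_local in SENDER_NAMES:
        hits.append("sender-name")
    if from_domain and from_domain == to_domain:
        hits.append("sender-domain-is-recipient-domain")

    # The worm prefixes its subjects with "FwD:"; strip it before comparing.
    subject = re.sub(r"^\s*fwd:\s*", "", str(msg.get("Subject", "")), flags=re.IGNORECASE)
    if subject.strip().lower() in SUBJECTS:
        hits.append("subject")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""
    if any(marker in body for marker in BODY_MARKERS):
        hits.append("body-marker")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name)
        if stem.lower() in ATTACH_NAMES and ext.lower() in EXEC_EXTS:
            hits.append("attachment-name")
        if DOUBLE_EXT_RE.match(name):
            hits.append("attachment-double-extension")
    return hits


def is_suspected_sober_j(raw: bytes) -> bool:
    """Assumed decision rule: a matching attachment plus at least one other indicator."""
    hits = sober_j_indicators(raw)
    return any(h.startswith("attachment") for h in hits) and len(hits) >= 2


def _build(from_addr, to_addr, subject, body, attachment_name) -> bytes:
    """Build a constructed sample message (test data, not captured mail)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"\x00placeholder\x00", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def sample_english_sober() -> bytes:
    return _build("webmaster@example.org", "alice@example.org", "FwD: hey dude!",
                  "hey man! you'll not believe me what i've found on your computer!^^"
                  "...thats funny dude!, well cya soon\n\nMail-Attachment: No Virus Found\n"
                  "+-+-+ - Antivirus Service >\n+-+-+ http://www.\n", "your_docs.pif")


def sample_german_double_ext() -> bytes:
    return _build("FehlerMail@example.org", "bob@example.org", "FwD: Your Password",
                  "Anti-Virus service: Es Konnte Kein Virus erkannt werden\n"
                  "+-+-+ - Antivirus Service\n+-+-+ http://www.\n", "example.org.txt.zip")


def sample_benign() -> bytes:
    return _build("bob@partner.net", "alice@example.org", "Q3 report",
                  "Attached is the quarterly report.\n", "report.xlsx")


if __name__ == "__main__":
    for name, sample in (("english", sample_english_sober()),
                         ("german", sample_german_double_ext()),
                         ("benign", sample_benign())):
        print(name, is_suspected_sober_j(sample), sober_j_indicators(sample))
```

The attachment check is deliberately the anchor of the rule: a subject or "No Virus Found" line on its own is weak evidence, but an executable or double-extension zip combined with any other indicator is worth quarantining and then confirming with the current DAT.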
When the attachment is double-clicked, the fake "WinZip_Data_Module is missing" error message shown above appears.

W32/Sober.j@MM copies itself twice to the %System% folder using constructed file names that may be similar to one of the following:

  • datadiscwin.exe
  • cryptservice.exe
  • runlog32.exe
Both files are loaded into memory as running processes, and each holds the other's file open with exclusive read access, so neither copy can be deleted while both processes are running.

Symptoms

  • The fake error message mentioned above
  • Outbound SMTP network traffic sent directly from the infected system
  • Network traffic to TCP port 37 (the time protocol port)
  • Desktop Firewalls alerting the user that a new application is trying to get access to the internet
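The two network symptoms above (direct SMTP from workstations and connections to TCP port 37) can be picked out of firewall or NetFlow exports. The following is an added example, not a CIT tool: it scans flow records and flags hosts that send SMTP directly to several distinct destinations, bypassing the mail relay, or that contact TCP port 37. The flow records, the addresses (RFC 5737 documentation ranges and 10.x.x.x), the relay list and the fan-out threshold are assumptions for the example.

```python
from collections import defaultdict

# Assumed legitimate outbound mail relay; SMTP from it, or to it, is normal.
MAIL_RELAYS = {"10.0.0.25"}

# Constructed flow records (src, dst, dst_port, proto) standing in for a
# firewall or NetFlow export. Not captured traffic.
FLOWS = [
    # 10.1.2.3: direct SMTP to six distinct external hosts plus TCP/37
    ("10.1.2.3", "192.0.2.10", 25, "tcp"),
    ("10.1.2.3", "192.0.2.11", 25, "tcp"),
    ("10.1.2.3", "198.51.100.7", 25, "tcp"),
    ("10.1.2.3", "198.51.100.8", 25, "tcp"),
    ("10.1.2.3", "203.0.113.20", 25, "tcp"),
    ("10.1.2.3", "203.0.113.21", 25, "tcp"),
    ("10.1.2.3", "203.0.113.5", 37, "tcp"),
    # 10.0.0.25: the relay doing its job
    ("10.0.0.25", "192.0.2.10", 25, "tcp"),
    ("10.0.0.25", "198.51.100.7", 25, "tcp"),
    ("10.0.0.25", "203.0.113.20", 25, "tcp"),
    # 10.1.2.4: a workstation submitting mail through the relay
    ("10.1.2.4", "10.0.0.25", 25, "tcp"),
    # 10.1.2.5: two direct SMTP connections, below the fan-out threshold
    ("10.1.2.5", "192.0.2.10", 25, "tcp"),
    ("10.1.2.5", "192.0.2.11", 25, "tcp"),
    # Ordinary web traffic, ignored
    ("10.1.2.5", "192.0.2.80", 80, "tcp"),
    ("10.1.2.3", "192.0.2.53", 53, "udp"),
]


def triage_flows(flows, mail_relays=MAIL_RELAYS, smtp_fanout=5):
    """Return {source host: [reasons]} for hosts showing Sober.j-like network symptoms.

    A host is reported when it opens SMTP (TCP/25) to at least `smtp_fanout`
    distinct destinations without going through a relay, or when it connects
    to TCP/37 at all. The threshold is an assumption; tune it to the site.
    """
    smtp_targets = defaultdict(set)
    time_targets = defaultdict(set)
    for src, dst, dport, proto in flows:
        if proto != "tcp":
            continue
        if dport == 25 and src not in mail_relays and dst not in mail_relays:
            smtp_targets[src].add(dst)
        elif dport == 37:
            time_targets[src].add(dst)

    findings = {}
    for host in sorted(set(smtp_targets) | set(time_targets)):
        reasons = []
        fanout = len(smtp_targets.get(host, ()))
        if fanout >= smtp_fanout:
            reasons.append(f"direct SMTP to {fanout} distinct hosts, bypassing the relay")
        if host in time_targets:
            reasons.append(f"TCP/37 connections to {sorted(time_targets[host])}")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in triage_flows(FLOWS).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

Excluding flows to and from the relay matters: a workstation that submits mail through the relay and the relay itself both generate SMTP traffic, and neither should trip the rule. A host that shows both symptoms at once is the one to pull off the network first.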

NAI has released SuperDat 4409 and later to detect and remove variant W32/Sober.j@MM.

Symantec has released virus definitions dated 11/19/04 and later to detect and remove W32/Sober.j@MM. Definitions are available through the LiveUpdate feature of Symantec Antivirus.

For more information see:

http://vil.nai.com/vil/content/v_130130.htm from NAI.
http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.i@mm.html from Symantec (Symantec tracks this variant under its own name, W32.Sober.I@mm).

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.

Contact NIH Help Desk for assistance:
866-319-4357 (toll free), 301-496-4357 (6-HELP) (local), 301-496-8294 (TDD)
http://ithelpdesk.nih.gov/support

National Institutes of Health, Center for Information Technology
National Institutes of Health
Bethesda, Maryland 20892


Department of Health and Human Services
Washington, D.C. 20201