Saturday, November 20, 2004

Sober.J Worm Strikes -

What is it?

W32/Sober.j@MM is a Medium Risk mass-mailing worm that arrives as an email attachment. When run, the worm displays a series of fake error messages (e.g., WinZip_Data_Module is missing ~Error: {2A0DCCF6}), infects the host computer and emails itself to stolen email addresses using the infected computer's Internet connection.

Up-to-date McAfee VirusScan users with DAT 4409 are protected from this threat.
Note: To fortify your anti-virus defense against threats like W32/Sober.j@MM that need Internet access to spread, we recommend installing McAfee Personal Firewall Plus.

What should I look for?

FROM: Varies (forged addresses taken from infected system)

SUBJECT: Example: FwD: illegal signs in your email

BODY: Example: More info about--GZIP--under:

ATTACHMENT: Examples: mail.4052.scr, verisign.2095.pif, re_mail8831.bat

How do I know if I've been infected?

Fake error messages displayed. Increased network traffic on TCP port 37. Alerts from a desktop firewall (if installed) that a new application is trying to access the Internet.

- Weekly report on viruses and intruders -

Virus Alerts, by Panda Software (

Madrid, November 19 2004 - This week's virus report looks at five worms-Sober.I, Bagle.BG, Yanz.A, Drew.A and Aler.A-, and a Trojan called Msnsoug.A.

Sober.I is sent by email using its own SMTP engine, in a message either inGerman or English depending on the recipient. It gets email addresses from the infected computer and stores them in files. In order to ensure it is run whenever the computer is started up, it creates several entries in theWindows registry.

Bagle.BG sends itself out in emails with variable characteristics. The action it takes includes opening and listening on TCP port 2002. It acts as a backdoor allowing access to the infected computer. Bagle.BG also terminates processes belonging to certain applications that update antivirus solutions, leaving the computer vulnerable to future attack.

Yanz.A is an email worm that spreads in messages with highly variable characteristics and which displays false sender addresses. It can also useP2P file-sharing programs to spread creating files, with variable names, with copies of itself in folders whose name contains the letters 'shar'.

Both the messages and the shared files it creates, make reference to theChinese singer Sun Yan Zi. Should the file containing the worm be executed, Yanz.A displays a small window with the text "Kernel Hatasi". It also opens and listens on TCP port67. Through this port it will try to download all shorts of malware whichYanz.A will immediately execute.

Drew.A spreads both via email and P2P applications. In the first case ituses its own SMTP engine to send messages with a highly variable format. Both the message subject and text, along with the name of the attachment are chosen at random from a list of options. To spread via P2P applications, Drew.A searches all folders with the text 'share' and copies itself to these folders using names aimed at enticing users such as "Cameron Dias.scr","Delphi 8" and "DrWeb 4.32".

If a user runs one of the attachments with Drew.A, this worm creates two files on the affected computer with copies of itself. At the same time, itsends itself to all entries in the users address book and deletes all fileswith HTM or TXT extension that it finds on the computer.

The last worm we'll look at today is Aler.A which, although it first appeared a few days ago, has been distributed massively over the last week in email messages.

The messages have the subject "Latest News about Arafat!!!", and include two attachments. One of them is an image file with a picture of the funeral of the Palestinian politician.

The other however, contains code designed to exploit a vulnerability in Internet Explorer. Through this flaw, it automatically installs the Aler.A worm which is designed to spread across inadequately protected networks.

Today's report ends with Msnsoug.A, a Trojan that does not spread under its own steam. Once it has infected a computer, it waits for a user to start a MSN Messenger session and sends -to all contacts active at that moment- a text message in Portuguese.

- Panda Software reports the appearance of Sober.I -

Virus Alerts, by Panda Software (

MADRID, November 19, 2004 - PandaLabs has detected the appearance of a newworm called Sober.I. This malicious code is designed to spread rapidly via email in a message that can be written in English or German.

According to data gathered by Panda Software's international tech support network,Sober.I is starting to spread across German-speaking countries, such as Germany and Austria, causing incidents in users' computers.

The messages carrying Sober.I have extremely variable characteristics, as the subject, message body and name of the attachment are all selected at random.

If the user runs the file containing Sober.I, it creates a large number of files on the computer, such as clsobern.isc and nonzipsr.noz,which are copies of the worm, or logsys.exe and syssmss32.exe, which are files used by the worm to carry out its actions.

When it has been run, Sober.I looks for email addresses on the affected computer, which it then sends itself out to using its own SMTP engine.

If the domain of the email address belongs to Switzerland (.ch), Germany (.de), Austria (.at) or Liechtenstein (.li), the worm inserts German texts in the email message. If the domain is any other than those mentioned above theemail will be sent in English.

Finally, Sober.I inserts several entries in the Windows Registry in order to ensure that it is run whenever the computer is started. Due to the high possibility of being infected by Sober.I, Panda Software advises users to take precautions and update their antivirus software.

PandaSoftware has made the corresponding updates available to its clients to detect and disinfect this new malicious code.

In addition, users can scan their computers online for free with the PandaActiveScan, available at For further information about Sober.I visit Panda Software's Virus Encyclopedia