First, let me say I normally do not send these things out when I get them. (If this is not suitable for any of these groups, all that I request is the Owner or a Moderator to tell me so.) However, when a company as large as NCR Corporation sends it out to every Associate worldwide and all Associates of their subsidiaries, I tend to sit up and take notice. Also, my husband, who works for a subsidiary of NCR got an infected email. (The one supposedly from the FBI.) Thankfully, he reads all his using Outlook's Web Mail client.
I am including the text that the Network Administrator sent out earlier today in the text of this email as I try not to send attachments. Please, please be careful and if unsure about an email don't open it. As of right now the anti-virus people, Symantic / Norton and Network Associates / McAffe have yet to update thier Virus Definition files to combat this worm. Also, since it is a memory resident worm, you could be infected and not know it but infect a whole lot of other machines.
Here is the text from the Network Administrator. I have compressed some of the white space out as it was a little unreadable. What ever you do, DO NOT open the attachment. It would be a good idea to add the subject lines to your SPAM identifier.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
As of November 21, 2005 2:20 PM Pacific Standard Time (PST, GMT -8:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_SOBER.AG. TrendLabs has received several infection reports indicating that this malware is spreading in the USA, Belgium, Canada, Brazil, and New Zealand.
This memory-resident worm propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Since it's email propagation does not require any user intervention, the user is often unaware that this worm is sending out email messages.
The email it sends out has the following details:
From: {Email address generated by this worm}
Subject: (any of the following)
• hi,_ive_a_new_mail_address
• Mail delivery failed
• Registration Confirmation
• smtp mail failed
• Spam: Registration Confirmation
• Your Password
• Your IP was logged
• Paris_Hilton_&_Nicole_Richie
• You visit illegal websites
Message body: (any of the following)
hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not sure!
plz read and check ...
cyaaaaaaa
---
This is an automatically generated Delivery Status Notification.
SMTP_Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.
The full mail-text and header is attached
---
Account and Password Information are attached!
***** Go to: Error! Hyperlink reference not valid.
***** Email: {random}.com
---
Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.
Important:
Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison
*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000
---
Account and Password Information are attached! ---
The Simple Life:
View Paris Hilton & Nicole Richie video clips , pictures & more ;) Download is free until Jan, 2006!
Please use our Download manager.
Attachment: (any of the following)
• mailtext.zip
• mail.zip
• reg_pass.zip
• mail.zip
• reg_pass-data.zip
• question_list.zip
• list.zip
• downloadm
• mail_body.zip
The attached .ZIP file contains the copy of this worm using the following file name:
File-packed_dataInfo.exe
When executed, it displays a fake error message box in order to trick a user into thinking that the file did not properly execute.
This worm searches the process list of the affected system for mrt.exe, the Microsoft Windows Malicious Software Removal Tool process. If found, it terminates the said process thus making the system more vulnerable to malicious attacks.
For more information on WORM_SOBER.AG, you can visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBER.AG
--
Mary P. Blanton, Owner
The Needlework House
3360 Satellite Blvd
Suite 5
Duluth, GA 30096
(770) 622-4249
[log in to unmask]
[log in to unmask]
http://www.needleworkhouse.com
VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask] In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html
|