New email worm on the loose
p2pnet.net Virus News:- There’s a new worm in town.
Sober.i.
It’s a classic email worm except for its in-built ability to download other files from remote servers, declares the Kaspersky Virus Lab, saying it’s "receiving numerous notifications about the worm from Western Europe".
In most respects, Sober.i behaves like a typical email worm, says the company.
It’s activated only if the infected attachment is opened, but if that happens, Sober displays a fake error message, namely:
WinZip Self-Extractor. WinZip_Data_Module is missing ~Error.
Then Sober.i creates two files in the Windows directory with random names based on a list in the code, says Kaspersky. "These files harvest emails from the infected machine and send infected messages to these addresses."
The worm registers these files in the system registry auto-run key and creates additional files in the Windows directory. To spread, it scans the local machine for email addresses and mails copies of itself to every address it finds via a direct connection to an SMTP server.
"The infected emails have random subjects and body texts in English or German chosen from about a dozen variations," says Kaspersky, adding that the attachment containing the worm can have either a .pif, .zip or .bat extension.
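Because the subjects and body texts are random, the attachment type is the stable thing a mail gateway can check. The sketch below is an added example, not code from Kaspersky or p2pnet: it flags the three extensions named above and, going one step beyond the article, looks inside .zip attachments for executable members. The function names, the executable-extension list and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the article lists for the infected attachment.
ARTICLE_EXTS = {".pif", ".zip", ".bat"}
# Assumption: member types treated as executable when found inside a .zip.
EXEC_EXTS = {".pif", ".bat", ".exe", ".scr", ".com", ".cmd"}

def ext(name):
    """Lower-cased final extension, so 'readme.txt.bat' yields '.bat'."""
    name = name.strip().lower()
    return name[name.rfind("."):] if "." in name else ""

def scan_message(raw):
    """Return (attachment filename, reason) findings for one raw message."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ext(name) not in ARTICLE_EXTS:
            continue
        if ext(name) != ".zip":
            findings.append((name, "directly executable attachment"))
            continue
        try:  # look inside the archive instead of trusting its name
            data = part.get_payload(decode=True) or b""
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [m for m in zf.namelist() if ext(m) in EXEC_EXTS]
        except zipfile.BadZipFile:
            findings.append((name, "unreadable archive"))
            continue
        findings.extend((name, "archive contains " + m) for m in members)
    return findings

def build_sample():
    """Constructed message: a .pif, a .zip holding a .bat, a harmless .txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt.bat", "constructed placeholder")
    msg = EmailMessage()
    msg.set_content("constructed body")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="mail_data.pif")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    msg.add_attachment("hello", filename="notes.txt")
    return msg.as_bytes()
```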
===================
See:-
classic email worm - New Sober on the loose in Europe, Kaspersky Virus Lab, November 19, 2004





November 20th, 2004 at 6:03 am
Hope they find the guy that let this loose on the net and cut his Balls off!!!!!!