New SOBER variant In-the-wild!

TrendLabs has received several reports regarding this new SOBER variant that is currently spreading in Germany and the United States.

This worm spreads by mass-mailing copies of itself to target recipients. Using social engineering techniques, it sends out an email supposedly sent by the soccer organization FIFA, informing recipients that they have won tickets for the upcoming FIFA World Cup 2006 in Germany.

Social engineering, a propagation technique that is widely utilized by most worm programs, invests largely on computer users’ instinctive tendency to open email messages, execute attachments that are enticing and apparently harmless, and download and unknowingly open attractively named files.

TrendLabs is working to provide a more in-depth analysis of this malware. Details will be posted shortly.

Description created: 2005-05-02
Description updated: 2005-05-02

http://de.trendmicro-europe.com/enterprise/vinfo/encyclopedia.php?VName=WORM_SOBER.S

FROM: %spoofed%

SUBJECT:

Re: Your Password

Re: Registration Confirmation

Re: Your email was blocked

Re: mailing error

FwD: Ihr Passwort

FwD: Ihre E-Mail wurde verweigert

FwD: Ich bin’s, was zum lachen ;)

FwD: Glueckwunsch: Ihr WM Ticket

FwD: WM Ticket Verlosung

FwD: WM-Ticket-Auslosung

BODY:

Account and Password Information are attached!
Visit: http://www…com

This is an automatically generated E-Mail Delivery Status Notification.
Mail-Header, Mail-Body and Error Description are attached
Attachment-Scanner: Status OK,AntiVirus:
No Virus found,Server- AntiVirus: No Virus (Clean)

Passwort und Benutzer-Informationen befinden sich in der beigefuegten Anlage.

- http://www.
- MailTo: PasswordHelp@

**** AntiVirus: Kein Virus gefunden
**** “GMX” AntiVirus Service
**** WebSite: http://www.gmx.de

*** AntiVirus: No Virus found
*** “HBEDV” Anti-Virus
*** http://www.hbedv.com

ATTACHMENT:

mail_info.zip

our_secret.zip

Fifa_Info-Text.zip

okTicket-info.zip

free_PassWort-Info.zip

Winzipped-Text_Data.txt.exe

Winzipped-Text_Data.txt.pif

http://www.antivir.de/de/vireninfos/index.html

http://de.mcafee.com/virusInfo/default.asp?id=description&virus_k=133409

I think the major thing here is not to panic and exercise safe hex, i.e. don’t go opening email attachments from unknown sources and even then unexpected emails with attachments.

;D
Doing its rounds in New Zealand. Received 3 in 1 hour so far.
Don’t open or Run the attached EXE file in the Zipped File.
Zipped file name:= our_secret.zip
Attached File:= winzipped-text_data . txt . exe
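
An added example, not part of any post in this thread: a mail-gateway style check for the naming trick reported above, where a ZIP attachment such as our_secret.zip holds a file ending in .txt.exe or .txt.pif. The function names are hypothetical, the extension lists beyond .exe, .pif and .txt are assumptions, and the sample message is constructed with a harmless placeholder file.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# The thread shows .txt as the decoy and .exe/.pif as the real type; the rest are assumptions.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg"}


def is_deceptive(name):
    """True for names such as 'x.txt.exe': a decoy extension followed by an executable one."""
    parts = name.lower().replace(" ", "").rsplit(".", 2)
    return (len(parts) == 3 and "." + parts[2] in EXECUTABLE_EXTS
            and "." + parts[1] in DECOY_EXTS)


def scan_message(raw):
    """Return (attachment, member) pairs whose names use the double-extension trick."""
    hits = []
    msg = message_from_bytes(raw)
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue  # multipart containers and the text body carry no filename
        if is_deceptive(fname):
            hits.append((fname, fname))  # executable attached directly, not zipped
        payload = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                hits += [(fname, m) for m in zf.namelist() if is_deceptive(m)]
    return hits


def build_sample():
    """Constructed test message: a ZIP holding a harmless placeholder file, no malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Winzipped-Text_Data.txt.exe", b"placeholder, not executable code")
    msg = EmailMessage()
    msg["Subject"] = "Re: Your Password"
    msg.set_content("Account and Password Information are attached!")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="our_secret.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Matching on the name pattern rather than on the exact file names listed in the thread also catches renamed copies, and the check strips spaces so the spaced-out form quoted in the last post is recognised as well.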