A new version of the Sober worm appeared on the Internet early Friday morning and already it is having quite a bit of success infecting users in Europe through the use of social engineering.
Sober.J arrives in an e-mail message that appears to be a returned-mail error message, telling the user that an e-mail sent earlier has bounced. The message typically contains a .zip, .bat, .com, .scr or .pif attachment and a body text that is some variation on the following:
This mail was generated automatically.More info about –YAHOO– under: http://www.yahoo.com——-
Occured_Errors:178.218.194.86_
does_not_like_recipient.# 185:
MAILBOX NOT FOUND# 144:
Giving_up_on_178.218.194.86.# 533:
This_account_has_been_discontinued_
[#413].End——-
The original mail is attached.Auto_Mail.System: [yahoo]
The subject line of the e-mail message varies, but often indicates that the message is a warning about a bounced e-mail, such as:
Delivery_failure_notice
Faulty_mail delivery
Mail_delivery failed
When the recipient opens the attachment, the worm displays a fake error message saying that a portion of the WinZip software is missing. The worm then copies itself to the Windows System folder in two separate locations, using filenames that it constructs dynamically from a small set of common strings, including sys, spool, crypt, host, dir, service, win, run, 32, data, and a few others, according to an analysis by McAfee Inc., based in Santa Clara, Calif. The filename always ends in “exe.”
Sober.J then creates several registry keys to ensure it will be run on startup and searches for e-mail addresses on the infected machine. It then begins mailing itself to all of the addresses it finds.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.