Jump to content

new worm, watch out.


Recommended Posts

there's a new worm spreading on the web today. Apparently, it has hit Europe already, so update your AV and firewall. Also, watch out for suspicous email attachments and stuff. Just be careful guys, don't want your precious system got bugged down and not be able to use for awhile. We all know what a pain that is.

Sober.J arrives in an e-mail message that appears to be a returned-mail error message, telling the user that an e-mail sent earlier has bounced. The message typically contains a .zip, .bat, .com, .scr or .pif attachment and a body text that is some variation on the following:

This mail was generated automatically.More info about --YAHOO-- under: http://www.yahoo.com-------


does_not_like_recipient.# 185:


Giving_up_on_178.218.194.86.# 533:



The original mail is attached.Auto_Mail.System: [yahoo]

The subject line of the e-mail message varies, but often indicates that the message is a warning about a bounced e-mail, such as:


Faulty_mail delivery

Mail_delivery failed

When the recipient opens the attachment, the worm displays a fake error message saying that a portion of the WinZip software is missing. The worm then copies itself to the Windows System folder in two separate locations, using filenames that it constructs dynamically from a small set of common strings, including sys, spool, crypt, host, dir, service, win, run, 32, data, and a few others, according to an analysis by McAfee Inc., based in Santa Clara, Calif. The filename always ends in "exe."

Sober.J then creates several registry keys to ensure it will be run on startup and searches for e-mail addresses on the infected machine. It then begins mailing itself to all of the addresses it finds.

Link to comment
Share on other sites

Thanks. Got a couple recently.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...