Looks like it is going to be a long week.
WORM_SOBER.AG - Description and solution
As of November 21, 2005 2:20 pm (Pacific Standard Time, GMT -8:00), TrendLabs has declared a Medium risk alert in order to control this new SOBER variant, which is currently spreading in the USA, Canada, Brazil, New Zealand, Belgium, and Germany.
For a comprehensive at-a-glance view of the behavior of this worm, refer to the Behavior Diagram shown below.
This memory-resident worm propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Since its email propagation does not require any user intervention, affected users are often unaware that this worm is sending out email messages from their machines.
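A defender-side check for the behavior described above, as an added example that is not part of the original advisory: because the worm mails through its own SMTP engine, an infected workstation opens port-25 connections to many external mail hosts instead of using the site's relay. The log format, relay address, internal range and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# All values below are assumptions for this example, not from the advisory.
INTERNAL_NET = ip_network("10.0.0.0/8")
APPROVED_RELAYS = {"10.0.0.25"}   # the site's sanctioned mail server
WINDOW = timedelta(minutes=10)
MAX_DESTS = 2                     # distinct external MTAs tolerated per window

# Constructed firewall log: "timestamp src dst dport action"
SAMPLE_LOG = """\
2005-11-21T14:20:01 10.0.0.25 198.51.100.7 25 ALLOW
2005-11-21T14:20:02 10.0.0.25 198.51.100.8 25 ALLOW
2005-11-21T14:20:03 10.0.0.25 203.0.113.9 25 ALLOW
2005-11-21T14:21:00 10.0.1.44 198.51.100.7 25 ALLOW
2005-11-21T14:21:05 10.0.1.44 198.51.100.20 25 ALLOW
2005-11-21T14:21:09 10.0.1.44 203.0.113.5 25 ALLOW
2005-11-21T14:21:30 10.0.1.44 203.0.113.77 25 ALLOW
2005-11-21T14:22:00 10.0.1.50 10.0.0.25 25 ALLOW
2005-11-21T14:00:00 10.0.1.60 198.51.100.7 25 ALLOW
2005-11-21T14:20:00 10.0.1.60 198.51.100.8 25 ALLOW
2005-11-21T14:40:00 10.0.1.60 203.0.113.9 25 ALLOW
truncated line
"""

def direct_smtp_senders(log_text, max_dests=MAX_DESTS, window=WINDOW):
    """Map each non-relay source to its peak count of distinct external
    port-25 destinations inside one window, if that peak exceeds max_dests."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        try:
            ts, src, dst, dport, _action = line.split()
            when, dest, port = datetime.fromisoformat(ts), ip_address(dst), int(dport)
        except ValueError:
            continue                      # malformed or truncated line
        if port == 25 and src not in APPROVED_RELAYS and dest not in INTERNAL_NET:
            events[src].append((when, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = peak = 0
        for end, (when, _) in enumerate(evs):
            while when - evs[start][0] > window:
                start += 1                # slide the window forward
            peak = max(peak, len({d for _, d in evs[start:end + 1]}))
        if peak > max_dests:
            flagged[src] = peak
    return flagged
```

On the constructed log only 10.0.1.44 is reported: the relay is exempt, 10.0.1.50 mails through the relay, and 10.0.1.60 never reaches more than one external host per window.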
The email messages it sends out may be written in English or in German. Below is a sample of the email message it sends:
Like other mass-mailers, this worm utilizes social engineering techniques, such as promising users celebrity pictures or alerting them to alleged illicit behavior, in order to entice users into opening the worm copy attached to the email messages it sends. Specifically, some versions of this worm's email spoof the Federal Bureau of Investigation (FBI) or Central Intelligence Agency (CIA), notifying the user that the agency has found evidence of the user supposedly visiting illegal Web sites. Similarly, one of the German email messages spoofs the Bundeskriminalamt, and threatens legal action against the user's alleged downloads of films, software, and MP3 files.
This worm also displays the following fake error message in order to trick a user into thinking that the file did not properly execute:
It also displays the following message boxes:
This worm is also capable of terminating processes whose names contain certain strings. Moreover, it searches the process list of the affected system for mrt.exe, the Microsoft Windows Malicious Software Removal Tool process. If found, it terminates that process, thus making the system more vulnerable to malicious attacks.
You can find more details on this virus here.