The Computer Guys

Miami to Fort Lauderdale Since 1994 - Thank You!

We Build the Best & Repair the Rest! ©

Top 10 malware reported to Sophos in May 2005

Position

Last
month

Malware

Percentage of reports

New

W32/Sober-N

43.8%

W32/Zafi-D

14.5%

W32/Netsky-P

13.1%

W32/Netsky-D

3.1%

W32/Zafi-B

2.0%

New

W32/Mytob-AZ

1.6%

W32/Mytob-Z

1.5%

W32/Netsky-Z

1.5%

New

W32/Mytob-E

1.5%

New

W32/Netsky-N

1.4%

Others

16.0%

W32/Sober-N is a mass-mailing worm which sends itself to addresses harvested from the infected computer.

The email sent by W32/Sober-N depends on the recipient address. Emails sent to recipients whose email address is in the .de, .ch, .at, .li domains or contains the string "gmx." will receive an email as follows:

Subject line:

Ihr Passwort
Mail-Fehler!
Ihre E-Mail wurdeverweigert
Ich bin's, was zum lachen :)
Glueckwunsch: Ihr WM Ticket
WM Ticket Verlosung
WM-Ticket-Auslosung
Ich habe Ihre E-Mail bekommen!

Message text:

Herzlichen Glueckwunsch,

Passwort und Benutzer-Informationen befindensich in der beigefuegten Anlage.

Diese E-Mail wurde automatisch erzeugt

Mehr Information finden Sie unter <URL>

Folgende Fehler sind aufgetreten:

Fehler konnte nicht Explicit ermittelt werden

End Transmission

Aus Datenschutzrechtlichen Gruenden, muss die vollstaendige E-Mail incl. Daten gezippt & angehaengt werden.

Wir bitten Sie, dieses zu beruecksichtigen.

Nun sieh dir das mal an!

--- FIFA-Pressekontakt:
beim Run auf die begehrten Tickets fnr die 64 Spiele der Weltmeisterschaft 2006 in Deutschland sind Sie dabei.

Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.

Mail-Scanner: Es wurde kein Virus festgestellt,AntiVirus: Kein Virus gefunden,AntiVirus-
System: Kein Virus erkannt

Attached file:

Fifa_Info-Text.zip
okTicket-info.zip
our_secret.zip

The attached filenames may contain an optional prefix of "error-" or an optional suffix of "-Text" followed by the ZIP extension. Example: our_secret-Text.zip

Email sent to other addresses will have the following characteristics:

Subject line:

mailing error
Registration Confirmation
Your email was blocked
Your Password

Message text:

This is an automatically generated E-Mail Delivery Status Notification.

Mail-Header, Mail-Body and Error Description are attached
(See attached file: <zip file name>)

Account and Password Information are attached!

Visit: <URL>

*** AntiVirus: No Virus found
*** "<vendor name>" Anti-Virus
*** <vendor url>
(See attached file: <zip file name>)

Account and Password Information are attached!

Visit: <URL>
(See attached file: <zip file name>)

Account and Password Information are attached!

Visit: <URL>

*** Server-AntiVirus: No Virus (Clean)
*** "<vendor name>" Anti-Virus
*** <vendor url>
(See attached file: <zip file name>)

ok ok ok,,,,, here is it

*** AntiVirus: No Virus found
*** "<vendor name>" Anti-Virus
*** <vendor url>
(See attached file: <zip file name>)

Attached file:

mail_info.zip
account_info.zip
our_secret.zip

The attached filenames may contain an optional prefix "error-" or an optional suffix "-text" followed by the ZIP file extension.

The ZIP file will contain an executable file named Winzipped-Text_Data.txt<spaces>.pif

The From address line will be faked.



A typical email sent by the Sober-N worm.

W32/Sober-N attempts to disable anti-virus products. When it does so, the worm may display a message box containing the following text:

No Viruses, Trojans or Spyware found!
Status: OK



The Sober-N worm can display a message box

This web is optimized for 800 x 600 monitor resolution or above and the latest web browser. Get the latest IE or Netscape web browser. (you need to connect to the internet first)