Watch this worm


BOAC
22nd Nov 2005, 08:18
Latest alert from 'Trend' - this worm:

WORM_SOBER.AG

seems to be spreading fairly fast at the moment.

I am getting 3-4 emails a day with this title, generated by this worm.

NB Infected machines will NOT show any obvious outbound email activity.

Emails it sends may contain one of the following titles:

- hi,_ive_a_new_mail_address
- Mail delivery failed
- Registration Confirmation
- smtp mail failed
- Spam: Registration Confirmation
- Your Password
- Your IP was logged
- Paris_Hilton_&_Nicole_Richie
- You visit illegal websites

****DO NOT OPEN****. IF you open one of these emails, the worm will execute and infect your machine.

When executed, it displays a fake error message box in order to trick a user into thinking that the file did not properly execute.

This worm searches the process list of the affected system for mrt.exe, the Microsoft Windows Malicious Software Removal Tool process. If found, it terminates the said process thus making the system more vulnerable to malicious attacks.

***NB Do NOT send this message to all your friends!!!***

IF you do not run an antivirus programme, watch out for these emails and get one!

It is also worth reminding folk using OE that using the email 'Preview' function can allow emails to open and run themselves.

BOAC
22nd Nov 2005, 12:51
It is definitely spreading! 3 out of 5 emails at the moment on average.

Should have kept quiet!! 12/13 this time.

Conan the Librarian
22nd Nov 2005, 18:26
Norton broadcast an Outbreak alert earlier today, but it is time for everyone to update their anti virus definitions I think.


Conan

Hew Jaz
22nd Nov 2005, 19:35
It is also worth reminding folk using OE that using the email 'Preview' function can allow emails to open and run themselves.

Always curious about this. I don't preview emails as such. But, by right clicking on an email, selecting properties, details and then message source, it is possible to view the details of a mail.

Could this method be considered as 'opening' the email? Can this allow a virus to be executed?

Background Noise
22nd Nov 2005, 19:40
Very timely warning - got one today and I think I have only ever had one other suspicious thing before, so thanks.

Mine was titled 'mail delivery failed' and addressed to someone other than me strangely. The worm did not appear to be in the email but in zip file attachment - which did not get run.

Got the Norton outbreak alert at the same time - but why if I have automatic updates selected does it simply come up with the alert, with a click here to 'protect me' button. That seems like a manual update to me!

BOAC
22nd Nov 2005, 20:52
Hew - I have always wondered too! Anybody know for sure?

hobie
22nd Nov 2005, 20:56
Got the Norton outbreak alert at the same time - but why if I have automatic updates selected does it simply come up with the alert, with a click here to 'protect me' button. That seems like a manual update to me!

NAV checks for updates every 4 hours... could be just timing... a good habit to get into is to hit the 'Live Update' button as soon as you log onto the web... doesn't take a sec and you will be starting a web session with NAV bang up to date every time.

The Outbreak alert came through to me a few minutes after logging on but stated I was already protected (because I had run the 'Live Update' as soon as I logged on per normal)

Spinflight
22nd Nov 2005, 21:35
I'd imagine, unless told specifically otherwise, that preview does indeed constitute opening said email...

I'll give my reasons to be cautious unless someone else knows better....

Outlook will happily display emails which are in html format. Now if Outlook or OE defines its own browser to read said emails then all is probably well and good, providing you don't manually open it.

However if Outlook uses a plugin of Internet Explorer to preview or read the email then it could be a problem as IE will automatically download executable files of certain file extensions (like .ocx) and run them. Windows tends to use plugins, termed, I think, OLE's for stuff like showing Excel tables in Word etc so I'd be very cautious....

Conan the Librarian
22nd Nov 2005, 22:32
Norton should scan and screen emails, both in and outbound. But only of use if the virus signature is recognised!!!! So - don't get your knickers in a terminal twist fellow sufferers - well, not if you update regularly and are also healthily skeptical... I think I am fairly safe, as I wear rubber gloves and a condom whilst at the keyboard.


Conan

BOAC
23rd Nov 2005, 07:38
as I wear rubber gloves and a condom whilst at the keyboard - well, that gives us a clue to your surfing habits...

Earl
23rd Nov 2005, 07:48
Received several this morning myself.
It appears that Hotmail won't allow you to open the attached file due to the virus.

Spinflight
24th Nov 2005, 10:27
I've checked and Outlook does indeed use OLE technology to show html content so preview will download the virus to your system.

Looks like another incarnation of the ActiveX security bugs which allow automatic execution of automatically downloaded code.

I think there's a registry setting which allows you to turn this off (safe_for_scripting rings a bell) but until I look it up you'd be better off disabling preview in Outlook else you could accidentally preview it, especially if you have multiple copies of the email on your system.

True enough that Norton etc scans emails but there are so many ways around this feature, which are built into the script kiddie tools, that I wouldn't rely on it.

BOAC
26th Nov 2005, 08:01
Away for 3 days and the joy of 97 infected emails waiting for me on return! Luckily all trapped by mailwasher and anti-virus, but WHEN WILL these people get antivirus protection??

This is becoming a serious outbreak.

EDIT TO ADD: new notification of another 're-surfacing' of 'WORM_MYTOB.MX' with extra email 'titles' to watch for AND NOT OPEN!!

- DETECTED Online User Violation
- Important Notification
- MEMBERS SUPPORT
- Notice Account limitation
- Security Measures
- WARNING MESSAGE YOUR SERVICES NEAR TO BE CLOSED
- You have successfully updated your password
- Your Account is Suspended
- Your Account is Suspended For Security Reasons
- Your password has been successfully updated
- Your Password has been updated

...and quite a smart move too, as the email says:

"Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service. "

- got to hand it to them...

BOAC
26th Nov 2005, 19:09
We now have 3 separate threads on the same outbreak! This one is big. Given a few more days and I think it will clog up the email systems. Both 'mytob' and 'sober' are now lead warnings on most anti-virus web sites.

It is worth repeating for the 84th time, it matters not whether you DO 'visit illegal sites' or not, or if you have passwords that may have expired. IF just ONE of your acquaintances has your email address on their computer, and they are stupid/unprotected or whatever enough to open a virus attachment, these worms will infect them and send to most if not all of the email addresses they hold INCLUDING yours. If YOU are stupid/unprotected...

Urge ALL your friends/email contacts to
1) Get an anti-virus programme
2) Keep it updated
3) Not to open ANY attachment that they are not expecting

Re 2) - any update frequency is better than none, but it is best to choose a programme with frequent updates and set your machine to take the highest frequency. YOU are, of course, well protected and updated, aren't you? There are FREE anti-virus packages out there, if money is a problem!

Again, to repeat - most of these viruses forge the 'from' address on an email, so you cannot tell from where it really came. Most of them (and these 2) have their own email sending programme 'built in' - they do NOT use yours, be it Outlook etc or whatever. It is extremely difficult to tell if YOU are sending these out as there is no indication (without a firewall), and they WILL be doing it whenever you are 'on-line'.
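A mail-gateway filter built from the lure subject lines and the zip-attachment pattern described in this thread, as an added example (not code from the thread or from any anti-virus vendor). It ignores the From header entirely, for the reason the post above gives; the subject lists are copied from the posts, and the sample message is constructed.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Lure subjects quoted in the thread (WORM_SOBER.AG, then WORM_MYTOB.MX), lower-cased.
SOBER = {"hi,_ive_a_new_mail_address", "mail delivery failed", "registration confirmation",
         "smtp mail failed", "spam: registration confirmation", "your password",
         "your ip was logged", "paris_hilton_&_nicole_richie", "you visit illegal websites"}
MYTOB = {"detected online user violation", "important notification", "members support",
         "notice account limitation", "security measures",
         "warning message your services near to be closed",
         "you have successfully updated your password", "your account is suspended",
         "your account is suspended for security reasons",
         "your password has been successfully updated", "your password has been updated"}
# zip is what the thread saw the worm arrive in; the rest are directly executable.
RISKY_EXT = re.compile(r"\.(zip|exe|scr|pif|bat|cmd|com)$", re.IGNORECASE)

def classify(raw: bytes) -> dict:
    """Verdict for one raw RFC 822 message. The From header is ignored on purpose:
    the thread notes these worms forge it, so it says nothing about the real sender."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = " ".join(str(msg["subject"] or "").split()).lower()
    reasons = []
    if subject in SOBER:
        reasons.append("subject matches a WORM_SOBER.AG lure")
    if subject in MYTOB:
        reasons.append("subject matches a WORM_MYTOB.MX lure")
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    risky = [n for n in names if RISKY_EXT.search(n)]
    if risky:
        reasons.append("risky attachment(s): " + ", ".join(risky))
    # Hold the mail only when a lure subject and a risky attachment coincide, so a
    # genuine bounce with no attachment is not quarantined on its subject alone.
    quarantine = bool(risky) and subject in SOBER | MYTOB
    return {"subject": subject, "attachments": names, "reasons": reasons,
            "quarantine": quarantine}

def sample_sober_message() -> bytes:
    """Constructed message shaped like the 'Mail delivery failed' lure; not a real sample."""
    m = EmailMessage()
    m["From"] = "postmaster@example.invalid"  # constructed; the real worm forges this
    m["To"] = "you@example.invalid"
    m["Subject"] = "Mail delivery failed"
    m.set_content("Your message could not be delivered. Details are attached.")
    m.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                     subtype="zip", filename="mail.zip")
    return m.as_bytes()
```

Feed `classify()` each message as it arrives at the gateway and route anything with `quarantine` set to a holding folder rather than the user's inbox.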

Spinflight
27th Nov 2005, 13:40
To be fair to the email client vendors, they do make it very difficult to send malicious virus-containing emails; however, that doesn't stop the virusmongers from using any email server with an open port 25 to spread these things from the command line.

The only way to prevent your computer becoming infected through ActiveX bugs is to turn off ActiveX scripting, though even this still allows ActiveX to be abused through the Office dlls.

Go to Tools > Internet Options > Security > Custom and check the disable radio button for ALL of the ActiveX options. This will stop IE (I'm assuming that anyone who uses Moz / FF / Opera knows what they're doing) from running malicious code from websites.

If you run into a site which uses Flash etc then add it to the trusted sites list in the above and you'll still be able to view them.

This however only works for IE, most people don't realise that Outlook, OE etc can have their own settings.

In OE (sorry, don't have a copy of Outlook to hand) go to Tools > Options > Read and untick the download to preview in preview pane. Then go to > Security and set the Zone to Restricted Sites, which you should then configure in IE for later versions of OE. Older versions allow you to configure the zone yourself (which I think was better).

This still doesn't completely prevent ActiveX scripts from running on your computer through email though. Bugs in Access and PowerPoint DLLs will still allow malicious code to run automatically unless you set an admin password for each Office component (yes really).

To the best of my knowledge these issues have only partly been fixed (the Access vulnerability is particularly nasty); however, the workaround is...

Tools > Security > User and Group Accounts > Admin > Change logon password Tab. Assign a password. This should prevent VBA code being run with root privileges. Any coders out there, I'm sure, know just what could be done with this vulnerability.

Microsoft has patched various loopholes over the last couple of years (before that (most of these vulns have been known about since 99 or 2000) they simply sat on their bottoms and trotted out the company line that "it wasn't their fault that people abused email"); however, most peeps tend to wait until a Service Pack is available.

Don't; use the Microsoft website to check for updates, which, btw, requires ActiveX...

Win XP can be a secure system; my problem with it is that you need to be close to a qualified sysadmin to make it so. Oh, and let's not forget that there are nasties out there which can change your security settings even if you are conscientious enough to disable them.

BOAC
10th Dec 2005, 08:17
Partly to bring this back to the top, as it is still 'prevalent', and also to advise of a warning for the 'Happy New Year'.

Possibly on the 5th of January or 6th of January, a new SOBER variant is expected to be released by the same group that caused the recent WORM_SOBER.AG outbreak in November.

It is thought that WORM_SOBER.AG will download an executable file 'Sober.exe' on these dates (encrypted within the SOBER.AG worm). The URLs involved are 'hidden' and an algorithm based on the date will generate the exact URLs.

With acknowledgements to Trendmicro.com

May I also remind all that this company offer an excellent 'online' check of your machine 'as is', via this site: http://housecall.trendmicro.com/
Yes, it does poke around in your 'innards' but I have been using it fairly regularly for several years without any problems.

flynverted
29th Dec 2005, 11:47
Just found this
http://www.nbc12.com/servlet/Satellite?pagename=WWBT%2FMGArticle%2FWBT_BasicArticle&c=MGArticle&cid=1128768964649

A computer virus called the “Sober Worm” is set to strike next week and may already be on many computers. Experts say it could disrupt the internet worldwide when it activates.

The Sober Worm virus is set to strike January 5, which coincides with the anniversary of the founding of Germany's Nazi Party. The virus is said to spew forth millions of e-mail messages filled with pro-Nazi propaganda in English and in German.

Many worm viruses aim at taking personal information and sending it to those who can use it for their own reasons. This virus aims at disrupting the tool many have come to rely on: the internet.

It's already been found on thousands of computers waiting to activate.

“I would assume that no matter what computer you have, you've got to worry about it,” said computer virus expert Joshua Nelson. “Just keep up a few key things and you can be okay.”

Nelson said the last variant was on 60 percent of all computers in less than a week. This “Sober Worm” virus is being passed around as an email attachment.

Though it has the potential to cripple personal computers, there's still time to protect yourself. Find out if your computer already has the “Sober Worm” virus with anti-virus software like Norton and McAfee.

BOAC
1st Jan 2006, 19:03
3 and a bit days to go?

BOAC
14th Jan 2006, 07:59
Possibly on the 5th of January or 6th of January, a new SOBER variant is expected to be released by the same group that caused the recent WORM_SOBER.AG outbreak in November... err - did I miss something?

flynverted
2nd Feb 2006, 14:48
From Yahoo News:

Kama Sutra Worm Set for Attack on Feb. 3 (http://news.yahoo.com/s/nf/20060201/tc_nf/41336;_ylt=AnFiv8XUNUt2rDUNmjasZkTJ2sUA;_ylu=X3oDMTBiMW04NW9 mBHNlYwMlJVRPUCUl)

NewsFactor - Wed Feb 1, 6:54 PM ET Security analysts are warning computer users about a new and potentially destructive Internet worm that can obliterate important documents. The worm, called Kama Sutra, is making the rounds now, but is scheduled to execute its first massive attack on February 3. The malicious worm targets computers running Windows and spreads primarily by copying itself to shared network locations and then sending itself to e-mail addresses found on afflicted computers. With subject lines that read "the best videoclip ever," "give me a kiss," and "school girl fantasies gone bad," the worm entices computer users to open the attached file.