Virus Notice-- emerging ESMTP capable virus!

Straight_Man (Geeky, in my own way; Naples, FL; Icrontian)
edited October 2003 in Science & Tech
http://www.viruslist.com/eng/viruslist.html?id=302666

This link is to a virus encyclopedia entry at Kaspersky Lab's virus list (think of it as equivalent to Symantec's Virus Encyclopedia) that masquerades as a Norton Antivirus fix that uses system settings to get around a purported problem with NAV fighting SoBig. The attachment is typically called NAV.gif and it is NOT a picture, it IS a virus payload that might be related to the SoBig worm, as one of the things it does is use an ESMTP engine that sends email with the attachment and praises the SoBig creator in the email and the code of the virus. So far as is known now, this is an ALL-Windows virus and it grabs email addresses from not only email address books but any HTML files on your computer. Kaspersky is classing it as an epidemic potential virus.

Purge any email with a NAV.gif attachment on arrival, please, admins.

I AM GOING TO QUOTE THE Kaspersky EMAIL TO ME IN ITS ENTIRETY:

General News. Tuesday, October 28, 2003
******************************************************************

1. Sober Sings the Praises of Sobig
2. How to subscribe/unsubscribe
3. Security Rules

****

1. Sober Sings the Praises of Sobig

A new Internet worm lavishes praise on the author of Sobig while
masquerading as anti-virus software.

Kaspersky Labs, a leading expert in data security software development,
warns about the start of a virus epidemic from the Sober Internet worm.
Sober was first detected this past Saturday, but is now observed surging
in activity in connection with the beginning of the workweek.

Sober is a classic Internet worm that spreads via e-mail. Infected
e-mail messages can have various body texts in English and in German;
additionally the infected file attachment can have one of several file
extensions (PIF, BAT, SCR, COM, EXE). All of this makes it significantly
more difficult to identify from outside appearances.

Example of a message infected with the Sober:

Subject: New Sobig-Worm variation (please read)

Message body text: New Sobig variation in the net. You must change any
settings before the worm control your computer! But, read the official
statement from Norton Anti Virus!

Attachment name: NAV.pif

If the infected attachment is mistakenly opened the Sober worm is
activated and proceeds to display a false error message:

File not complete!

Using different file names, Sober creates three copies of itself in the
Windows system directory, and registers these copies in the system
registry's auto-run key. Next, the worm launches its spreading routine
in which Sober first searches victim computers for files that may
contain e-mail addresses (such as HTML, WAB, EML, PST, etc. file types),
and then clandestinely, under the guise of the computer owner, sends
itself out to the e-mail addresses found.

The worm's body contains text strings in which its author expresses his
admiration for the creator of another network worm, Sobig.

The defense against Sober has already been added to the Kaspersky
Anti-Virus database. More detailed information about this malicious
program can be found in the Kaspersky Virus Encyclopedia -
http://www.viruslist.com/eng/viruslist.html?id=302666



**
1. Write to us at: webmaster@kaspersky.com


2. How to subscribe/unsubscribe

If you would like to subscribe to other Kaspersky Labs news blocks or
to unsubscribe from this news block, you can do so by visiting
http://www.kaspersky.com/subscribenow.html

3. Security Rules

Please note that Kaspersky Labs news messages are sent only in plain text format and never under any circumstances do they include file attachments. If you receive an email not meeting these strict guidelines, please under no circumstances open it. Instead, forward it to Kaspersky Labs technical support (support@kaspersky.com) so its contents can be examined.

If you experience any problems with this procedure, please contact us at:
webmaster@kaspersky.com

****

Best regards,

Kaspersky Labs

10 Geroyev Panfilovtcev St.
125363, Moscow,
Russia
tel: +7 (095) 797 87 00
fax: +7 (095) 948 43 31
http://www.kaspersky.com
ftp://ftp.kasperskylab.ru
webmaster@kaspersky.com
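
A mail-gateway style check for the advice above, as an added example that is not part of the original post or of Kaspersky's notice: it flags attachments with the extensions the notice lists, and attachments whose content starts with the Windows executable `MZ` signature behind a harmless-looking name such as NAV.gif. The function names, addresses and sample messages are constructed for illustration, and the sample payload bytes are inert.

```python
import email
from email.message import EmailMessage
from pathlib import PurePosixPath

# Attachment extensions listed in the Kaspersky notice for Sober.
RISKY_EXTENSIONS = {".pif", ".bat", ".scr", ".com", ".exe"}


def suspicious_attachments(raw_message):
    """Return (filename, reason) for every attachment worth quarantining."""
    findings = []
    for part in email.message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue  # body text or multipart container, not an attachment
        ext = PurePosixPath(name.strip().lower()).suffix
        payload = part.get_payload(decode=True) or b""
        if ext in RISKY_EXTENSIONS:
            findings.append((name, "executable extension"))
        elif payload[:2] == b"MZ":
            # DOS/PE header hidden behind a harmless-looking name (NAV.gif)
            findings.append((name, "executable content, misleading name"))
    return findings


def build_sample(filename, content, maintype, subtype):
    """Build a constructed test message; the payload bytes are inert."""
    msg = EmailMessage()
    msg["Subject"] = "New Sobig-Worm variation (please read)"
    msg["From"] = "sender@example.com"  # constructed address
    msg["To"] = "admin@example.com"     # constructed address
    msg.set_content("Constructed sample body.")
    msg.add_attachment(content, maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("NAV.pif", b"MZ\x90\x00", "application", "octet-stream"),
        build_sample("NAV.gif", b"MZ\x90\x00", "image", "gif"),
        build_sample("photo.gif", b"GIF89a\x01\x00", "image", "gif"),
    ]
    for raw in samples:
        print(suspicious_attachments(raw))
```
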