Virus Alerts
Sober.N Worm
4/19/2005  All Ball State University computer users should be aware of an ongoing threat of the Sober.N worm.  Sober.N is a mass-mailing worm that arrives on a system as an e-mail attachment and spreads through file-sharing networks.  It sends copies of itself to all e-mail addresses it gathers from files with certain extensions but skips those addresses that contain particular strings.  The e-mail may be in either English or German.  The e-mail is spoofed and may appear to have come from a familiar e-mail address.

Systems Affected:  Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP.

The e-mail will have the following characteristics:

From:      Spoofed.

Subject:  I've_got your EMail on my_account! 

Body:

Hello,

First, Very Sorry for my bad English.

Someone is sending your private e-mails on my address.

It's probably an e-mail provider error!

At time, I've got over 10 mails on my account, but the recipient are you.

I have copied all the mail text in the windows text-editor for you & zipped then.

Make sure, that this mails don't come in my mail-box again.

bye

Attachment:   your_text.zip

Note:   The attachment is a zip file containing a copy of the worm. The file name within the zip file is mail.document.Datex-packed.exe.
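As an added example (not part of the original alert), a mail administrator could check a raw message against the characteristics listed above without extracting the zip. The function names and the list of generic executable extensions are assumptions, and the sample message is constructed with harmless placeholder bytes.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the alert text.
SUBJECT = "I've_got your EMail on my_account!"
ATTACHMENT = "your_text.zip"
INNER_NAME = "mail.document.Datex-packed.exe"
# Assumption (not from the alert): extensions worth flagging inside any zip.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")

def zip_member_names(data):
    """List member names without extracting; empty list if not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def check_message(raw):
    """Return the reasons a raw RFC 5322 message matches the alert."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if (msg["Subject"] or "").strip() == SUBJECT:
        reasons.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT:
            reasons.append("attachment-name")
        if name.endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            for member in zip_member_names(payload):
                if member == INNER_NAME:
                    reasons.append("inner-name")
                elif member.lower().endswith(EXECUTABLE_EXTS):
                    reasons.append("zipped-executable")
    return reasons

def build_sample(subject, zip_name, member):
    """Constructed test message: the zip holds placeholder bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not a real executable")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Hello,")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

Because the sender address is spoofed, the check relies on the subject and attachment contents rather than the From header.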

The worm attempts to terminate processes whose names contain the following strings:

  • mrt.exe
  • chp*.tmp
  • asw*.tmp

As a general rule, users should avoid opening the attachments of unsolicited e-mail. To protect your PC from this worm, you should be running Symantec virus definitions version 70419b (extended version: 4/19/2005 rev. 2) or greater, which are required to detect this threat.  If you do not have Symantec AntiVirus already installed on your computer system, please visit http://www.bsu.edu/antivirus/.

Also, all Windows computer users should perform regular updates by going to http://windowsupdate.microsoft.com/ or by configuring the Windows Update Service to perform automatic updates to your computer.