Virus Alerts
W32.Sober.X Worm
11/22/2005

All Ball State University computer users should be aware of an ongoing threat of the W32.Sober.X worm. W32.Sober.X is a mass-mailing worm that uses its own SMTP engine to spread. It sends itself as an e-mail attachment to addresses gathered from the compromised computer. The e-mail may be in either English or German.

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Also Known As:  CME-681, WORM_SOBER.AG [Trend Micro], W32/Sober-{X, Z} [Sophos], Win32.Sober.W [Computer Associates], Sober.Y [F-Secure], W32/Sober@MM!M681 [McAfee]

W32.Sober.X attempts to send a copy of itself to the e-mail addresses it gathers. The e-mail may be in either English or German, and has the following characteristics:

  • From: [SPOOFED]

  • Subject: One of the following:
      • Your Password
      • Registration Confirmation
      • smtp mail failed
      • Mail delivery failed
      • hi, ive a new mail address
      • You visit illegal websites
      • Your IP was logged
      • Paris Hilton & Nicole Richie

  • Message: One of the following:
      • Account and Password Information are attached!
        Protected message is attached!
        =====dHSd9SZd;99zZ((EEEA
        =====dw1W)6ZdzSL91WR
        ***** Go to: [http://]www.[DOMAIN NAME OF SENDER]
        ***** Email: postman
      • This is an automatically generated Delivery Status Notification.
        SMTP_Error []
        I'm afraid I wasn't able to deliver your message.
        This is a permanent error; I've given up. Sorry it didn't work out.
        The full mail-text and header is attached!
      • hey its me, my old address dont work at time. i dont know why?!
        in the last days ive got some mails. i' think thaz your mails but im not sure!
        plz read and check ...
        cyaaaaaaa
      • Dear Sir/Madam,
        we have logged your IP-address on more than 30 illegal Websites. Please answer our questions!
        The list of questions are attached.
        Yours faithfully,
        Steven Allison
        Department Office Admin Mail Post
        ===dkX XbW6dxPbXWPdSDd@R2XL9)CW9)SRd?kx@?
        ===dt4OduXRRL062WR)Wd.2XRPX,dKa,dnSS1d4vvy
        *** Federal Bureau of Investigation -FBI-
        *** 935 Pennsylvania Avenue, NW, Room 3220
        *** Washington, DC 20535
        ++++ Central Intelligence Agency -CIA-
        ++++ Office of Public Affairs
        ++++ Washington, D.C. 20505
        ++++ phone: (703) 482-0623
        ++++ 7:00 a.m. to 5:00 p.m., US Eastern time
      • The Simple Life:
        View Paris Hilton & Nicole Richie video clips , pictures & more ;)
        Download is free until Jan, 2006!
        Please use our Download manager.

  • Attachment: One of the following:
      • reg_pass.zip
      • reg_pass-data.zip
      • mail.zip
      • mail_body.zip
      • mailtext.zip
      • list[RANDOM CHARACTERS].zip
      • question_list[RANDOM CHARACTERS].zip
      • downloadm.zip

The attachment will contain the following file, which is a copy of the worm:

File-packed_dataInfo.exe
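
The subject lines, attachment names, and packed file name listed above can be combined into a mail-gateway check. The following is an added example, not part of the original alert or of any vendor tool. It assumes [RANDOM CHARACTERS] is a run of letters or digits, and the sample message it builds is constructed with a harmless text stub inside the ZIP.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Indicators copied from the alert above.
SUBJECTS = {s.lower() for s in (
    "Your Password", "Registration Confirmation", "smtp mail failed",
    "Mail delivery failed", "hi, ive a new mail address",
    "You visit illegal websites", "Your IP was logged",
    "Paris Hilton & Nicole Richie")}
# Assumption: [RANDOM CHARACTERS] is a run of letters/digits.
ATTACH_RE = re.compile(
    r"^(reg_pass(-data)?|mail(_body|text)?|downloadm"
    r"|(question_)?list[a-z0-9]*)\.zip$", re.I)
PAYLOAD = "file-packed_datainfo.exe"

def zip_has_payload(data):
    """True if the ZIP lists the worm's file name; unreadable ZIPs give False."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().rsplit("/", 1)[-1] == PAYLOAD
                       for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def score(raw_bytes):
    """Return the set of indicator kinds matched by one raw message."""
    msg = email.message_from_bytes(raw_bytes)
    hits = set()
    # Subject alone is weak: "Mail delivery failed" is common in real bounces.
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACH_RE.match(name.strip()):
            hits.add("attachment")
            if zip_has_payload(part.get_payload(decode=True) or b""):
                hits.add("payload")
    return hits

def make_sample(subject, filename, member):
    """Constructed test message; the ZIP member is a harmless text stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "constructed placeholder, not malware")
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("body")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename=filename)
    return m.as_bytes()
```

A message that matches only "subject" is likely a legitimate bounce or registration mail; quarantine decisions are better keyed on "attachment" together with "payload".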

To protect your PC from this worm, you should be running Symantec virus definitions version 11/22/2005 rev. 5 or greater, which are required to detect this threat. If you do not have Symantec AntiVirus already installed on your computer system, please visit http://www.bsu.edu/antivirus/.

All Windows computer users should also perform regular updates by going to http://windowsupdate.microsoft.com/ or by configuring the Windows Update Service to perform automatic updates to your computer.