Topic: Mass Mailing Worm

[Willy Mammoth]

There is a new Mass Mailing Worm out and somebody on this forum is infected. I /we have been getting emails with Zip attachments that are bogus. If you get these do not open them, the Zip attachment is the worm. Please check here for more information and check your system for this.

 http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.o@mm.html
Thanks for practicing safe computering,
Mark

[FATB0Y]

Thanks for practicing safe computering,
Mark

I wear a rubber when online

[Willy Mammoth [OP]]

Me to it's easier to clean up after


But really I got an email error from Postmaster@pirate4x4.com, service@marlincrawler.com and a few others which leads me to believe it is someone on this site that is infected.

[Lady Di]

and I got the same ones but have never been on pirate4x4.com or at least if I have I have never posted there, and I don't email anyone from there that isn't on Marlin, so it's got to be someone that has both my and Mark's address as well as pirate and marlin, as well as quite a few others such as these in my screen capture. All the attachments are zip files:

[RUGER]

Me to it's easier to clean up after


But realy I got a email error from Postmaster@pirate4x4.com, service@marlincrawler.com and a few others which leads me to belive it is someone on this site that is infected.

could be me ...my roomie got something like that last night too. didn't say who it was from...i'll ask him when he gets back from working on his engineering project.

i checked my pirate4x4 email(its in my profile) and i got 9 emails that are titled virus found and email was blocked. they are all in my inbox...i wasnt planning on opening them anyway(they all have todays date on them).
my other email addys dont have anything like that.

how do you get these worm thingys...what do they doo. i didnt send any emails to you.

happy trails
rich *ruger*    

[Willy Mammoth [OP]]

I talked to my web provider service tech and he said it is sent in an email. It was just found today. Go to the link above and read up on it. I just downloaded the latest version of Norton Internet Security.

[Lady Di]

it's a crazy world out here. Not a good idea to surf unprotected for sure. Who the emails are from won't tell you anything as these worms take the addresses from the address books and use random names from there for the TO: box as well. So just because it says it's from so&so doesn't mean anything.
All you have to do is have the email addresses in your address book. Did you have either mine or marks? Did any of those other email addresses look familiar?

Is your roomie on marlin or pirate?

[FATB0Y]

I have Earthlink and they scan my e-mail B-4 I even get it in my mailbox.

[RUGER]

i read some of the link you posted...i dont really understand computer lingo.
so could it be me er not. there are lots here that frequent both pirate and marlin.

happy trails
rich *ruger*  

[Lady Di]

could be me ...my roomie got something like that last night too. didn't say who it was from...i'll ask him when he gets back from working on his engineering project.

i checked my pirate4x4 email(its in my profile) and i got 9 emails that are titled virus found and email was blocked. they are all in my inbox...i wasnt planning on opening them anyway(they all have todays date on them).
my other email addys dont have anything like that.

how do you get these worm thingys...what do they doo. i didnt send any emails to you.

happy trails
rich *ruger*    

From the link above:

W32.Sober.O@mm is a mass-mailing worm that sends itself as an email attachment to addresses gathered from the compromised computer. It uses its own SMTP engine to spread. The email may be in either English or German.

English:

Subject:
One of the following:


Re:Your Password
Re:Registration Confirmation
Re:Your email was blocked
Re:mailing error
Re: [blank]

Message:
One of the following:


ok ok ok,,,,, here is it


Account and Password Information are attached!
Visit: http:/ /www.[random domain]


This is an automatically generated E-Mail Delivery Status Notification.
Mail-Header, Mail-Body and Error Description are attached

Appends one of the following randomly to the bottom of the message:


Attachment-Scanner: Status OK
AntiVirus: No Virus found
Server-AntiVirus: No Virus (Clean)
http:/ / www.[random domain]

Attachment:
One of the following:


our_secret.zip
mail_info.zip
error-mail_info.zip
account_info.zip
account_info-text.zip

Note: The attachment will be a zip file containing a copy of the worm. The file name within the zip file will be Winzipped-Text_Data.txt[many spaces].pif or Winzipped-Text_Data.txt[many spaces].exe.

[FATB0Y]

  

[Willy Mammoth [OP]]

Don't mean to scare anyone, but it could be anybody. It could also be many here. These things tend to get around. Best thing you could do is get a good security program like Norton Internet Security and just don't open any email unless you know where it came from. Know your senders and how they address you and watch out for attachments that don't look rite.

[FATB0Y]

Mrs W. I'll ditch the Pic. If it Makes You happy.

[RUGER]

thanks mrs willy...that helped a buntch.

i dont think my roomies on here. hes got 90 mustang(basicly stock) and is on various engineering projects. the super mileage car, and a little on the baja. we really dont talk alot...we're getting better but we will only be living together fer another 3 weeks(dorms). its kinda sad hes opening up with such little time left.

happy trails
rich *ruger*  

[FATB0Y]

but seriously, I do appreciate the removal of the picture.

U R

[Lady Di]

U R

   

[Willy Mammoth [OP]]

  Do we need to start a bashing other members page? Get your own thread. Like Mike has said before http://board.marlincrawler.com/index.php?topic=10636.new#new

[Lady Di]

But we already shook hands and made up, but you are right. My bad. 

Anyway, back ON TOPIC:

One easy way to find out if you are infected is to check in your registry.

From your Start bar, click on RUN... and type in REGEDIT.

This will bring up your registry editor.

DO NOT MUCK WITH ANYTHING HERE UNLESS YOU KNOW WHAT YOU'RE DOING!

Just look for these files by navigating the folders to this:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

in the Run folder look for:

" WinStart" = "%Windir%\Connection Wizard\Status\services.exe"

and in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

look for:

"_WinStart" = "%Windir%\Connection Wizard\Status\services.exe"

these cause the virus to autorun when you start your computer.

[Rocksurfer]

I have AVG anti-virus, ad-aware and STINGER to keep the creepy crawlies out of my computer. My daughter used to have Norton and she continually had virus's sneekin' in some how.  I went to her house and installed AVG and it found something like 150 virus's, 70 Trojan horse's and something that AVG detected but could not remove, probably a worm. I had the same experience with Norton and is why I got AVG and AVG found about 70 or so virus's that Norton didn't.  As to the worm my STINGER  will deal with that silly little parasite.

[BLACKDOG]

I have recieved worms from someone on this forum a while ago, and you odnt have to be emailing buddies.  I had never emailed him when they started popping up.  I spoke to him on PM about it, and he had no idea it was happening.  I havent gotten anyfor a while, every once in a while I still get one.

[brainlessfool]

I had a couple of "e-mail eorres" on my e-mail yesterday.  I don't have Mr. willes e-mail ads. so I don't know what to think.   

[WHITE_TRASH]

Ive been getting a grip of crap junk mail lately.  All of it is 73k so its all the same crap.  I havent opened anything as of yet nor do I plan on it.  In the past few days Ive gotten 31 junk e-mails, usually I only get 2 or 3 tops per week.  So Id bet its the worm eh?

[Lady Di]

I have recieved worms from someone on this forum a while ago, and you odnt have to be emailing buddies. I had never emailed him when they started popping up. I spoke to him on PM about it, and he had no idea it was happening. I havent gotten anyfor a while, every once in a while I still get one.

who the email says the email is from is not necessarily where it came from.

Typically what they do is take any random name out of the sucker, erm, I mean victims address book and put that as the FROM name, so you don't know where it is coming from.

As far as having our addresses, if whoever opened the zip file (btw - good rule of thumb, never open an attachment unless you are sure of where it came from, especially a ZIP or EXE file, but worms can be imbedded in HTML emails too) in the first place had the address of someone else who then opened it, thereby sending it to everyone in their address book, and then went to someone that had our address, that could have all morphed and been included to look like it was coming from an entirely different source.

This isn't particularly harmful but will implant itself in your registry so it autoruns everytime you start you computer and mails itself out again. THe most that this one does it clog up the bandwidth and crash websites.

Most of the Antivirus sites, Symantec, McAfee, AVG, Panda, probably even Windows will have removal tools for this.

[UNBREAKABLE]

I wear a rubber when online

[Lady Di]

and for the geeks that crawl among us:

http://mvps.org/winhelp2002/hosts.htm

[FATB0Y]

 

who the email says the email is from is not necessarily where it came from.

Typically what they do is take any random name out of the sucker, erm, I mean victims address book and put that as the FROM name, so you don't know where it is coming from.

now I gotta go pee