The new Sober A is very aggressive and disguises itself quite well. Within 3 hours I have now received it
about 12 times, including some "sender" addresses from the circle of forum users.
Watch what you let in!
Here is a definition from Sophos; it includes a list of the disguise names and removal instructions.
Maybe it will help one or another of you!
Regards
obelix
Here is the definition:
W32/Sober-A
Aliases
I-Worm.Sober, Win32/Sober.A, W32.Sober@mm
Type
Win32 worm
Detection
A virus identity file (IDE) file which provides protection is available now from the
Latest virus identities section, and will be incorporated into the December 2003
(3.76) release of Sophos Anti-Virus.
Sophos has received several reports of this worm from the wild.
Description
W32/Sober-A is an email worm with the following characteristics:
Subject line chosen from:
New internet virus!
You send spam mails (Worm?)
A worm is on your computer!
Now, its enough
You have sent me a virus!
Hi darling, what are you doing now?
Be careful! New mail worm
Re: Contact
RE: Sex
Sorry, Ive become your mail
Hey man, long not see you
Re:
Viurs blocked every PC (Take care!)
Surprise
Ive become your mail!
Advise who I am!
New Sobig-Worm variation (please read)
Back At The Funny Farm
I love you (Im not a virus!)
Neuer Virus im Umlauf!
Sie versenden Spam Mails (Virus?)
Ein Wurm ist auf Ihrem Computer!
Langsam reicht es mir
Sie haben mir einen Wurm geschickt!
Hi Schnuckel was machst du so ?
VORSICHT!!! Neuer Mail Wurm
Re: Kontakt
RE: Sex
Sorry, Ich habe Ihre Mail bekommen
Hi Olle, lange niks mehr geh
Re:
Viurs blockiert jeden PC (Vorsicht!)
Überraschung
Ich habe Ihre E-Mail bekommen !
Jetzt rate mal, wer ich bin !?
Neue Sobig Variante (Lesen!!)
Back At The Funny Farm
Ich Liebe Dich
Attached file chosen from:
anti-Sob.bat
Anti-Sob.bat
anti-trojan.exe
anti_virusdoc.pif
AntiTrojan.exe
AntiVirusDoc.pif
Bild.scr
check-patch.bat
Check-Patch.bat
CM-recover.com
CM-Recover.com
funny.scr
Funny.scr
Hengst.pif
Liebe.com
little-scr.scr
love.com
Mausi.scr
nacked.com
NackiDei.com
Odin_Worm.exe
perversion.scr
Perversionen.scr
pic.scr
playme.exe
potency.pif
Privat.exe
private.exe
removal-tool.exe
Removal-Tool.exe
robot_mail.scr
robot_mailer.pif
RobotMailer.com
schnitzel.exe
screen_doc.scr
Screen_Doku.scr
security.pif
W32/Sober-A copies itself to the Windows system folder choosing from the
following names:
similare.exe
systemchk.exe
systemini.exe
and adds the filename to the following registry entry so that the worm runs when
you logon to your computer:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
W32/Sober-A creates the following file underneath the Windows system folder:
Macromed\Help\Media.dll
This file contains email addresses collected from the system. It is not malicious
and can be deleted.
Recovery
Please follow the instructions for removing worms.
Delete the file Macromed\Help\Media.dll if it exists.
Windows NT/2000/XP
In Windows NT/2000/XP you will also need to edit the following registry entry. The
removal of this entry is optional in Windows 95/98/Me. Please read the warning
about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry
editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu,
click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your
registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and remove any reference to any file you deleted.
Close the registry editor.
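
Added example, not part of the original post or of the Sophos description: a read-only PowerShell check for the traces named above (the three copy names in the Windows system folder, Macromed\Help\Media.dll, and Run-key values that reference those names). It assumes it is run with rights to read HKLM on the machine being checked; the variable names are chosen for this example.

```powershell
# Read-only check for the W32/Sober-A traces listed in the Sophos description.
# Nothing is deleted or changed; review the output before removing anything.
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$wormNames = 'similare.exe', 'systemchk.exe', 'systemini.exe'
$sysDir    = [Environment]::GetFolderPath('System')   # the Windows system folder
$findings  = @()

# 1. Copies of the worm under one of its three names in the system folder.
foreach ($name in $wormNames) {
    $path = Join-Path $sysDir $name
    if (Test-Path -Path $path) {
        $findings += New-Object PSObject -Property @{
            Type = 'File'; Location = $path; Detail = 'worm copy name' }
    }
}

# 2. The file holding the e-mail addresses collected from the system.
$media = Join-Path $sysDir 'Macromed\Help\Media.dll'
if (Test-Path -Path $media) {
    $findings += New-Object PSObject -Property @{
        Type = 'File'; Location = $media; Detail = 'collected addresses' }
}

# 3. Run-key values whose data references one of the copy names.
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$run  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($meta -contains $prop.Name) { continue }   # provider metadata, not a value
        foreach ($name in $wormNames) {
            if ("$($prop.Value)" -like "*$name*") {    # -like is case-insensitive
                $findings += New-Object PSObject -Property @{
                    Type = 'RunValue'; Location = "$runKey\$($prop.Name)"
                    Detail = "$($prop.Value)" }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No W32/Sober-A traces from the Sophos description found.'
} else {
    $findings | Select-Object Type, Location, Detail | Format-Table -AutoSize
}
```

A hit under RunValue corresponds to the registry reference the recovery steps tell you to remove after deleting the file.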