VIRUS WARNING
Virus Name: W32.Sober.G@mm

Also known as:
Win32.Sober.G
I-Worm.Sober.g
Sober.G
W32/Sober.g@MM
WORM_SOBER.G

 

Overview:
  • W32.Sober.G@mm is a mass-mailing worm that uses its own SMTP engine to spread itself. The subject of the email varies, and it will be in either English or German. The email sender address is spoofed.

  • The name of the email attachment varies, and it will have a .bat, .com, .pif, .scr, or .zip file extension. It may also have a double extension.

  • W32.Sober.G@mm attempts to connect to a remote host on port 37/TCP, download an executable over HTTP, and execute it on the infected machine.

  • This threat is written in the Microsoft Visual Basic programming language and is compressed with UPX.


    Detailed Info: http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.g@mm.html

 

E-mail Sample:

The infected email may display the following in the message body:
 

+-+-+ Anti-Virus: No Virus
+-+-+ BCINTERNET- AntiVirus Service
+-+-+ http://www.bcinternet.net

 

Note: This particular virus makes it look as though the Mail Server Host has sent the message. Please be aware that the message is fake. Do not open any attachments included with the email message. More information on this virus can be found at Norton's Website.
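A mail-gateway style check for the traits described above, added here as an example and not taken from the advisory or from any vendor tool: it flags attachments with the listed extensions, double extensions, and the fake scan banner. The function names, the sample filename and the sample message are constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment extensions the advisory lists for W32.Sober.G@mm.
RISKY = r"(bat|com|pif|scr|zip)"
RISKY_RE = re.compile(r"\." + RISKY + r"$", re.I)
# Double extension: a short decoy extension directly before a listed one.
DOUBLE_RE = re.compile(r"\.[a-z0-9]{2,4}\." + RISKY + r"$", re.I)
# Fake scanner banner shown in the advisory's e-mail sample.
FAKE_BANNER = "+-+-+ Anti-Virus: No Virus"

def inspect_message(raw_bytes):
    """Return (reason, detail) findings for one raw e-mail message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            name = name.strip()
            if RISKY_RE.search(name):
                findings.append(("risky-extension", name))
            if DOUBLE_RE.search(name):
                findings.append(("double-extension", name))
        elif part.get_content_type() == "text/plain":
            # A "scanned clean" banner inside the body proves nothing.
            if FAKE_BANNER in part.get_content():
                findings.append(("fake-scan-banner", FAKE_BANNER))
    return findings

def build_sample(filename, body):
    """Build a constructed test message; the attachment is harmless text."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"      # constructed address
    msg["To"] = "user@example.com"          # constructed address
    msg["Subject"] = "constructed sample"
    msg.set_content(body)
    msg.add_attachment(b"constructed placeholder bytes",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return bytes(msg)

if __name__ == "__main__":
    sample = build_sample("document.txt.pif", FAKE_BANNER + "\n")
    for reason, detail in inspect_message(sample):
        print(reason, "->", detail)
```

Because .zip is also a common legitimate attachment type, a gateway would normally quarantine or rescan on that finding alone rather than reject outright.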

 

Removal Instructions:

http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.g@mm.html

Removal Tool:

http://securityresponse.symantec.com/avcenter/venc/data/w32.sober@mm.removal.tool.html