Panda Software reports the appearance of the Sober.A worm - Virus Alerts, by Panda Software (http://www.pandasoftware.com) Madrid, October 27, 2003 - PandaLabs has detected a new worm called Sober.A (W32/Sober.A.worm), and has begun to receive reports of incidents. This new malicious code is designed to spread rapidly via e-mail. Sober.A reaches victims' computers in an e-mail with variable subjects, text and attachment names (in English or German). One possible combination is: Subject: A worm is on your computer! Message text: I permanently get Spam-Mails from you and inside is a virus!! You should remove these thing. Read the document, before another or my mailbox explode! Yours sincerely. Attachment: anti_virusdoc.pif A full list of options is available at Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=4 1441. If the attached file containing Sober.A is run, a false error message is displayed. At the same time, the worm sends itself to all the addresses it finds in a number of files on the computer, using its own SMTP engine. It stores all the addresses it finds in the file %sysdir%\MACROMED\HELP\MEDIA.DLL. One of the main dangers of Sober.A is that it leaves two resident copies of itself running continually. If a user terminates one of the processes, or deletes one of these copies, the other will start it up or create it again. Due to the incidents received and the possibility of an increase in the number of infections, Panda Software advises users to treat all e-mails received with caution, and to update their antivirus solutions if they haven't already done so. The company has already made the updates to its products available to users to ensure their solutions can detect and eliminate Sober.A. Those whose software is not configured to update automatically, should update their solutions from http://www.pandasoftware.com/. Users can also scan their computers using the free, online antivirus, Panda ActiveScan, which is available on the company's website at http://www.pandasoftware.com. Detailed information about Sober.A and other malicious code is available from Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/. NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL. --

Thanks, Dave! Network Associates (McAfee) caught it too: http://vil.nai.com/vil/content/v_100778.htm Solarian

your wellcome!

Today's roundup of virus alerts: W32/Sober-A - An e-mail virus that spreads using a variety of message subject lines and attachment names. The virus seems more like an annoyance than anything that causes permanent damage. (Sophos) Lohack.C - A virus that activates when the infected message is displayed in Outlook's preview pane. One attribute of the virus is that it moves the cursor around the screen of the infected machine. (Panda Software) Flop.A - This virus spreads via floppy disks and displays a message in Spanish on the infected machine. (Panda Software) Sexer.A - Another e-mail worm that spreads via a message filled with Cyrillic characters and with an attachment called "WIN2DRV.EXE". The virus sends itself out to everyone in the Outlook address book and changes the Windows background to one filled with Cyrillic characters. (Panda Software) Vix.A - This worm spreads via peer-to-peer files and infected PE files, rendering them useless. (Panda Software) W32/Agobot-AC - Another variant of the Agobot family of worms. This one drops a backdoor program that accepts commands via IRC on the infected machine. (Sophos) W32/Randex-Q - Like Agobot, this worm also drops a backdoor application that uses IRC to receive commands. Randex-Q spreads via poorly secured network shares. (Sophos) VBS/Flea-A - Great name for a virus. This one spreads via an HTML-based e-mail signature that contains JavaScript. It adds the infected signature to every e-mail sent by the infected machine. (Sophos) **********