C-Note-06-006: Sober.AG Activity Alert (11/22/2005)
This memory-resident worm propagates by attaching a copy of itself to an email message,
which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.
Since it's email propagation does not require any user intervention, the user is often unaware that
this worm is sending out email messages.
The email it sends out has the following details:
Subject: (any of the following)
hi,_ive_a_new_mail_address
Mail delivery failed
Registration Confirmation
Your Password
Your IP was logged
Paris_Hilton_Nicole Richie
You visit illegal websites
CIAC would like to thank US-CERT for this information.
Please visit US-CERT's web site for further information:
http://www.us-cert.gov/current/current_activity.html