May 03, 2005

WORM_SOBER.S Virus

At my day job, part of my duties is sysadmin work. That includes managing our mailserver and the flow of mail in and out. We run TrendMicro's ScanMail (and love it), and it checks every hour for new updates. When it scans mail that has a virus, it sends me a report of it; it also flags when we have blocked more than X virus messages over some short time period, and calls that an Outbreak.

Well, today I noticed a huge number of viruses getting stopped and multiple times it alerted me to an Outbreak.

The virus that we are seeing an Outbreak of is the WORM_SOBER.S virus. On TrendMicro's main page they are listing it as their top threat (I think top in terms of most hits, not most dangerous, since it is listed as a "medium" severity virus). Its listed aliases are "W32.Sober.O@mm", "W32/Sober.p@MM", "W32/Sober-N", "Sober.P", and "Email-Worm.Win32.Sober" - which name it gets pretty much just depends on which virus scanner catches it.

I'm seeing this one on some of my home accounts too - it will add in a note that it has been scanned by whatever your domain is, which is designed to make you think it is safe to open the attachment. Then when you do, it grabs your addresses and propagates itself that way.

As is very common these days, only Windows machines are susceptible to this at this time. Also note that it doesn't appear to do any damage to your machine, aside from angering the people who get it from you, and taking up bandwidth.

Normally I don't mention these sorts of things, but in this case the volume I am seeing right now is much larger than most outbreak conditions I have seen here in the past.

Posted by Eric at May 3, 2005 04:03 PM

Comments

I keep getting blocked emails returned to me from people that are not even in my address book that contain this virus. How can that be?

Posted by: di at May 4, 2005 10:42 PM

Me too, same case.

Posted by: taotao at May 4, 2005 11:15 PM

Well, there is chance that you actually have the virus.

Or, more likely, someone that does have you in their address book (or inbox messages or anywhere it finds addresses) has the virus and it is sending it out as people from that list (including you, apparently).

Then when it doesn't get delivered to its final destination, the mailserver on that end sees that "you" sent it (you didn't, but the flaw in SMTP allows "faked" headers so that it looks like you sent it), and therefore it bounces it back to you and tells you why it doesn't like it.

As an example:
UserA has nobody at all in their address book and no mail at all in their email client - a new setup - but they have told all of their friends the new address.

UserB is a friend and knows the address, so puts UserA's address into their address book. UserB gets infected with the virus, which then goes through the address book and sees a list of addresses - two of which are UserA, and UserC. UserB knows UserA and UserC, but UserA and UserC do not know each other. The virus sends a message to UserC, from UserA, but it originates out of UserB's infected machine.

But UserC has a good antivirus installed and it blocks the email, sees that it is from UserA, and so it bounces it back to UserA - who didn't really send it in the first place and has no clue at all who UserC is.

Posted by: Eric at May 5, 2005 12:13 AM

This is a really weird virus. I opened up my hotmail the other day and there were 83 junk mail messages, and just about all of them contained WORM_SOBER.S. The funny thing was where they were coming from. They were from places like caringbah@batteryworld.com.au, which is like some battery shop in Australia. And another one @asx.com.au, which is the Australian stock exchange. I haven't even opened the virus (hotmail won't let me).

Posted by: -marzzbar- at May 5, 2005 06:22 AM

In the last couple of days I've had over 25 of these emails. All of them have been sent to my junk box. Some of them have been from hostmaster@yahoo.co service&aol.com The subject heading is "mailing error" or "your email was blocked". Like the above, Hotmail aren't letting me open them.

Posted by: Hilary at May 5, 2005 08:53 AM

Yes, from what I can tell at least in America and Europe, this is by far the most prevalent malware going around right now. Which clearly shows that it "works" to some degree - it is fooling people to open and run the virus, which then infects them and causes these issues.

Also note that with faster computers being more prevalent in homes now, and more importantly faster network connections at home, this sort of thing is actually made worse because there are fewer hardware limits on the spread of the virus now.

Just be glad you aren't running a network mailserver. I work at a small company and we are still seeing about 1000 of these a day.

Posted by: Eric at May 5, 2005 08:59 AM

I have also noticed a lot of emails being sent to my organization.

I am running Trend Micro's SBM suite. Has anyone here created E-filter rules for this virus? I have created a few keywords (from Trend Micro's detail of the virus) but I am still getting a lot of emails to a select few mail boxes.

Posted by: Kam at May 5, 2005 01:07 PM

This one is crazy - spouse started getting it on Monday and now has 39 in his junk hotmail, all size 73K, so someone he knows is sending it and doesn't know it, but it's hard to know who - he doesn't get 39 junk hotmail in a month normally - I might have had only one in a junk hotmail, just judging from the size - I scanned his puter (and mine too) Tuesday with Trend's free scan and his came up clean, so at least that is a plus.

Posted by: jules at May 5, 2005 01:09 PM

Same here.
For a couple of days I have found a lot (+/- 30) of emails containing the WORM_SOBER.S Virus.
All the emails are of one size, 73 KB.
The sender is register@giganews.com, hostmaster@giganews, ..@giganews.com with subject: Your password.
Can anybody help me to stop these emails?

Posted by: Columbus at May 5, 2005 02:35 PM

I get about 35 each day but they all go straight to my Junk Email in Hotmail. I can't open the attachment anyway because Hotmail blocks them. I have noticed Hotmail is a very safe place now...

Posted by: Jamesbarwyparry at May 5, 2005 02:47 PM

Columbus - what email program are you using? We need to know that in order to know what (if any) filtering abilities it has. Then you have to filter out the emails based on some common characteristic they share - in the above examples it looks like emails coming from giganews could be filtered out if you don't normally ever get email from them.

Posted by: Eric at May 6, 2005 09:05 AM

I know what you mean! It seems like my computer must be busy all night, mailing people that I don't even know! When I wake up and check my mail, I have a bunch of returned messages that I never even sent! I have been trying like CRAZY to get rid of this problem. I've pretty much given up. I don't know what else to do! Any suggestions?

Posted by: Pam at May 6, 2005 10:10 AM

Pam, you may or may not be infected (definitely try to run a scan on your system - even the free scan at TrendMicro's HouseCall).

The issue could very well be that people who have your email address in their inbox, saved folders, or address book were infected with it, and the virus is sending out from their machine. It is sending out as various addresses and occasionally it comes up with yours - it might be multiple infected people doing it.

Even though you aren't necessarily sending them out, it gets bounced back to you by servers.

There isn't much you can do other than make sure you aren't actually infected, and then perhaps setup a filter based on the messages you are seeing coming in and either filter them to another folder, or directly to the trash.

If you are actually infected, follow the removal instructions on any anti-virus site - here is TrendMicro's data about the virus. They have a tab link on there which details how to remove it.
But do note that it is entirely feasible that you don't have it and at least one person you know does.

If you do have it, it is wise to fix it immediately - otherwise you are going to anger a lot of people as your machine continually sends out the messages.

Posted by: Eric at May 6, 2005 11:54 AM

I have the WORM_SOBER.S Virus in my mail box
http://www.bramv.nl/pic/hotmail.JPG
and
http://www.bramv.nl/pic/hotmail1.JPG

Posted by: Bram at May 7, 2005 07:23 PM

Hey, if this is any help..
I turned on full header information, and then used nslookup to trace some of the DNS names.. they all come to:
***-***-***-***.jetstream.xtra.co.nz
If anyone else knows how to do this, please try it and see if you get the same result. It's quite strange, I agree.

Posted by: CF at May 8, 2005 05:26 AM

Symantec has a removal tool for the Sober virus. I get about 80 emails a day, containing subjects such as: Your password, Registration Confirmation, Mail Error etc.
http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.removal.tool.html

Posted by: Rebecca at May 8, 2005 03:28 PM

Well, I have a Mac and it's on my machine too. I use MicroSoft Entourage that gets my emails from my Hotmail account. So far I haven't been able to find anything that can get rid of it from my machine. I use Virus Barrier X and it hasn't been able to find it or eradicate it but I know it's there because I get multiple emails saying various things like:

"Your password", "Your email was blocked" etc etc etc...

I know I haven't emailed any of these people/businesses etc. Will go through these posts and see if there is a link that deals with Mac stuff.

Posted by: LowmanX at May 9, 2005 05:17 AM

LowmanX - just because you are getting the emails does not mean that you have the virus. This is not a Macro virus, it is an executable, meaning that if you are on a Mac you should be safe (I haven't checked, but it might be feasible that it could run under Virtual PC on your Mac - but that would require more than just getting it in an email - you would have to get it into your Virtual PC environment).

As for stopping the emails from coming in - it is exactly as if you wanted to stop the email coming from anyone else - there is someone sending you something and you essentially can't stop it. You *can* filter it out though - so look for commonalities in the emails and filter based on that.

If you are getting many of them, then someone who had your email address in their system (inbox, address book, etc) does have it - so it is worthwhile notifying all of your friends/relatives/business associates who would have that address and letting them know to look out for it and what to do to remove it (see the comment in this thread about the removal tool).

Posted by: Eric at May 9, 2005 08:47 AM

Hi,

I have about 50 such attachments in my junk email. I'm IT so I'm smart enough not to open them, do you want a sample to see what it is?

PLMK

Jkutkowski@gmail.com

Thanks,

J.

Dell Service Tech

Posted by: J. Kutkowski at May 9, 2005 04:14 PM

How do I stop these from coming to my hotmail and yahoo account? Any way to block them? I have the junk mail being deleted automatically but I hate to do that - then if someone isn't in your address book, you don't get their emails!

Posted by: Libbe at May 10, 2005 09:40 AM

You can't prevent them from coming to you - unless you can figure out whoever it is sending them to you and contact them and get them to remove the virus from their machine.

One tip is that whatever the "From" address is on the email, it is unlikely that it is that person who is sending it to you.

If you can get all of the headers and find the network it is coming from, it might help you narrow it down to someone you know and then you can alert them.

Since you can't stop them from coming to you, your only other option is to filter them out. Since the emails might be coming from an address which you would otherwise want to keep, you shouldn't filter out based on the email address.

So you need to find a filter criteria which all of the messages have that you can then match on and filter that out.

Posted by: Eric at May 10, 2005 10:51 AM
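Pulling Eric's advice in this thread together (read the full headers to find the network the message actually entered from, then filter on what the messages share rather than the forged "From" address), here is an added Python example; it is not code from the original post or its commenters. The sample message, the subject list and the attachment extension list are constructed assumptions.

```python
import re
from email import message_from_bytes, policy

# Constructed sample bounce-style message like those in this thread; hosts and addresses are placeholders.
SAMPLE = b"""Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP; Thu, 5 May 2005 08:50:01 -0500
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby mx.example.net with SMTP; Thu, 5 May 2005 08:49:58 -0500
From: hostmaster@example.com
Subject: Your password
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: application/octet-stream; name="info.zip"
Content-Disposition: attachment; filename="info.zip"

--b--
"""
# Subject lines reported by commenters in this thread.
SUBJECT_PATTERNS = [r"^your password$", r"^mailing error$", r"^mail error$",
                    r"^your email was blocked$", r"^registration confirmation$"]
# Attachment types that run as a program on Windows (assumed block list).
RISKY_EXT = (".exe", ".scr", ".pif", ".bat", ".com", ".zip")
RECEIVED_FROM = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)

def originating_hop(msg):
    # Each relay prepends its own Received line, so the last one is the entry point.
    received = msg.get_all("Received", [])
    m = RECEIVED_FROM.search(received[-1]) if received else None
    return (m.group(1), m.group(2)) if m else None

def from_domain(msg):
    addr = str(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].strip("<> ").lower() if "@" in addr else ""

def triage(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if any(re.match(p, subject) for p in SUBJECT_PATTERNS):
        reasons.append("subject matches a worm subject line")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            reasons.append(f"risky attachment {name}")
    hop, dom = originating_hop(msg), from_domain(msg)
    # The From header is forged, so key the filter on the true first hop, not the sender.
    if hop and dom and not hop[0].lower().endswith(dom):
        reasons.append(f"entered from {hop[0]} ({hop[1]}), not from {dom}")
    return reasons
```

The first-hop name or IP is what you would feed to nslookup, as CF did above, to find which network (and so which acquaintance) is actually infected.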

