W32.Sober.O@mm/Sober.P in Security

W32.Sober.O@mm/Sober.P in Security http://www.dslreports.com/forum/r13312109 en Fri, 27 Nov 2009 07:07:43 EDT Fri, 27 Nov 2009 07:07:43 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13380444 alien8 : This weekly virus graph from my isp shows the pattern nicely:
»portal.plus.net/support/features···ly.shtml

You can see sober.p suddenly stopping!

Cheers,

Steve
--
Tired of spam? Grab www.spampal.org]]> http://www.dslreports.com/forum/remark,13380444 Wed, 11 May 2005 02:19:47 EDT Shouw - Not only interesting but relevant! http://www.dslreports.com/forum/remark,13378576 EGeezer : Thanks shouw, the information is very much interesting .

This series looks much better planned and the execution reflects the effort of a profit making venture. Corporate patch management should be so effective at rolling out code. ]]> http://www.dslreports.com/forum/remark,13378576 Tue, 10 May 2005 21:33:09 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13377186 Schouw : No intention to spam here, but you might find this interesting.

It mentions - albeit briefly - why you aren't seeing any Sober mails at this moment.
--
Not speaking for Kaspersky Lab]]> http://www.dslreports.com/forum/remark,13377186 Tue, 10 May 2005 18:42:52 EDT Re: Cattleprod.WIN32.A http://www.dslreports.com/forum/remark,13376919 kpatz : According to F-Secure's statistics page for Sober.P, submissions have dropped off dramatically today compared to yesterday. Netsky.P and Lovgate.W are now ahead of Sober.P on their top 10. Does it have a hard coded drop dead date? There's no mention in any of the write-ups. Has anyone been hit today, or seen a drop off in hits?
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.]]> http://www.dslreports.com/forum/remark,13376919 Tue, 10 May 2005 18:07:08 EDT Cattleprod.WIN32.A http://www.dslreports.com/forum/remark,13374038 EGeezer : maybe the cattleprod worm could solve a lot of the problems;

CATTLEPROD.WIN32.A
Platforms: Win 95, Win 98, Win ME, Win NT, Win 2K, Win XP

Aliases; Dingzap.MM, emptybelfry.WIN32@.b, LIGHTMEUP.KB.MM, mousefun.WIN32.zap, slimtorture.A

Arrival Form: Email
Type: Win32, Worm, Trojan
Damage: None, provides user training and negative reinforcement

The arriving email will have the following characteristics:
Subject: The subject of this mail will be one of the following:

*IMPORTANT* Please Validate Your Email Account
*IMPORTANT* Your Account Has Been Locked
[random text string]
Email Account Suspension
Notice: **Last Warning**
Notice:***Your email account will be suspended***
Security measures
Your email account access is restricted
Your Email Account is Suspended For Security Reasons

Attached File: The attached file will have one of the following names:
[random text string]
document_full
email-doc
email-info
email-text
IMPORTANT
information
info-text
your_details

followed by one of the following extensions:
bat
cmd
exe
pif
scr
zip

Malicious Activity
--------------------------
When the worm is executed it does the following:

Causes keyboard and mouse to be energized with cattle prod voltage.

Screen saver activates with "What the hell were you THINKING when you opened that???

Volume control locked to maximum, loops on "Slim Whitman sings Queen's Greatest Hits"

]]> http://www.dslreports.com/forum/remark,13374038 Tue, 10 May 2005 12:05:16 EDT Re: Sober / Mytob writeup - Aladdin http://www.dslreports.com/forum/remark,13373606 kpatz : Many of these worms are similar enough in behavior that it's easy to get them mixed up. With the similarity in most of the emails, I'm surprised people still open them. ;) Well maybe I shouldn't be surprised...

I see a worm email, 99% of the time I *know* it's a worm, and usually which worm it is without even scanning the attachment. Especially if it's one I've seen before. I can recognize the latest Sober just by the subject line.

My inboxes have been quiet the past few days too. But then I've only seen a half dozen or so, not like some people who have been hammered with dozens or hundreds of copies.
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.]]> http://www.dslreports.com/forum/remark,13373606 Tue, 10 May 2005 11:00:23 EDT Re: Sober / Mytob writeup - Aladdin http://www.dslreports.com/forum/remark,13373377 EGeezer : I've seen them used interchangeably last few days. Gah, the mess this stuf makes.

Here's why I posted here instead of a new thread - DiskDrive

also noted the multi-nomenclature (new word :D )

»New Sober Variant???

Maybe I should put in a new topic?

EDIT - Noticed this morning, NO new SOBERS showed up at all - I had been as many as 20 a day, all scrubbed by RoadRunner. *waits for the next round* ]]> http://www.dslreports.com/forum/remark,13373377 Tue, 10 May 2005 10:26:07 EDT Re: Sober / Mytob writeup - Aladdin http://www.dslreports.com/forum/remark,13373220 kpatz : EGeezer, that is a writeup for a Mytob variant, not Sober. Different worm, different name, different email texts, same annoyances. ;)
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.]]> http://www.dslreports.com/forum/remark,13373220 Tue, 10 May 2005 10:02:27 EDT Sober / Mytob writeup - Aladdin http://www.dslreports.com/forum/remark,13373171 EGeezer : I wish they could make up their mind. Call it something, stick to it - From Aladdin Systems, who usually do good writeups when they do them ;

said by Aladdin newsletter:
====================================================
Aladdin Content Security Response Team - Virus Alert
====================================================

Win32.Mytob.eg
===========================

Virus/Vandal name: Win32.Mytob.eg
Threat Level: Medium
Alias: WORM_MYTOB.EG, Net-Worm.Win32.Mytob.au, W32/Mytob-AU
Platforms: Win 95, Win 98, Win ME, Win NT, Win 2K, Win XP
Updated on: May 10, 2005
Arrival Form: Email
Type: Win32, Worm, Trojan
Damage: Create files, Modify files, Send Email, Remote control, Lowers
security

Introduction
---------------------
Win32.Mytob.eg is a mass-mailing worm which opens a backdoor on infected
systems and terminates security-related processes.

The arriving email will have the following characteristics:

Subject: The subject of this mail will be one of the following:

*IMPORTANT* Please Validate Your Email Account
*IMPORTANT* Your Account Has Been Locked
[random text string]
Email Account Suspension
Notice: **Last Warning**
Notice:***Your email account will be suspended***
Security measures
Your email account access is restricted
Your Email Account is Suspended For Security Reasons

Body: The body of this mail will be one of the following:

[random text string]

Account Information Are Attached!

Once you have completed the form in the attached file , your account
records will not be interrupted and will continue as normal.

please look at attached document.

To safeguard your email account from possible termination, please see the
attached file.

To unblock your email account acces, please see the attachement.

We have suspended some of your email services, to resolve the problem you
should read the attached document.

Attached File: The attached file will have one of the following names:

[random text string]
document_full
email-doc
email-info
email-text
IMPORTANT
information
info-text
your_details

followed by one of the following extensions:

bat
cmd
exe
pif
scr
zip

Malicious Activity
--------------------------
When the worm is executed it does the following:

1. It drops a copy of itself, internet.exe, into the default Windows
System folder.

2. To run on every startup, the worm creates the following registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Internet Services = 'internet.exe'

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Internet Services = 'internet.exe'

3. When it runs on an up-to-date version of Windows XP, the worm will
disable the firewall by modifying the following registry entry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess
Start = '4'

4. The worm is also capable of connecting to an IRC server and listening
to incoming commands coming from a specific channel. This may allow a
hacker to take over the infected system.

5. The worm then terminates several security-related processes and also
blocks access to such websites to prevent security updates.

6. Finally, the worm will harvest email addresses from the infected system
and send itself to most contacts found. Some addresses may be avoided by
the worm.

eSafe Users
---------------------
eSafe users are protected against this vandal using the latest
vandal/virus update.

[rant]
Given the hokey email subject lines and attachment names and how often they're associated with malware, it's amazing people still bite on them - but they do, providing us with gainful employment, hobbyist activity and bemusement ;).
[/rant]

EG ]]> http://www.dslreports.com/forum/remark,13373171 Tue, 10 May 2005 09:53:55 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13360003 Doctor Four :

said by amysheehan

said by Chris 313

:

I'm ok. I didn't even touch the zip file.

I was just curious to know whether MSN actually had stripped the contents of that zip file since the text of the email said it was clean...

That's likely a fake message put there by the worm itself.
If you look at other copies of similar worms lately, they
are all doing something like this, claiming that the
attachment was scanned by antivirus software and found clean.
--
"Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors. To RIAA/MPAA - You can sue but you can't catch everyone!]]> http://www.dslreports.com/forum/remark,13360003 Sun, 08 May 2005 15:04:19 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13359983 Doctor Four : According to UK antivirus company Sophos, the Sober.P
worm now constitutes roughly 5% of all email traffic (as
of Friday Morning), and 77% of all virus activity they
are seeing:

»news.com.com/Sober+worm+makes+a+···nefd.top
--
"Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors. To RIAA/MPAA - You can sue but you can't catch everyone!]]> http://www.dslreports.com/forum/remark,13359983 Sun, 08 May 2005 15:01:09 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13350392 ravencajun : I am getting about 40-60 or so a day for the past few days all to my junk mail folder on my hotmail account. None on my gmail, none on my yahoo, no other email addys are getting hit. I just have to keep deleteing the junk mail from the folder several times a day to get rid of all of them. The size is a good tale tell sign for sure.

Apparently someone is opening the things for them to be so rampant.]]> http://www.dslreports.com/forum/remark,13350392 Sat, 07 May 2005 00:54:47 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13343307 Shriyash : actually kaptz, the file is 0.05MB not kb, and so the size will be around 53kb, so i think the worm wasnt stripped of its potency.]]> http://www.dslreports.com/forum/remark,13343307 Fri, 06 May 2005 07:44:41 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13343286 kpatz :

said by amysheehan

:

I was just curious to know whether MSN actually had stripped the contents of that zip file since the text of the email said it was clean...

The text stating the attachment is "clean" or "no virus found" is generated by the worm itself and is meaningless. It's just another one of its social engineering tactics, to get people to "trust" the attachment.

However, I did notice that your zip file was only .05K in size, meaning it was probably stripped before it even reached your hotmail/MSN account. Perhaps it passed through an outbound scanner before it reached you.

EDIT: It says .05M so it could still contain the worm which is roughly 73K in size encoded. Nice way of measuring attachment size there, Microsoft...
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.]]> http://www.dslreports.com/forum/remark,13343286 Fri, 06 May 2005 07:39:10 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13342871 Chris 313 :

said by amysheehan

said by Chris 313

:

I'm ok. I didn't even touch the zip file.

I don't know weather the file was actually clean as I dumped everything in my Junk folder after making the screenshot.

Being worried about others is where a good crash course in today's internet threats and protection and prevention comes in.

I personally got sick of seeing all the crap being mixed in with my legit mail and set up my protection to only receive from addresses i know, all else is sent to junk and i sort it out daily.]]> http://www.dslreports.com/forum/remark,13342871 Fri, 06 May 2005 03:47:36 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13342805 amysheehan :

said by Chris 313

:

I'm ok. I didn't even touch the zip file.

I was just curious to know whether MSN actually had stripped the contents of that zip file since the text of the email said it was clean...
Someone else I know had that kind of text in the email and the file had NOT been cleaned - they didn't open the zip but scanned it only to find it was not cleaned as MSN had 'suggested'...
More worried about others who are more worried about not deleting it as junk and opening the zip without a thought...:)]]> http://www.dslreports.com/forum/remark,13342805 Fri, 06 May 2005 03:16:03 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13342760 Chris 313 : I'm ok. I didn't even touch the zip file.]]> http://www.dslreports.com/forum/remark,13342760 Fri, 06 May 2005 02:56:51 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13342711 91439306 : I noticed that at the beginning of the week when this started here, I was finding that they had originated from the .nl domain extention. I guess it spread to Germany and then the US about the same time. Nasty, because unlike previous worms, Earthlink's Spaminator is not blocking the e-mails. It'd AV is stripping out the virus, at least here on my account. Volume is getting annoying though.
--
Take care,

Mark & Mary Ann Weiss

Hear my Kurzweil Creations at: »www.dv-clips.com/theater.htm
'»www.mwcomms.com/auctions.htm
'»www.mwcomms.com
'»www.adventuresinanimemusic.com
]]> http://www.dslreports.com/forum/remark,13342711 Fri, 06 May 2005 02:38:32 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13342613 amysheehan :

said by Chris 313

:

It looks like i got one.

Does this look it?

It was sent to my junkmail folder.

Let's hope that the Zip file was cleaned before it was downloaded...

My son got one earlier that included the zip attachment however we found it had been cleaned by RR before he ever downloaded the message...

:)]]> http://www.dslreports.com/forum/remark,13342613 Fri, 06 May 2005 02:05:41 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13342602 Chris 313 : It looks like i got one.

Does this look it?

It was sent to my junkmail folder.

]]> http://www.dslreports.com/forum/remark,13342602 Fri, 06 May 2005 02:02:49 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13340330 Greg_Z : Look at long headers kamootee. Posting the short headers will not disclose what server is actually sending this crap out to the outside world. Knology.net is where this crap is coming from.
--
One man's customer loyalty is another man's misguided arrogance.]]> http://www.dslreports.com/forum/remark,13340330 Thu, 05 May 2005 20:32:04 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13340311 Greg_Z :

said by macbloghaus

:

Thank god i have amac.
One reason why i switch is all the damn virus that you have to look out for..
I have a dell laptop and won't cut it on and connect due to virus.
So good luck guys and long live mac

Sorry to say, just because a person uses Linux or MacOS does not make them anymore then a "carrier". It is the reason that no matter what OS a person uses, they should still use strict rules in not opening any unknown sender emails.
--
One man's customer loyalty is another man's misguided arrogance.]]> http://www.dslreports.com/forum/remark,13340311 Thu, 05 May 2005 20:30:17 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13340157 Doctor Four : Four copies in my mom's Yahoo email, all of course went
right into her bulk mail folder.

That's the only place I've seen any of them.]]> http://www.dslreports.com/forum/remark,13340157 Thu, 05 May 2005 20:10:51 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13337207 kamootee : mail_info.zip, account_info-text.zip, error-mail_info.zip, and secu....

Admin@food4hungry.org

Itaccount_info-text.zip
Item ID 14543
Action Quarantined
User Name
User Email
Last Error Norman found Sober.O@mm
More Info Sober.O@mm found in account_info-text.zip\Winzipped-Text_Data.txt .exe
________________________________________________________________________________

postmaster@aol.com

5/5/2005 1:50:33 AM
Item Name: mail_info.zip
Item ID 14517
Action Quarantined
User Name
User Email
Last Error Norman found Sober.O@mm
More Info Sober.O@mm found in mail_info.zip\Winzipped-Text_Data.txt .pif
________________________________________________________________________________

5/5/2005 1:34:45 AM
Item Name: account_info-text.zip
Item ID 14516
Action Quarantined
User Name
User Email
Last Error Norman found Sober.O@mm
More Info Sober.O@mm found in account_info-text.zip\Winzipped-Text_Data.txt .pif
_______________________________________________________________________________

postmaster@dhs.ca.gov

5/5/2005 1:19:06 AM
Item Name mail_info.zip
Item ID 14515
Action Quarantined
User Name
User Email
Last Error Norman found Sober.O@mm
More Info Sober.O@mm found in mail_info.zip\Winzipped-Text_Data.txt .pif
_______________________________________________________________________________

register@dph.sbcounty.gov

5/4/2005 10:35:00 PM
Item Name account_info-text.zip
Item ID 14514
Action Quarantined
User Name
User Email
Last Error Norman found Sober.O@mm
More Info Sober.O@mm found in account_info-text.zip\Winzipped-Text_Data.txt .pif
________________________________________________________________________________

hostmaster@neucom.com

5/5/2005 9:29:05 AM
Item Name account_info-text.zip
Item ID 14542
Action Quarantined
User Email
Last Error Norman found Sober.O@mm
More Info Sober.O@mm found in account_info-text.zip\Winzipped-Text_Data.txt .exe
_______________________________________________________________________________

register@clickmarks.com

5/4/2005 8:34:03 PM
Item Name account_info-text.zip
Item ID 14513
Action Quarantined
User Name
User Email
Last Error Norman found Sober.O@mm
More Info Sober.O@mm found in account_info-text.zip\Winzipped-Text_Data.txt .pif

Admin@comcast.net

mail_info.zip
Item ID 14512
Action Quarantined
User Name
User Email
Last Error Norman found Sober.O@mm
More Info Sober.O@mm found in mail_info.zip\Winzipped-Text_Data.txt .pif

info@axiom-systems.com

5/5/2005 5:59:35 AM
Item Name account_info.zip
Item ID 14518
Action Quarantined
User Name
User Email
Last Error Norman found Sober.O@mm
More Info Sober.O@mm found in account_info.zip\Winzipped-Text_Data.txt .pif

Recipient To webmaster@mars.pl

account_info-text.zip
Item ID 14511
Action Quarantined
User Name
User Email
Last Error Norman found Sober.O@mm
More Info Sober.O@mm found in account_info-text.zip\Winzipped-Text_Data.txt .pif

service@imckesson.com

Item Name mail_info.zip
Item ID 14510
Action Quarantined
User Name
User Email
Last Error Norman found Sober.O@mm
More Info Sober.O@mm found in mail_info.zip\Winzipped-Text_Data.txt .exe

dtaitt@chcs.org

5/4/2005 5:09:26 PM
Item Name our_secret.zip
Item ID 14509
Action Quarantined
User Name
User Email
Last Error Norman found Sober.O@mm
More Info Sober.O@mm found in our_secret.zip\Winzipped-Text_Data.txt .exe

hostmaster@poweronemedia.com
5/4/2005 4:53:54 PM
Item Name error-mail_info.zip
Item ID 14497
Action Quarantined
User Name
User Email
Last Error Norman found Sober.O@mm
More Info Sober.O@mm found in error-mail_info.zip\Winzipped-Text_Data.txt .exe

register@mrmib.ca.gov
5/4/2005 4:35:37 PM
Item Name error-mail_info.zip
Item ID 14495
Action Quarantined
User Name
User Email
Last Error Norman found Sober.O@mm
More Info Sober.O@mm found in error-mail_info.zip\Winzipped-Text_Data.txt .exe
___________________________________________

webmaster@molinamedical.com

5/4/2005 4:17:54 PM
Item Name error-mail_info.zip
Item ID 14494
Action Quarantined
User Name
User Email
Last Error Norman found Sober.O@mm
More Info Sober.O@mm found in error-mail_info.zip\Winzipped-Text_Data.txt .exe ]]> http://www.dslreports.com/forum/remark,13337207 Thu, 05 May 2005 14:05:50 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13337042 macbloghaus : Thank god i have amac.
One reason why i switch is all the damn virus that you have to look out for..
I have a dell laptop and won't cut it on and connect due to virus.
So good luck guys and long live mac]]> http://www.dslreports.com/forum/remark,13337042 Thu, 05 May 2005 13:42:36 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13336078 kpatz :

said by skyroket

:

I'm getting a crapload of undeliverables. It seems obvious to me that there's nothing one can do about this. Is that an accurate assumption?

About the only thing you can do is see if the original sender's IP address is in any of the bounced messages, see if it looks familiar, or matches someone you've legitimately received emails from, and notify them that they are infected.

Or you could ascertain the IP, do a whois on it, notify their ISP's abuse department and hope they do something. Don't hold your breath though, you'll turn blue and pass out. :)
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.]]> http://www.dslreports.com/forum/remark,13336078 Thu, 05 May 2005 11:41:17 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13336060 skyroket : All fine and dandy, we're protected from this virus, and malicious email attachments both...but what if the virus is sending itself to other people using MY email address as the sender's address. I'm getting a crapload of undeliverables. It seems obvious to me that there's nothing one can do about this. Is that an accurate assumption?
--
These guys are cool; and by cool, I mean totally sweet.]]> http://www.dslreports.com/forum/remark,13336060 Thu, 05 May 2005 11:39:11 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13335723 norwegian : seeing as i got 17 in one hit, ill pass on the names

dixakagin(at)gundamfan(dot)com
admin(at)hotmail(dot)com
info(at)hotmail(dot)com
raym(at)eiw(dot)com.au
symondeb(at)eiw(dot)com.au
symondeb(at)eiw(dot)com.au
ifjpk(at)gay-personals(dot)com
3ddlyall(at)kalgold(dot)com.au
webmaster(at)mail.daily-horoscopes(dot)com
hostmaster(at)hotmail(dot)com
service(at)hotmail(dot)com
postmaster(at)boc(dot)com
postmaster(at)zoog02(dot)com
register(at)emerge(dot)net.au

these were all in there today
some are ones about virus scans all clear, acct details and passwords, you name it, it was there lets hope no one opens them up, or sans might go rainbow colors
]]> http://www.dslreports.com/forum/remark,13335723 Thu, 05 May 2005 10:52:03 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13335651 anon : Got five more in my email honeypot this morning.

New Subject titles are generated to try and fool the recipient. The dead give away is the file size that stays the same - they were all 73Kb. ]]> http://www.dslreports.com/forum/remark,13335651 Thu, 05 May 2005 10:41:10 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13335482 kpatz : Congratulations, pcdebb

;)

I've received a total of four so far, across 3 different email addresses. Nothing compared to some of last year's outbreaks but the most hits I've seen this year so far.

Two that came into my own domain, I was able to figure out the sender by matching the IP address in the headers to some legitimate emails that came from the same IP. So I sent them an email telling them that they were infected. It's not very often that I'm able to do that; usually when I get hit with a worm it comes from an IP that I have no record of otherwise.
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.]]> http://www.dslreports.com/forum/remark,13335482 Thu, 05 May 2005 10:19:04 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13335353 pcdebb : I got one! :p came from admin@yahoo.com. I was on my way out to work so I didnt bother with examining the headers.
--
babbling | mvm]]> http://www.dslreports.com/forum/remark,13335353 Thu, 05 May 2005 09:59:15 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13334715 kpatz : Gmail rejects any attachment with certain filename suffixes such as .exe, .zip, .scr, .pif, etc, regardless of if they're infected or not.

The gobbeldygook you see in the bounce is the original message with the attachment (encoded in base64 so it can be emailed), but without being interpreted as an attachment, so you see the code.

I actually figured out who was sending me the Sobers, it was a local non-profit org. I sent them an email to let them know they have an infection on their hands. :huh: Hopefully they'll act on it soon.
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.]]> http://www.dslreports.com/forum/remark,13334715 Thu, 05 May 2005 07:33:43 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13332489 Shriyash : i tired to send/forward 1 copy of this worm to my gmail acc.
just to see if it would.

i was surprised that it didnt. i got a "failure notice".

Hi. This is the qmail-send program at yahoo.com.
I'm afraid I wasn't able to deliver your message to the following addresses.This is a perm
 *anent error; I've given up. Sorry it didn't work out.
64.233.185.27 failed after I sent the message.
Remote host said: 552 5.7.0 Illegal Attachment
 
(*) WARNING 1 long line(s) split

as you can see, gmail it seems rejected this attachment calling it illegal.!

now , it also gave me the analysis of this atttachment, so what is all this? is that the worms code? {it goes on and on, i just got a small section of it}
is it encrypted?

]]> http://www.dslreports.com/forum/remark,13332489 Wed, 04 May 2005 21:57:47 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13331383 kpatz : Symantec has added a !enc detection (W32.Sober.O@mm!enc)in today's LiveUpdate. So now NAV will delete the entire email instead of just the attachment.
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.]]> http://www.dslreports.com/forum/remark,13331383 Wed, 04 May 2005 19:40:26 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13331040 Greg_Z : Sober.s goes through cookies, web history, contact list, to find places to send itself out. I have been looking at the header info on the ones that I have been getting, and they are coming out of a server at knology.net.

X-Originating-IP: [69.1.27.198]
Received: from rvvvxjm.us (user-69-1-27-198.knology.net [69.1.27.198])

I have sent a information email to people to let them know about this nasty and to not open up the attachment.
--
One man's customer loyalty is another man's misguided arrogance.]]> http://www.dslreports.com/forum/remark,13331040 Wed, 04 May 2005 18:57:57 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13330871 TheJoker : First time I've ever received an infected mass mailing (at home). I had the first one yesterday, and 3 today, all to a Yahoo account.
--
TheJoker]]> http://www.dslreports.com/forum/remark,13330871 Wed, 04 May 2005 18:37:37 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13330841 skj : Got 23 more of them today.]]> http://www.dslreports.com/forum/remark,13330841 Wed, 04 May 2005 18:34:52 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13329979 cjsmith : I have been receivin these e-mails for about a week now. Luckily AVG7F have been blocking them, easy to delete from the Virus Vault. :)
---------
Viruses found in the attached files.
The file mail_info.zip: Virus identified I-Worm/Sober.P. The attachment was moved to the virus vault.
---------
--
I'm on the outside looking inside
What do I see
Much confusion, disillusion
All around me.]]> http://www.dslreports.com/forum/remark,13329979 Wed, 04 May 2005 16:48:16 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13329590 thedip : Here's a graph from Brightmail.
While the total daily worms hasn't surpassed total daily spam,
certain hours of the day it has. Our system gets an average of
30k emails a day, it has gone up quite a bit since this worm
hit.

Percents

]]> http://www.dslreports.com/forum/remark,13329590 Wed, 04 May 2005 15:58:37 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13329485 justin : maybe my spam counting stats are off but the stats for @dslr.net look like this, all that red is Sober.

]]> http://www.dslreports.com/forum/remark,13329485 Wed, 04 May 2005 15:43:00 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13329441 thedip : Yesterday was the first time ever that the % of incoming email that was worms/virii exceeded % of spam, thanks to this worm!

% of sober emails:
5/1/05 1% (21 emails)
5/2/05 8% (2,247 emails)
5/3/05 32% (12,462 emails)
5/4/05 33% (10,935 emails so far)

Brightmail Antispam has blocked all of them :)]]> http://www.dslreports.com/forum/remark,13329441 Wed, 04 May 2005 15:37:37 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13329308 kemacee : We've been hammered with some 3700+ just in our catch-all alone... All the proper accounts have gotten at least 20-50 today, and I've been hearing from friends who have gotten quite a few as well.]]> http://www.dslreports.com/forum/remark,13329308 Wed, 04 May 2005 15:19:18 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13329080 kpatz : Sober variants tend to spread well in Europe, especially Germany, since it sends messages in German to German speaking domains. Plus this latest variant is clever in its social engineering in the German emails (the soccer tickets thing), moreso than the English emails, which are the typical "your email bounced, see the attachment for details" sort of thing.

I received a 2nd one.

quote:
Account and Password Information are attached!

Visit: http: //www.lacoe.edu

*** AntiVirus: No Virus found
*** "$MY_DOMAIN" Anti-Virus
*** http: //www.$MY_DOMAIN.com

Attachment: account_info.zip

Gotta love the ones that say "No Virus Found"... like I'm going to fall for that. :D
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.]]> http://www.dslreports.com/forum/remark,13329080 Wed, 04 May 2005 14:49:22 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13328994 Chizep : According to this article:

said by »news.com.com/Sober+worm+spreads+···bj=news:
Sober.P, first detected on Monday, now accounts for 77 percent of all viruses detected by Sophos's threat-monitoring stations worldwide, the British security company said on Tuesday. At the same time, Kaspersky Lab, a Russian maker of antivirus software designed to combat such threats, described the worm's spread in Western Europe as an "epidemic."

Wow. :mad:]]> http://www.dslreports.com/forum/remark,13328994 Wed, 04 May 2005 14:38:16 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13328911 Penguins : SpamAssassin seems to be hammering these pretty well, only 2 or 3 of these have actually wormed past it in the last week or so.
--
Pure magic in 2k of 6502.]]> http://www.dslreports.com/forum/remark,13328911 Wed, 04 May 2005 14:27:38 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13328883 justin : we got 800 in the last 3 days, 95% Sober, without any catch all account. It must be currently chewing up quite a bit of worldwide mail system bandwidth.]]> http://www.dslreports.com/forum/remark,13328883 Wed, 04 May 2005 14:24:46 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13328616 Phil BK : Getting hammered with this in our catchall account. It doesn't hurt anyone since it's only to scan for legit emails with the wrong address. However I am getting at least 200 of these every 5 min into that account. It seems the virus doesn't just take addresses and mail to them, it makes them up out of common addresses and sends them to the domain. So since this account grabs all the email with non existant accounts, it is getting hammered hard.
--
If at first you don't succeed...bug them till you get what you want.]]> http://www.dslreports.com/forum/remark,13328616 Wed, 04 May 2005 13:52:22 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13327329 boognish : There is 120-150 email boxes. I don't have the reports I get set up to see who is getting the viruses just who sends them.]]> http://www.dslreports.com/forum/remark,13327329 Wed, 04 May 2005 10:54:19 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13327152 kpatz : Boognish, just curious, how many addresses are on your Exchange server (ballpark)? Just wondering if this Sober tends to hit the same addresses over and over, or if it's hitting a wide swath of addresses.

My address had one email this morning, but a year ago my wife got nailed with 50+ emails of an earlier Sober variant, all from the same IP. So some Sobers, in at least some cases, can bang the same addresses over and over.
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.]]> http://www.dslreports.com/forum/remark,13327152 Wed, 04 May 2005 10:28:50 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13327149 BillRoland : Interesting how only a few weeks ago some were proclaiming an end to the mass spreading e-mail worm. The Norman engine on GFI MailSecurity has picked off just about 350 of these in the last 2 days. Looks like Sober.O is just proving that worms haven't become irrelevent...yet.
--
"Don't steal. The government hates competition."]]> http://www.dslreports.com/forum/remark,13327149 Wed, 04 May 2005 10:28:33 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13327127 anon : got a more than a couple of these nastys in my gmail inbox today, exact matches ! i think this worm is really spreading far and wide.]]> http://www.dslreports.com/forum/remark,13327127 Wed, 04 May 2005 10:23:28 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13326767 boognish : We are still getting hammered by this last night and this morning. Most of them look like one of these.

Registration Confirmation The attachment "account_info-text.zip" was marked for Deletion f
 *or the following reasons:
 Virus W32.Sober.O@mm was found in Winzipped-Text_Data.txt           .pif.
 
Subject of the message:  FwD: mailing error The attachment "mail_info.zip" was marked for 
 *Deletion for the following reasons:
 Virus W32.Sober.O@mm was found in Winzipped-Text_Data.txt           .pif.
 
Subject of the message:  mailing error The attachment "error-mail_info.zip" was marked for
 * Deletion for the following reasons:
 Virus W32.Sober.O@mm was found in Winzipped-Text_Data.txt           .pif.
 
The attachment "our_secret.zip" was marked for Deletion for the following reasons:
 Virus W32.Sober.O@mm was found in Winzipped-Text_Data.txt           .pif.
 

(*) WARNING 3 long line(s) split

]]> http://www.dslreports.com/forum/remark,13326767 Wed, 04 May 2005 09:13:36 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13326545 amysheehan : To reinstall Live Update see:

How to download and install the newest version of LiveUpdate [from Symantec support]
»service1.symantec.com/SUPPORT/sh···osv_lvl=

;)]]> http://www.dslreports.com/forum/remark,13326545 Wed, 04 May 2005 08:21:15 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13326498 kpatz : Tim dob, you should get the removal tool from here: »securityresponse.symantec.com/av···ool.html

You'll have to reinstall LiveUpdate afterward, since Sober.O deletes it.

Well, I had my first hit this morning. The subject on my sample is "Your email was blocked" and the attachment was named mail_info.zip.
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.]]> http://www.dslreports.com/forum/remark,13326498 Wed, 04 May 2005 08:08:44 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13326100 anon : Hi.
I need help the virus deled your Symantec
it deled your update Fil but how do i fix this must i Re-Istall or ..
who knows this help me plz !

]]> http://www.dslreports.com/forum/remark,13326100 Wed, 04 May 2005 04:52:18 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13326088 anon : [img/] »www.game-legion.com/W32.Sober.O@mm.JPG [img]]]> http://www.dslreports.com/forum/remark,13326088 Wed, 04 May 2005 04:45:32 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13325981 Shriyash : Spread of Sober E-Mail Worm Variant Slowing
As always, PC users urged to update their antivirus software.

»www.pcworld.com/news/article/0,a···2,00.asp]]> http://www.dslreports.com/forum/remark,13325981 Wed, 04 May 2005 03:48:59 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13325787 anon : Our campus has greater than 12,000 e-mail infecting of new Sober series, with no successful infect of computers.

NOD32 is stopping him since Monday, now by name, but as the unknown virus before update. ]]> http://www.dslreports.com/forum/remark,13325787 Wed, 04 May 2005 02:20:17 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13325781 QS : I feel so left out, I have honestly never been hit by an email worm before. And I mean never. Kinda wish i would at least get one, so my AV can stretch it's legs =P]]> http://www.dslreports.com/forum/remark,13325781 Wed, 04 May 2005 02:17:05 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13325291 compuwizz : Just to clear things up. We do have virus scanning on our e-mails. One of my professors said last year that they process about 2 million messages per day. I beleive it was when MyDoom or another virus hit campus, before the definitions were even created, there were 10 million e-mails in a 4 hour period. It literally brought the servers to a standstill and they were down for at least 3 days while they processed the backlog of mail. The campus really took a hit, so much that we do these days relies on e-mails whether it be pdf quizes or announcements.]]> http://www.dslreports.com/forum/remark,13325291 Wed, 04 May 2005 00:15:18 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13324862 Shriyash : just a couple of snaps for anyone curious ;)
:p

]]> http://www.dslreports.com/forum/remark,13324862 Tue, 03 May 2005 23:16:39 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13324744 Shriyash : over the last 2 days, i have recieved several copies of this virus in my Yahoo bulk mail folder.
they are typically 72kb to 73kb in size, they all have attachments , with names like "mail_info.zip" or "error_info.zip".

{gives me the jitters just looking at it!:hmm::huh:}:D

]]> http://www.dslreports.com/forum/remark,13324744 Tue, 03 May 2005 23:01:32 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13323999 kpatz :

said by compuwizz

:

notice the heading at the top, it hit a listserv

And why does the listserv not have (a) a virus scanner, (b) attachment blocking, or (c) a moderator to screen messages posted to the list? :p
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.]]> http://www.dslreports.com/forum/remark,13323999 Tue, 03 May 2005 21:22:42 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13323875 compuwizz : Looks like my school is having fun with it

»antivirus.vt.edu/

notice the heading at the top, it hit a listserv

Sending mail and webmail is flakey at best right now.]]> http://www.dslreports.com/forum/remark,13323875 Tue, 03 May 2005 21:09:27 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13323569 skj : I have gotten about 50 of them since yesterday.]]> http://www.dslreports.com/forum/remark,13323569 Tue, 03 May 2005 20:35:37 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13323483 bskuared : I'm getting over 100 a day of a variety of these. Zone Alarm or AVG Free Cleans them all but still a major pain in the mailbox ;)
--
2b or not 2b

--

none of this really matters :)

]]> http://www.dslreports.com/forum/remark,13323483 Tue, 03 May 2005 20:22:29 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13322994 Doctor Four :

said by Chizep

:

Getting hit with it here at my job right now.

Forutnately none of the users have been stupid enough open the zip and execute the contents.

I haven't seen any copies at work yet, though there was
an unspecified warning about a new email virus sent by IT
and for all users to delete attachments from unknown
senders. I was not sure which it was until I had read
about the latest Sober variants.

None of my other email accounts have gotten hit yet.
--
"Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors.
To RIAA/MPAA - You can sue but you can't catch everyone!]]> http://www.dslreports.com/forum/remark,13322994 Tue, 03 May 2005 19:25:27 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13320389 wadonoel : Mine came from register@cigna.com, sent through an Italian dynamic address. It's quite rare that I receive viruses on that account so it really must be wide spread.]]> http://www.dslreports.com/forum/remark,13320389 Tue, 03 May 2005 14:06:24 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13320014 anon : Latest Subject title.

- Mailing error

:)]]> http://www.dslreports.com/forum/remark,13320014 Tue, 03 May 2005 13:11:00 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13318760 timcuth : I got two, last night. Avast! caught them and I hit the recommended Delete button. I assume I am okay.

Tim]]> http://www.dslreports.com/forum/remark,13318760 Tue, 03 May 2005 10:20:20 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13318730 anon : Recieved 6 more under a variety of Subject titles overnight.

- Registration confirmation

- Your email was blocked

- FWD: Your password

- Your password

All are in the 73 - 74kb range.]]> http://www.dslreports.com/forum/remark,13318730 Tue, 03 May 2005 10:15:34 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13318417 boognish : Wow this is a busy one. Came in this morning to work and have 1000 quarantines of it from the exchange server. We don't get that many quarantines of everything combined in a week.]]> http://www.dslreports.com/forum/remark,13318417 Tue, 03 May 2005 09:24:23 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13318145 kpatz : It amazes me that after 5 years of this people still fall for these things. Yes, it's been (nearly) 5 years since LoveLetter started this lovely trend.

So far I've missed out on this one. Unlike last year where I seemed to get hammered every time a new worm appeared.
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.]]> http://www.dslreports.com/forum/remark,13318145 Tue, 03 May 2005 08:26:44 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13318137 Chizep :

said by DevilFrank

:

I�m afraid this worm will be increasing in Germany today, because the message is very artful.
Many people in Germany hope they are to be the winner of an official ticket of the soccer World Cup 2006 that the FIFA will be drawing lots for.
And they will be clicking and clicking and clicking...

Yep, social engineering at its best...]]> http://www.dslreports.com/forum/remark,13318137 Tue, 03 May 2005 08:24:45 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13317324 DevilFrank : I�m afraid this worm will be increasing in Germany today, because the message is very artful.
Many people in Germany hope they are to be the winner of an official ticket of the soccer World Cup 2006 that the FIFA will be drawing lots for.
And they will be clicking and clicking and clicking...
--
Regards from Germany. Please excuse my stumbling English]]> http://www.dslreports.com/forum/remark,13317324 Tue, 03 May 2005 02:21:53 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13315786 pcdebb : all quiet here, again, i miss out on all the fun :(]]> http://www.dslreports.com/forum/remark,13315786 Mon, 02 May 2005 22:19:57 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13315764 Llama : Gotten hit 14 times today with this one. Roadrunner has actually caught all of them so far. Avast is there as a backup. Deleting/Bouncing/Blacklisting them with Mailwasher as they roll in.]]> http://www.dslreports.com/forum/remark,13315764 Mon, 02 May 2005 22:18:03 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13315669 ritzy57 : I received 28 E-mails with this virus attached. Mine all had the words, "Your Password," or "Registering Confirmation," or, "ok ok ok,,,,,here is it"
McAffee and AVG, did a great job! :)
This is the first time I have ever been hit with an E-mail virus, and,... I just got three more!
(feel like I'm standing in front of a big plate glass window, up high in a building, watching a fierce thunder and lightening storm rage outside)
--
A day without sunshine is....depressing ]]> http://www.dslreports.com/forum/remark,13315669 Mon, 02 May 2005 22:06:01 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13314118 Chizep : Trend Micro updated itself and all online clients.

Running a full scan right now on all online clients (roughly 50 boxes.)

Will have piece of mind when I don't get any e-mail notifications saying someone has been infected. :)]]> http://www.dslreports.com/forum/remark,13314118 Mon, 02 May 2005 19:05:22 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13313672 anon : Received in my email honeypot.

Keep 'em comin', boys! :D]]> http://www.dslreports.com/forum/remark,13313672 Mon, 02 May 2005 18:15:52 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13313552 RayMorris : Hmmm... Weird... Just check our mail server log and we are also starting to get hit already.

Filtered out 7 copies of this baddie... :uhh:]]> http://www.dslreports.com/forum/remark,13313552 Mon, 02 May 2005 18:00:09 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13313068 justin : I was going to post about this hours ago. I woke up to about 10 emails from this virus, then updated f-prot early (normally the updates fire off "only" once a day), and it started to block the M variant, but I'm still getting "Your Password" and "Registrating Confirmation" attached zips.. ]]> http://www.dslreports.com/forum/remark,13313068 Mon, 02 May 2005 17:03:28 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13313032 Chizep : Sweet. Updated exchange. Patiently waiting on Trend Micro...]]> http://www.dslreports.com/forum/remark,13313032 Mon, 02 May 2005 17:00:22 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13312924 kpatz : LiveUpdate has been issued, NAV & SAV should detect now.

]]> http://www.dslreports.com/forum/remark,13312924 Mon, 02 May 2005 16:50:06 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13312899 Chizep : Ah yeah, so basically it's Sober.S?

I guess variants O, P, & S are more or less the same.]]> http://www.dslreports.com/forum/remark,13312899 Mon, 02 May 2005 16:47:30 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13312811 gdm : Trend has screen shots of what the email is and states for trend pattern 2.611.00 is needed but i don't see it posted yet.

Solution for this »www.trendmicro.com/vinfo/virusen···VSect=Sn

Latest trend pattern »www.trendmicro.com/download/pattern.asp]]> http://www.dslreports.com/forum/remark,13312811 Mon, 02 May 2005 16:38:20 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13312754 Chizep : Getting hit with it here at my job right now.

Have the following in place but its not catching it:

Symantec Mail Security for Exchange v4.5.0.719 with 5/1/2005 Rev 3
Trend Micro OfficeScan Client v6.5, Engine: 7.510, Pattern File: 2.609.00

I need to investigate manually updating both pieces.

Forutnately none of the users have been stupid enough open the zip and execute the contents.]]> http://www.dslreports.com/forum/remark,13312754 Mon, 02 May 2005 16:32:12 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13312265 BillRoland : Yep, GFI Mail Security's Trojan and Threat Detection engine got hammered briefly before there were updated def's for it from Norman and BitDefender. I love that module :)
--
"Don't steal. The government hates competition."]]> http://www.dslreports.com/forum/remark,13312265 Mon, 02 May 2005 15:31:07 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13312144 Allnew : Code yellow from Trend.

YELLOW ALERT - WORM_SOBER.S - 02.05.2005 (Yellow Alert):

TrendLabs has received several reports regarding this new SOBER variant that is currently spreading in Germany and the United States.
This worm spreads by mass-mailing copies of itself to target recipients. Using social engineering techniques, it sends out an email supposedly sent by the soccer organization FIFA, informing recipients that they have won tickets for the upcoming FIFA World Cup 2006 in Germany.
Social engineering, a propagation technique that is widely utilized by most worm programs, invests largely on computer users' instinctive tendency to open email messages, execute attachments that are enticing and apparently harmless, and download and unknowingly open attractively named files.
TrendLabs is working to provide a more in depth analysis of this malware. Details will be posted shortly.
You may also check the following URL anytime to get T-Time information:
»www.trendmicro.com/vinfo/virusen···_SOBER.S
--
The two most common elements in the universe are Hydrogen and stupidity. Harlan Ellison (1934 - )]]> http://www.dslreports.com/forum/remark,13312144 Mon, 02 May 2005 15:16:15 EDT Re: W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13312134 gdm : Trend shows this as "S" vs "O" »www.trendmicro.com/vinfo/virusen···_SOBER.S]]> http://www.dslreports.com/forum/remark,13312134 Mon, 02 May 2005 15:15:13 EDT W32.Sober.O@mm/Sober.P http://www.dslreports.com/forum/remark,13312109 kpatz : Currently a Category 3 threat per Symantec: »www.symantec.com/avcenter/venc/d···@mm.html

McAfee (W32/Sober.p@MM): »vil.nai.com/vil/content/v_133409.htm

F-Secure (RADAR Alert 2): »www.f-secure.com/v-descs/sober_p.shtml

said by Symantec Security Response:
Initial analysis indicates the worm may arrive as an email attachment named account_info-text.zip, mail_info.zip, or our_secret.zip. The zip file contains the worm executable as the file Winzipped-Text_Data.txt, with a double extension of .exe or .pif.

--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.]]> http://www.dslreports.com/forum/remark,13312109 Mon, 02 May 2005 15:10:41 EDT