
kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH


W32.Sober.O@mm/Sober.P

Currently a Category 3 threat per Symantec: »www.symantec.com/avcenter/venc/d···@mm.html

McAfee (W32/Sober.p@MM): »vil.nai.com/vil/content/v_133409.htm

F-Secure (RADAR Alert 2): »www.f-secure.com/v-descs/sober_p.shtml

said by Symantec Security Response:
Initial analysis indicates the worm may arrive as an email attachment named account_info-text.zip, mail_info.zip, or our_secret.zip. The zip file contains the worm executable as the file Winzipped-Text_Data.txt, with a double extension of .exe or .pif.
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.
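
A mail-gateway style check for the attachment layout the Symantec quote describes (a zip whose member carries a document-looking extension followed by `.exe` or `.pif`), as an added example that is not part of the original post or any vendor's code. The extension lists beyond `.exe`/`.pif`/`.txt`, the space padding in the sample name, and the function names are assumptions made for this sketch.

```python
import io
import zipfile

# Extensions Windows runs directly; .exe and .pif are the two named in the advisory.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}
# Harmless-looking extensions used as the decoy (assumed list for this example).
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".htm", ".html"}


def has_double_extension(member_name):
    """True if the name ends in <decoy ext><executable ext>, ignoring space padding."""
    base = member_name.replace("\\", "/").rsplit("/", 1)[-1]
    base = base.rstrip(". ")  # Windows drops trailing dots and spaces
    parts = [p.strip().lower() for p in base.split(".")]
    if len(parts) < 3:
        return False
    return "." + parts[-2] in DECOY_EXTS and "." + parts[-1] in EXECUTABLE_EXTS


def scan_zip_bytes(data):
    """Return flagged member names, or None if the archive cannot be parsed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Names come from the central directory, so nothing is extracted.
            return [n for n in zf.namelist() if has_double_extension(n)]
    except zipfile.BadZipFile:
        return None  # unparseable attachment: leave the decision to policy


def build_sample_zip(names):
    """Build an in-memory zip with placeholder content (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed placeholder, not malware")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: the padding width is an assumption, not from the advisory.
    padded = "Winzipped-Text_Data.txt" + " " * 40 + ".pif"
    sample = build_sample_zip([padded, "readme.txt", "report.v2.txt"])
    print(scan_zip_bytes(sample))
```
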


gdm
Premium,MVM
join:2001-06-15
Mchenry, IL

Trend shows this as "S" vs "O" »www.trendmicro.com/vinfo/virusen···_SOBER.S


Allnew
Premium,MVM
join:2003-02-01
Denmark- EU.

reply to kpatz
Code yellow from Trend.

YELLOW ALERT - WORM_SOBER.S - 02.05.2005 (Yellow Alert):

TrendLabs has received several reports regarding this new SOBER variant that is currently spreading in Germany and the United States.
This worm spreads by mass-mailing copies of itself to target recipients. Using social engineering techniques, it sends out an email supposedly sent by the soccer organization FIFA, informing recipients that they have won tickets for the upcoming FIFA World Cup 2006 in Germany.
Social engineering, a propagation technique that is widely utilized by most worm programs, invests largely on computer users' instinctive tendency to open email messages, execute attachments that are enticing and apparently harmless, and download and unknowingly open attractively named files.
TrendLabs is working to provide a more in depth analysis of this malware. Details will be posted shortly.
You may also check the following URL anytime to get T-Time information:
»www.trendmicro.com/vinfo/virusen···_SOBER.S
--
The two most common elements in the universe are Hydrogen and stupidity. Harlan Ellison (1934 - )


BillRoland
Premium
join:2001-01-21
Ocala, FL

reply to kpatz
Yep, GFI Mail Security's Trojan and Threat Detection engine got hammered briefly before there were updated def's for it from Norman and BitDefender. I love that module
--
"Don't steal. The government hates competition."


Chizep
Premium
join:2002-04-07
Concord, NC

reply to kpatz
Getting hit with it here at my job right now.

Have the following in place but it's not catching it:

Symantec Mail Security for Exchange v4.5.0.719 with 5/1/2005 Rev 3
Trend Micro OfficeScan Client v6.5, Engine: 7.510, Pattern File: 2.609.00

I need to investigate manually updating both pieces.

Fortunately none of the users have been stupid enough to open the zip and execute the contents.


gdm
Premium,MVM
join:2001-06-15
Mchenry, IL

Trend has screen shots of what the email is and states that Trend pattern 2.611.00 is needed, but I don't see it posted yet.

Solution for this »www.trendmicro.com/vinfo/virusen···VSect=Sn

Latest trend pattern »www.trendmicro.com/download/pattern.asp


Chizep
Premium
join:2002-04-07
Concord, NC
reply to kpatz
Ah yeah, so basically it's Sober.S?

I guess variants O, P, & S are more or less the same.

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

LiveUpdate has been issued, NAV & SAV should detect now.


Chizep
Premium
join:2002-04-07
Concord, NC
reply to kpatz
Sweet. Updated exchange. Patiently waiting on Trend Micro...


justin
Australian
join:1999-05-28
Brooklyn, NY

reply to kpatz
I was going to post about this hours ago. I woke up to about 10 emails from this virus, then updated f-prot early (normally the updates fire off "only" once a day), and it started to block the M variant, but I'm still getting "Your Password" and "Registrating Confirmation" attached zips..


RayMorris
Microsoft Certified Systems Crasher
Premium
join:2004-01-07
Philippines
reply to kpatz
Hmmm... Weird... Just checked our mail server log and we are also starting to get hit already.

Filtered out 7 copies of this baddie...


D8e

@algx.net
 reply to kpatz
Received in my email honeypot.

Keep 'em comin', boys!


Chizep
Premium
join:2002-04-07
Concord, NC

reply to kpatz
Trend Micro updated itself and all online clients.

Running a full scan right now on all online clients (roughly 50 boxes.)

Will have peace of mind when I don't get any e-mail notifications saying someone has been infected.


ritzy57
Mouth Of The South
Premium
join:2000-08-13
Fort Mill, SC

reply to kpatz
I received 28 E-mails with this virus attached. Mine all had the words, "Your Password," or "Registering Confirmation," or, "ok ok ok,,,,,here is it"
McAfee and AVG did a great job!
This is the first time I have ever been hit with an E-mail virus, and,... I just got three more!
(feel like I'm standing in front of a big plate glass window, up high in a building, watching a fierce thunder and lightning storm rage outside)
--
A day without sunshine is....depressing

Llama

join:2000-11-25
Findlay, OH
reply to kpatz
Gotten hit 14 times today with this one. Roadrunner has actually caught all of them so far. Avast is there as a backup. Deleting/Bouncing/Blacklisting them with Mailwasher as they roll in.


pcdebb
RIP dadkins
Premium
join:2000-12-03
Tampa, FL
reply to kpatz
All quiet here. Again, I miss out on all the fun.


DevilFrank

join:2003-07-13

reply to kpatz
I'm afraid this worm will be increasing in Germany today, because the message is very artful.
Many people in Germany hope they are to be the winner of an official ticket of the soccer World Cup 2006 that the FIFA will be drawing lots for.
And they will be clicking and clicking and clicking...
--
Regards from Germany. Please excuse my stumbling English


Chizep
Premium
join:2002-04-07
Concord, NC

said by DevilFrank:
I'm afraid this worm will be increasing in Germany today, because the message is very artful.
Many people in Germany hope they are to be the winner of an official ticket of the soccer World Cup 2006 that the FIFA will be drawing lots for.
And they will be clicking and clicking and clicking...

Yep, social engineering at its best...

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH


It amazes me that after 5 years of this people still fall for these things. Yes, it's been (nearly) 5 years since LoveLetter started this lovely trend.

So far I've missed out on this one. Unlike last year where I seemed to get hammered every time a new worm appeared.
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.


boognish
Premium
join:2001-09-26
Baton Rouge, LA
reply to kpatz
Wow this is a busy one. Came in this morning to work and have 1000 quarantines of it from the exchange server. We don't get that many quarantines of everything combined in a week.