alien8 join:2004-03-03 UK | reply to kpatz Re: W32.Sober.O@mm/Sober.P
This weekly virus graph from my ISP shows the pattern nicely: »portal.plus.net/support/features···ly.shtml
You can see Sober.P suddenly stopping!
Cheers,
Steve
-- Tired of spam? Grab www.spampal.org
EGeezer Go Bobcats Premium join:2002-08-04 Country! | reply to Schouw Schouw - Not only interesting but relevant!
Thanks Schouw, the information is very interesting.
This series looks much better planned and the execution reflects the effort of a profit-making venture. Corporate patch management should be so effective at rolling out code.
Schouw Premium join:2003-05-29 Netherlands | reply to kpatz Re: W32.Sober.O@mm/Sober.P
No intention to spam here, but you might find this interesting.
It mentions - albeit briefly - why you aren't seeing any Sober mails at this moment.
-- Not speaking for Kaspersky Lab
kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH | 1 edit | reply to EGeezer Re: Cattleprod.WIN32.A
According to F-Secure's statistics page for Sober.P, submissions have dropped off dramatically today compared to yesterday. Netsky.P and Lovgate.W are now ahead of Sober.P on their top 10. Does it have a hard-coded drop-dead date? There's no mention in any of the write-ups. Has anyone been hit today, or seen a drop-off in hits?
-- SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.
EGeezer Go Bobcats Premium join:2002-08-04 Country! | reply to kpatz maybe the cattleprod worm could solve a lot of the problems;
CATTLEPROD.WIN32.A
Platforms: Win 95, Win 98, Win ME, Win NT, Win 2K, Win XP
Aliases: Dingzap.MM, emptybelfry.WIN32@.b, LIGHTMEUP.KB.MM, mousefun.WIN32.zap, slimtorture.A
Arrival Form: Email
Type: Win32, Worm, Trojan
Damage: None, provides user training and negative reinforcement
The arriving email will have the following characteristics:
Subject: The subject of this mail will be one of the following:
*IMPORTANT* Please Validate Your Email Account
*IMPORTANT* Your Account Has Been Locked
[random text string]
Email Account Suspension
Notice: **Last Warning**
Notice:***Your email account will be suspended***
Security measures
Your email account access is restricted
Your Email Account is Suspended For Security Reasons
Attached File: The attached file will have one of the following names:
[random text string] document_full email-doc email-info email-text IMPORTANT information info-text your_details
followed by one of the following extensions:
bat cmd exe pif scr zip
Malicious Activity
--------------------------
When the worm is executed it does the following:
Causes keyboard and mouse to be energized with cattle prod voltage.
Screen saver activates with "What the hell were you THINKING when you opened that???"
Volume control locked to maximum, loops on "Slim Whitman sings Queen's Greatest Hits"
kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH | 1 edit | reply to EGeezer Re: Sober / Mytob writeup - Aladdin
Many of these worms are similar enough in behavior that it's easy to get them mixed up. With the similarity in most of the emails, I'm surprised people still open them. Well, maybe I shouldn't be surprised...
When I see a worm email, 99% of the time I *know* it's a worm, and usually which worm it is, without even scanning the attachment. Especially if it's one I've seen before. I can recognize the latest Sober just by the subject line.
My inboxes have been quiet the past few days too. But then I've only seen a half dozen or so, not like some people who have been hammered with dozens or hundreds of copies.
-- SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.
EGeezer Go Bobcats Premium join:2002-08-04 Country! | 1 edit | reply to kpatz I've seen them used interchangeably the last few days. Gah, the mess this stuff makes.
Here's why I posted here instead of a new thread - DiskDrive also noted the multi-nomenclature (new word):
»New Sober Variant???
Maybe I should put in a new topic?
EDIT - Noticed this morning, NO new SOBERS showed up at all - I had been getting as many as 20 a day, all scrubbed by RoadRunner. *waits for the next round*
kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH | reply to EGeezer EGeezer, that is a writeup for a Mytob variant, not Sober. Different worm, different name, different email texts, same annoyances.
-- SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.
EGeezer Go Bobcats Premium join:2002-08-04 Country! | reply to kpatz I wish they could make up their mind. Call it something, stick to it - From Aladdin Systems, who usually do good writeups when they do them;
said by Aladdin newsletter:
====================================================
Aladdin Content Security Response Team - Virus Alert
====================================================
Win32.Mytob.eg
===========================
Virus/Vandal name: Win32.Mytob.eg
Threat Level: Medium
Alias: WORM_MYTOB.EG, Net-Worm.Win32.Mytob.au, W32/Mytob-AU
Platforms: Win 95, Win 98, Win ME, Win NT, Win 2K, Win XP
Updated on: May 10, 2005
Arrival Form: Email
Type: Win32, Worm, Trojan
Damage: Create files, Modify files, Send Email, Remote control, Lowers security
Introduction
---------------------
Win32.Mytob.eg is a mass-mailing worm which opens a backdoor on infected systems and terminates security-related processes.
The arriving email will have the following characteristics:
Subject: The subject of this mail will be one of the following:
*IMPORTANT* Please Validate Your Email Account
*IMPORTANT* Your Account Has Been Locked
[random text string]
Email Account Suspension
Notice: **Last Warning**
Notice:***Your email account will be suspended***
Security measures
Your email account access is restricted
Your Email Account is Suspended For Security Reasons
Body: The body of this mail will be one of the following:
[random text string]
Account Information Are Attached!
Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
please look at attached document.
To safeguard your email account from possible termination, please see the attached file.
To unblock your email account acces, please see the attachement.
We have suspended some of your email services, to resolve the problem you should read the attached document.
Attached File: The attached file will have one of the following names:
[random text string]
document_full
email-doc
email-info
email-text
IMPORTANT
information
info-text
your_details
followed by one of the following extensions:
bat cmd exe pif scr zip
Malicious Activity
--------------------------
When the worm is executed it does the following:
1. It drops a copy of itself, internet.exe, into the default Windows System folder.
2. To run on every startup, the worm creates the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Internet Services = 'internet.exe'
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Internet Services = 'internet.exe'
3. When it runs on an up-to-date version of Windows XP, the worm will disable the firewall by modifying the following registry entry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess
    Start = '4'
4. The worm is also capable of connecting to an IRC server and listening to incoming commands coming from a specific channel. This may allow a hacker to take over the infected system.
5. The worm then terminates several security-related processes and also blocks access to such websites to prevent security updates.
6. Finally, the worm will harvest email addresses from the infected system and send itself to most contacts found. Some addresses may be avoided by the worm.
eSafe Users
---------------------
eSafe users are protected against this vandal using the latest vandal/virus update.
[rant] Given the hokey email subject lines and attachment names and how often they're associated with malware, it's amazing people still bite on them - but they do, providing us with gainful employment, hobbyist activity and bemusement. [/rant]
EG
Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX | reply to amysheehan Re: W32.Sober.O@mm/Sober.P
said by amysheehan:
  said by Chris 313: I'm ok. I didn't even touch the zip file. I was just curious to know whether MSN actually had stripped the contents of that zip file since the text of the email said it was clean...
That's likely a fake message put there by the worm itself. If you look at other copies of similar worms lately, they are all doing something like this, claiming that the attachment was scanned by antivirus software and found clean.
-- "Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors. To RIAA/MPAA - You can sue but you can't catch everyone!
Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX | reply to kpatz According to UK antivirus company Sophos, the Sober.P worm now constitutes roughly 5% of all email traffic (as of Friday morning), and 77% of all virus activity they are seeing:
»news.com.com/Sober+worm+makes+a+···nefd.top
-- "Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors. To RIAA/MPAA - You can sue but you can't catch everyone!
ravencajun Premium join:2004-08-12 Houston, TX | reply to kpatz I am getting about 40-60 or so a day for the past few days, all to my junk mail folder on my hotmail account. None on my gmail, none on my yahoo, no other email addys are getting hit. I just have to keep deleting the junk mail from the folder several times a day to get rid of all of them. The size is a good telltale sign for sure.
Apparently someone is opening the things for them to be so rampant.
Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA | reply to kpatz actually kpatz, the file is 0.05MB not kb, and so the size will be around 53kb, so I think the worm wasn't stripped of its potency.
kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH | 1 edit | reply to amysheehan
said by amysheehan: I was just curious to know whether MSN actually had stripped the contents of that zip file since the text of the email said it was clean...
The text stating the attachment is "clean" or "no virus found" is generated by the worm itself and is meaningless. It's just another one of its social engineering tactics, to get people to "trust" the attachment.
However, I did notice that your zip file was only .05K in size, meaning it was probably stripped before it even reached your hotmail/MSN account. Perhaps it passed through an outbound scanner before it reached you.
EDIT: It says .05M so it could still contain the worm which is roughly 73K in size encoded. Nice way of measuring attachment size there, Microsoft...
-- SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.
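The Aladdin alert EGeezer quoted lists the exact subject lines, attachment names and extensions Win32.Mytob.eg uses, and kpatz and Doctor Four point out in their replies that the "scanned and found clean" line in the body is written by the worm itself. The Python script below is an added example for this thread, not Aladdin's, eSafe's or any poster's code: it turns those published characteristics into a mail-gateway triage check. The two sample messages are constructed inline; the wording matched for the "clean" claim and the two-indicator quarantine threshold are my own assumptions, since the alert states neither.

```python
"""Triage incoming mail against the Win32.Mytob.eg lure characteristics
from the Aladdin alert (subjects, attachment names, extensions) plus the
self-asserted "attachment is clean" notice discussed in the thread.
Added example; not Aladdin's, eSafe's or any forum poster's code."""
import email
import re
from email import policy
from email.message import EmailMessage

# Subject lines and attachment names/extensions exactly as listed in the alert.
# The "[random text string]" entries cannot be matched literally and are omitted.
MYTOB_SUBJECTS = {
    "*IMPORTANT* Please Validate Your Email Account",
    "*IMPORTANT* Your Account Has Been Locked",
    "Email Account Suspension",
    "Notice: **Last Warning**",
    "Notice:***Your email account will be suspended***",
    "Security measures",
    "Your email account access is restricted",
    "Your Email Account is Suspended For Security Reasons",
}
MYTOB_ATTACH_NAMES = {
    "document_full", "email-doc", "email-info", "email-text",
    "important", "information", "info-text", "your_details",
}
MYTOB_ATTACH_EXTS = {"bat", "cmd", "exe", "pif", "scr", "zip"}

# Wording of the fake "scanned clean" notice: an assumption on my part,
# the alert does not quote the exact phrase the worm inserts.
CLEAN_CLAIM = re.compile(r"no virus found|scanned .{0,40}clean|virus[- ]free", re.I)


def triage(raw: bytes) -> dict:
    """Return the Mytob.eg lure indicators found in one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip()
    reasons = []
    if subject in MYTOB_SUBJECTS:
        reasons.append("subject matches Mytob.eg lure list")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        base, _, ext = name.rpartition(".")
        if ext.lower() in MYTOB_ATTACH_EXTS:
            reasons.append(f"attachment uses lure extension .{ext.lower()}")
            if base.lower() in MYTOB_ATTACH_NAMES:
                reasons.append(f"attachment name {base!r} matches lure list")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if CLEAN_CLAIM.search(text):
        reasons.append("body asserts the attachment was scanned clean")
    # Assumed threshold: two independent indicators. A lone .zip or a lone
    # subject hit would quarantine far too much legitimate mail.
    return {"subject": subject, "reasons": reasons, "quarantine": len(reasons) >= 2}


def build_sample(subject, body, attach_name=None) -> bytes:
    """Construct a sample message (constructed for this example, not captured worm mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attach_name:
        # Placeholder bytes only; the thread puts a real encoded copy at roughly 73K.
        msg.add_attachment(b"PK\x03\x04 constructed placeholder, not a real payload",
                           maintype="application", subtype="octet-stream",
                           filename=attach_name)
    return msg.as_bytes()


# Constructed samples: one built from the alert's lure list, one ordinary mail.
LURE = build_sample("Email Account Suspension",
                    "please look at attached document.\nNo virus found in this message.",
                    "email-doc.zip")
BENIGN = build_sample("Lunch on Friday?", "Noon at the usual place?")

if __name__ == "__main__":
    for raw in (LURE, BENIGN):
        print(triage(raw))
```

Running the script prints one verdict per sample: the lure message collects four indicators and is quarantined, the ordinary mail none. A check like this only complements signature scanning at the gateway; on a machine that did open the attachment, the Run/RunServices entries and the SharedAccess Start = '4' change in the alert are the host-side indicators to look for.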
Chris 313 Come get some Premium join:2004-07-18 Houma, LA | reply to amysheehan
said by amysheehan:
  said by Chris 313: I'm ok. I didn't even touch the zip file. I was just curious to know whether MSN actually had stripped the contents of that zip file since the text of the email said it was clean...
  Someone else I know had that kind of text in the email and the file had NOT been cleaned - they didn't open the zip but scanned it only to find it was not cleaned as MSN had 'suggested'... More worried about others who are more worried about not deleting it as junk and opening the zip without a thought...:)
I don't know whether the file was actually clean as I dumped everything in my Junk folder after making the screenshot.
Being worried about others is where a good crash course in today's internet threats and protection and prevention comes in.
I personally got sick of seeing all the crap being mixed in with my legit mail and set up my protection to only receive from addresses I know; all else is sent to junk and I sort it out daily.
amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA | reply to Chris 313
said by Chris 313: I'm ok. I didn't even touch the zip file. I was just curious to know whether MSN actually had stripped the contents of that zip file since the text of the email said it was clean...
Someone else I know had that kind of text in the email and the file had NOT been cleaned - they didn't open the zip but scanned it only to find it was not cleaned as MSN had 'suggested'... More worried about others who are more worried about not deleting it as junk and opening the zip without a thought...:)
Chris 313 Come get some Premium join:2004-07-18 Houma, LA | reply to amysheehan I'm ok. I didn't even touch the zip file.
91439306 15,000 Watts of Bass Power join:2002-10-16 New Milford, CT | reply to GKJUG I noticed that at the beginning of the week when this started here, I was finding that they had originated from the .nl domain extension. I guess it spread to Germany and then the US about the same time. Nasty, because unlike previous worms, Earthlink's Spaminator is not blocking the e-mails. Its AV is stripping out the virus, at least here on my account. Volume is getting annoying though.
-- Take care,
Mark & Mary Ann Weiss
Hear my Kurzweil Creations at: »www.dv-clips.com/theater.htm »www.mwcomms.com/auctions.htm »www.mwcomms.com »www.adventuresinanimemusic.com
amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA | reply to Chris 313
said by Chris 313: It looks like I got one. Does this look like it? It was sent to my junkmail folder.
Let's hope that the Zip file was cleaned before it was downloaded...
My son got one earlier that included the zip attachment; however, we found it had been cleaned by RR before he ever downloaded the message...
Chris 313 Come get some Premium join:2004-07-18 Houma, LA | reply to Greg_Z It looks like I got one.
Does this look like it?
It was sent to my junkmail folder.