Anon_1
@nodomaintransfer24.c reply to kpatz Re: W32.Sober.O@mm/Sober.P
Got more than a couple of these nasties in my Gmail inbox today, exact matches! I think this worm is really spreading far and wide.
|
BillRoland Premium join:2001-01-21 Ocala, FL
reply to kpatz Interesting how only a few weeks ago some were proclaiming an end to the mass-spreading e-mail worm. The Norman engine on GFI MailSecurity has picked off just about 350 of these in the last 2 days. Looks like Sober.O is just proving that worms haven't become irrelevant...yet. -- "Don't steal. The government hates competition."
|
kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
reply to boognish Boognish, just curious, how many addresses are on your Exchange server (ballpark)? Just wondering if this Sober tends to hit the same addresses over and over, or if it's hitting a wide swath of addresses.
My address had one email this morning, but a year ago my wife got nailed with 50+ emails of an earlier Sober variant, all from the same IP. So some Sobers, in at least some cases, can bang the same addresses over and over. -- SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.
|
boognish Premium join:2001-09-26 Baton Rouge, LA
There are 120-150 email boxes. I don't have the reports I get set up to see who is getting the viruses, just who sends them.
|
Phil BK Premium join:2002-05-18 Miami, FL
reply to kpatz Getting hammered with this in our catchall account. It doesn't hurt anyone since it's only to scan for legit emails with the wrong address. However, I am getting at least 200 of these every 5 min into that account. It seems the virus doesn't just take addresses and mail to them, it makes them up out of common addresses and sends them to the domain. So since this account grabs all the email with nonexistent accounts, it is getting hammered hard. -- If at first you don't succeed...bug them till you get what you want.
|
justin Australian join:1999-05-28 Brooklyn, NY
We got 800 in the last 3 days, 95% Sober, without any catch-all account. It must be currently chewing up quite a bit of worldwide mail system bandwidth.
|
Penguins Have You Played Atari Today?
join:2001-12-01 Cleveland, OH
reply to Anon_1 SpamAssassin seems to be hammering these pretty well, only 2 or 3 of these have actually wormed past it in the last week or so. -- Pure magic in 2k of 6502.
|
Chizep Premium join:2002-04-07 Concord, NC
reply to kpatz According to this article: said by »news.com.com/Sober+worm+spreads+···bj=news: Sober.P, first detected on Monday, now accounts for 77 percent of all viruses detected by Sophos's threat-monitoring stations worldwide, the British security company said on Tuesday. At the same time, Kaspersky Lab, a Russian maker of antivirus software designed to combat such threats, described the worm's spread in Western Europe as an "epidemic."
Wow.
|
kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
Sober variants tend to spread well in Europe, especially Germany, since it sends messages in German to German-speaking domains. Plus this latest variant is clever in its social engineering in the German emails (the soccer tickets thing), more so than the English emails, which are the typical "your email bounced, see the attachment for details" sort of thing.
I received a 2nd one. quote: Account and Password Information are attached!
Visit: http: //www.lacoe.edu
*** AntiVirus: No Virus found *** "$MY_DOMAIN" Anti-Virus *** http: //www.$MY_DOMAIN.com
Attachment: account_info.zip
Gotta love the ones that say "No Virus Found"... like I'm going to fall for that. -- SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.
|
kemacee
join:2005-05-04
We've been hammered with some 3700+ just in our catch-all alone... All the proper accounts have gotten at least 20-50 today, and I've been hearing from friends who have gotten quite a few as well.
|
thedip
join:2001-02-09 Beaver Falls, PA
reply to kpatz Yesterday was the first time ever that the % of incoming email that was worms/virii exceeded % of spam, thanks to this worm!
% of Sober emails:
  5/1/05   1% (21 emails)
  5/2/05   8% (2,247 emails)
  5/3/05  32% (12,462 emails)
  5/4/05  33% (10,935 emails so far)
Brightmail Antispam has blocked all of them
|
justin Australian join:1999-05-28 Brooklyn, NY
Maybe my spam counting stats are off, but the stats for @dslr.net look like this; all that red is Sober.
|
thedip
join:2001-02-09 Beaver Falls, PA
(graph: Percents)
Here's a graph from Brightmail. While the total daily worms hasn't surpassed total daily spam, certain hours of the day it has. Our system gets an average of 30k emails a day, it has gone up quite a bit since this worm hit.
|
cjsmith Premium join:2000-11-03 Villa Rica, GA
reply to kpatz I have been receiving these e-mails for about a week now. Luckily AVG7F has been blocking them, easy to delete from the Virus Vault.
--------- Viruses found in the attached files. The file mail_info.zip: Virus identified I-Worm/Sober.P. The attachment was moved to the virus vault. ---------
-- I'm on the outside looking inside What do I see Much confusion, disillusion All around me.
|
skj Welcome to the far side of reality Premium,Mod join:2002-04-04 Atlanta, GA
reply to kpatz Got 23 more of them today.
|
TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA
reply to kpatz First time I've ever received an infected mass mailing (at home). I had the first one yesterday, and 3 today, all to a Yahoo account. -- TheJoker
|
Greg_Z Premium join:2001-08-08 Springfield, IL
reply to kpatz Sober.s goes through cookies, web history, contact list, to find places to send itself out. I have been looking at the header info on the ones that I have been getting, and they are coming out of a server at knology.net.
X-Originating-IP: [69.1.27.198] Received: from rvvvxjm.us (user-69-1-27-198.knology.net [69.1.27.198])
I have sent an information email to people to let them know about this nasty and to not open up the attachment. -- One man's customer loyalty is another man's misguided arrogance.
|
kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
Symantec has added a !enc detection (W32.Sober.O@mm!enc) in today's LiveUpdate. So now NAV will delete the entire email instead of just the attachment. -- SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.
|
Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA
reply to kpatz I tried to send/forward 1 copy of this worm to my Gmail acc. just to see if it would.
I was surprised that it didn't. I got a "failure notice".
Hi. This is the qmail-send program at yahoo.com. I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out. 64.233.185.27 failed after I sent the message. Remote host said: 552 5.7.0 Illegal Attachment
As you can see, Gmail, it seems, rejected this attachment, calling it illegal!
Now, it also gave me the analysis of this attachment, so what is all this? Is that the worm's code? {it goes on and on, I just got a small section of it} Is it encrypted?
|
kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
Gmail rejects any attachment with certain filename suffixes such as .exe, .zip, .scr, .pif, etc., regardless of whether they're infected or not.
The gobbledygook you see in the bounce is the original message with the attachment (encoded in base64 so it can be emailed), but without being interpreted as an attachment, so you see the code.
I actually figured out who was sending me the Sobers, it was a local non-profit org. I sent them an email to let them know they have an infection on their hands. Hopefully they'll act on it soon. -- SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.
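An added example, not from anyone in this thread: a small Python mail-gateway check that does the two things Greg_Z's header post and kpatz's Gmail explanation describe. It pulls the HELO name, reverse DNS and IP out of the quoted Received header, and on a constructed message carrying a harmless base64-encoded account_info.zip it applies the suffix blocklist kpatz lists, decodes the base64 "gobbledygook" back into the attachment bytes, and returns the same 552 rejection the bounce quoted. The blocklist and the sample message are assumptions built for the example.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Suffixes kpatz says Gmail refuses regardless of content (assumed list).
BLOCKED_SUFFIXES = (".exe", ".zip", ".scr", ".pif")
# Received header quoted in Greg_Z's post; HELO name and reverse DNS disagree,
# which is itself a useful signal in gateway logs.
SAMPLE_RECEIVED = "from rvvvxjm.us (user-69-1-27-198.knology.net [69.1.27.198])"
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[\]]+)\s*\[([\d.]+)\]\)")

def parse_received(header: str):
    """Return (helo_name, reverse_dns, ip) from a Received header, or None."""
    m = RECEIVED_RE.search(header)
    return (m.group(1), m.group(2), m.group(3)) if m else None

def build_sample_message() -> bytes:
    """Constructed message imitating the thread's lure; the zip holds only a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample, not malware\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your Password"
    msg.set_content("Account and Password Information are attached!\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="account_info.zip")
    return msg.as_bytes()  # attachment is now base64 text, as in the bounce

def scan_message(raw: bytes):
    """Decode each attachment and flag blocked suffixes; returns one dict per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True)  # undoes the base64 encoding
        findings.append({
            "filename": name,
            "blocked": name.lower().endswith(BLOCKED_SUFFIXES),
            "is_zip": zipfile.is_zipfile(io.BytesIO(payload)),
            "size": len(payload),
        })
    return findings

def rejection_reason(findings):
    """SMTP reply a suffix-blocking gateway would send, or None to accept."""
    return "552 5.7.0 Illegal Attachment" if any(f["blocked"] for f in findings) else None
```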
|