Doctor Four (My other vehicle is a TARDIS) join:2000-09-05 Dallas, TX
reply to kpatz Re: W32.Sober.O@mm/Sober.P
According to UK antivirus company Sophos, the Sober.P worm now constitutes roughly 5% of all email traffic (as of Friday morning), and 77% of all virus activity they are seeing:
»news.com.com/Sober+worm+makes+a+···nefd.top
-- "Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors. To RIAA/MPAA - You can sue but you can't catch everyone!
Doctor Four (My other vehicle is a TARDIS) join:2000-09-05 Dallas, TX
reply to amysheehan
said by amysheehan:
said by Chris 313: I'm ok. I didn't even touch the zip file. I was just curious to know whether MSN actually had stripped the contents of that zip file since the text of the email said it was clean...
That's likely a fake message put there by the worm itself. If you look at other copies of similar worms lately, they are all doing something like this, claiming that the attachment was scanned by antivirus software and found clean.
EGeezer (Go Bobcats) join:2002-08-04 Country!
reply to kpatz Sober / Mytob writeup - Aladdin
I wish they could make up their mind. Call it something, stick to it. From Aladdin Systems, who usually do good writeups when they do them; said by Aladdin newsletter:
====================================================
Aladdin Content Security Response Team - Virus Alert
====================================================
Win32.Mytob.eg
===========================
Virus/Vandal name: Win32.Mytob.eg
Threat Level: Medium
Alias: WORM_MYTOB.EG, Net-Worm.Win32.Mytob.au, W32/Mytob-AU
Platforms: Win 95, Win 98, Win ME, Win NT, Win 2K, Win XP
Updated on: May 10, 2005
Arrival Form: Email
Type: Win32, Worm, Trojan
Damage: Create files, Modify files, Send Email, Remote control, Lowers security
Introduction
---------------------
Win32.Mytob.eg is a mass-mailing worm which opens a backdoor on infected systems and terminates security-related processes.
The arriving email will have the following characteristics:
Subject: The subject of this mail will be one of the following:
*IMPORTANT* Please Validate Your Email Account
*IMPORTANT* Your Account Has Been Locked
[random text string]
Email Account Suspension
Notice: **Last Warning**
Notice:***Your email account will be suspended***
Security measures
Your email account access is restricted
Your Email Account is Suspended For Security Reasons
Body: The body of this mail will be one of the following:
[random text string]
Account Information Are Attached!
Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
please look at attached document.
To safeguard your email account from possible termination, please see the attached file.
To unblock your email account acces, please see the attachement.
We have suspended some of your email services, to resolve the problem you should read the attached document.
Attached File: The attached file will have one of the following names:
[random text string]
document_full
email-doc
email-info
email-text
IMPORTANT
information
info-text
your_details
followed by one of the following extensions:
bat cmd exe pif scr zip
Malicious Activity
--------------------------
When the worm is executed it does the following:
1. It drops a copy of itself, internet.exe, into the default Windows System folder.
2. To run on every startup, the worm creates the following registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Internet Services = 'internet.exe'
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices Internet Services = 'internet.exe'
3. When it runs on an up-to-date version of Windows XP, the worm will disable the firewall by modifying the following registry entry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess Start = '4'
4. The worm is also capable of connecting to an IRC server and listening to incoming commands coming from a specific channel. This may allow a hacker to take over the infected system.
5. The worm then terminates several security-related processes and also blocks access to such websites to prevent security updates.
6. Finally, the worm will harvest email addresses from the infected system and send itself to most contacts found. Some addresses may be avoided by the worm.
eSafe Users
---------------------
eSafe users are protected against this vandal using the latest vandal/virus update.
[rant] Given the hokey email subject lines and attachment names and how often they're associated with malware, it's amazing people still bite on them - but they do, providing us with gainful employment, hobbyist activity and bemusement. [/rant]
EG
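A defender-side check for the two registry changes the Aladdin writeup lists (the "Internet Services" autorun value pointing at internet.exe, and the SharedAccess service set to Start=4, which disables the XP firewall), added here as an example and not Aladdin's or the worm's code. It parses a constructed regedit-style .reg export and assumes the standard [key] / "name"=value layout.

```python
"""Scan a Windows registry export (.reg text) for the Mytob.eg persistence
and firewall-disable indicators listed in the writeup above."""

# Indicators from the writeup: an autorun value "Internet Services" pointing
# at internet.exe, and the SharedAccess (XP firewall) service set to Start=4.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
SHAREDACCESS_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess"


def parse_reg_export(text):
    """Parse the [key] / "name"=value layout of a .reg export into
    {key.lower(): {name: value}}; DWORDs keep their dword:xxxxxxxx form."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry paths are case-insensitive
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip().strip('"')
    return keys


def find_indicators(reg):
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    for key in AUTORUN_KEYS:
        for name, value in reg.get(key.lower(), {}).items():
            if "internet.exe" in value.lower():
                findings.append(f"autorun {key}\\{name} -> {value}")
    start = reg.get(SHAREDACCESS_KEY.lower(), {}).get("Start", "")
    if start.lower() == "dword:00000004":
        findings.append("SharedAccess Start=4 (Windows Firewall/ICS service disabled)")
    return findings


# Constructed sample export resembling an infected XP host (not real data).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internet Services"="internet.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""

if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_REG)):
        print("INDICATOR:", finding)
```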
kpatz (MY HEAD A SPLODE) join:2003-06-13 Manchester, NH
EGeezer, that is a writeup for a Mytob variant, not Sober. Different worm, different name, different email texts, same annoyances.
-- SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.
EGeezer (Go Bobcats) join:2002-08-04 Country!
I've seen them used interchangeably the last few days. Gah, the mess this stuff makes.
Here's why I posted here instead of a new thread - DiskDrive also noted the multi-nomenclature (new word):
»New Sober Variant???
Maybe I should put in a new topic?
EDIT - Noticed this morning, NO new SOBERS showed up at all - I had been getting as many as 20 a day, all scrubbed by RoadRunner. *waits for the next round*
kpatz (MY HEAD A SPLODE) join:2003-06-13 Manchester, NH
Many of these worms are similar enough in behavior that it's easy to get them mixed up. With the similarity in most of the emails, I'm surprised people still open them. Well, maybe I shouldn't be surprised...
I see a worm email, 99% of the time I *know* it's a worm, and usually which worm it is without even scanning the attachment. Especially if it's one I've seen before. I can recognize the latest Sober just by the subject line.
My inboxes have been quiet the past few days too. But then I've only seen a half dozen or so, not like some people who have been hammered with dozens or hundreds of copies.
EGeezer (Go Bobcats) join:2002-08-04 Country!
Cattleprod.WIN32.A
maybe the cattleprod worm could solve a lot of the problems;
CATTLEPROD.WIN32.A
Platforms: Win 95, Win 98, Win ME, Win NT, Win 2K, Win XP
Aliases: Dingzap.MM, emptybelfry.WIN32@.b, LIGHTMEUP.KB.MM, mousefun.WIN32.zap, slimtorture.A
Arrival Form: Email
Type: Win32, Worm, Trojan
Damage: None, provides user training and negative reinforcement
The arriving email will have the following characteristics:
Subject: The subject of this mail will be one of the following:
*IMPORTANT* Please Validate Your Email Account
*IMPORTANT* Your Account Has Been Locked
[random text string]
Email Account Suspension
Notice: **Last Warning**
Notice:***Your email account will be suspended***
Security measures
Your email account access is restricted
Your Email Account is Suspended For Security Reasons
Attached File: The attached file will have one of the following names:
[random text string] document_full email-doc email-info email-text IMPORTANT information info-text your_details
followed by one of the following extensions: bat cmd exe pif scr zip
Malicious Activity
--------------------------
When the worm is executed it does the following:
Causes keyboard and mouse to be energized with cattle prod voltage.
Screen saver activates with "What the hell were you THINKING when you opened that???"
Volume control locked to maximum, loops on "Slim Whitman sings Queen's Greatest Hits"
kpatz (MY HEAD A SPLODE) join:2003-06-13 Manchester, NH
According to F-Secure's statistics page for Sober.P, submissions have dropped off dramatically today compared to yesterday. Netsky.P and Lovgate.W are now ahead of Sober.P on their top 10. Does it have a hard-coded drop-dead date? There's no mention in any of the write-ups. Has anyone been hit today, or seen a drop-off in hits?
Schouw join:2003-05-29 Netherlands
reply to kpatz Re: W32.Sober.O@mm/Sober.P
No intention to spam here, but you might find this interesting.
It mentions - albeit briefly - why you aren't seeing any Sober mails at this moment.
-- Not speaking for Kaspersky Lab
EGeezer (Go Bobcats) join:2002-08-04 Country!
Schouw - Not only interesting but relevant!
Thanks Schouw, the information is very interesting.
This series looks much better planned and the execution reflects the effort of a profit-making venture. Corporate patch management should be so effective at rolling out code.
alien8 join:2004-03-03 UK
reply to kpatz Re: W32.Sober.O@mm/Sober.P
This weekly virus graph from my ISP shows the pattern nicely: »portal.plus.net/support/features···ly.shtml
You can see sober.p suddenly stopping!
Cheers,
Steve
-- Tired of spam? Grab www.spampal.org