#1
hi everybody the second

we are running the linux version of nod32 on our webserver and one of our customers sometimes still gets some viruses and is not happy about that, or better, he means nod missed some viruses. so i caught one of the mails, and the question is if nod really missed it or just sees no danger, because the mail was in plain text and so also the code of the virus was in plain text and not as an attached bat or com or exe or...!

Please see attachment --> it is the text in the mailbox file on the linux server

Some other scanners on jotti's find a virus and some did not!?

regards and thx
steffen jeschke

#2
NAV reports this as a bug. Will post a scan from McAfee Virus Scan 8.0i later.

#3
Scan result:

AntiVir      6.29.0.5        12.20.2004   Worm/Sober.I.Base64A
BitDefender  7.0             12.20.2004   -
ClamAV       devel-20041205  12.19.2004   Worm.Sober.I
DrWeb        4.32b           12.20.2004   Win32.HLLM.Sober
eTrust-Iris  7.1.194.0       12.19.2004   -
eTrust-Vet   11.7.0.0        12.20.2004   -
F-Prot       3.15b           12.20.2004   W32/Sober.J@mm
Kaspersky    4.0.2.24        12.20.2004   I-Worm.Sober.i
NOD32v2      1.953           12.19.2004   -
Norman       5.70.10         12.16.2004   Sober.I@mm
Panda        7.02.00         12.20.2004   -
Sybari       7.5.1314        12.20.2004   I-Worm.Sober.i
Symantec     8.0             12.20.2004   -

#4
Hello,
NOD32 detected Sober.I heuristically without needing to update. I suspect the file is corrupted, but for me to tell for sure please send it to samples@eset.com

#5
@jg88swe - i get nearly the same results with jotti's online malware scanner, BUT the question for me is, did nod32 really miss this virus OR did it just ignore it, because the "virus code" stands as text in the mail and not as an attachment!!!
regards steffen

#6
VS 8.0i also reports this as a bug.

#7
i scanned the text file with nod32 with the latest updates, and nod32 reported that it was clean.. i scanned the file online at computer associates/etrust, and their online scanner reported that the file was clean..
kaspersky's online scan reported that the file was infected with "i-worm.sober.i".. my understanding is that a text file cannot carry a malware-payload..
Last edited by redwolfe_98 : December 21st, 2004 at 01:40 AM.

#8
i scanned the file at panda, and panda said it was clean.. i scanned it at trend micro's housecall, and they detected it as sober-i.. i couldn't manage to get symantec's online scanner to run, so i couldn't scan it, there..
Last edited by redwolfe_98 : December 21st, 2004 at 05:31 AM.

#9
so what does this mean for us eset users?
that certain types of viruses are being passed over?

#10
No virus is being passed over, the example in question is a text file. Text files cannot perform any malicious acts as they cannot execute code, they merely display it. A text file is the same as reading something on a piece of paper, yes it may be the code for Sober, but reading it will not harm you or your computer. As Marcos pointed out, NOD detected Sober.I heuristically without an update so it is safe to say NOD users are safe. As the thread points out some of the scanners at Jotti's site detect it as a virus, however, I view that as a false positive personally, as it is in a text file.

#11
Currently, it is not possible to introduce a bug via .txt files. However, some AVs may detect this as malware. When in doubt, quarantine the thing and submit it for analysis. Personally, I would delete it if I don't know the sender.

#12
Quote:
Safe Practices / Viruses / Hoaxes etc

1. Viruses and Anti-virus Programs

a) Update your Nod32 anti-virus. As with ALL anti-virus programs, Nod32 can only protect you from what it knows about. New viruses are written, distributed and found daily, it is very important for you to update and check that Nod32 is being updated regularly. This is an automated function within Nod32, however, we advise that at least once a day you check and know for sure that Nod32 is actually up-to-date, just to be sure, it is a man-made program and one day it will fail, you DO NOT want to find out there was a problem with updating 3 months ago. This is just an additional security step to make it that little bit safer.

b) Use Nod32 to scan EVERY new file that you download from the internet, or that you place into your computer by disk or other means. Make a routine WEEKLY scan of your computer.

c) NO ANTI-VIRUS PROGRAM IS PERFECT, nor can it compensate for: UNSAFE SOFTWARE PRACTICES. No anti-virus program will ever detect all viruses all the time; viruses are being written and distributed daily. PRACTICE SAFE COMPUTING. Be cautious when opening files, DO NOT OPEN obvious file extensions typically used by viruses and sent by email to you, such as .pif .scr .bat

d) Have you ever heard or said, “I only ever open attachments from people I know”, well this is one of the best ways to receive a virus, the infected email more than likely has NOT been sent by your friend, their email address has been harvested by a virus and the virus is sending emails as though it is coming from your friend.

e) Never open software from "warez" sites or “peer-to-peer” programs like Kazaa until they have been scanned with a fully up-to-date Nod32.

f) Pay attention to files with multiple extensions. Generally, the last extension is the relevant one. For example, a file named song.mp3.exe is an executable program (.exe) and not an MP3 file.
Note, however, that if you are using Outlook Express and see a file with three extensions, Outlook Express may consider the second extension to be relevant, so that a file named song.mp3.exe.jpg is an executable program (.exe), it is neither an MP3 file nor a JPG file.

Cheers
Blackspear.
__________________
"Illegitimis non carborundum"
translation: "Don't let the bastards grind you down" U.S. General Joseph W. "Vinegar Joe" Stilwell (1883-1946)
Two Photographers

#13
AMON would have detected it as soon as you had saved it as an eml file, opened it in Outlook Express and saved the attachment. As I had stated before, NOD32 detected Sober.I heuristically without needing to update. As long as it stays in text form, it's safe and cannot do any harm. If you manage to save it as a real file, AMON will spring into action.

#14
It seems to me that plain text of a virus' code is a virus in imagination only.

#15
Since last week I was getting a lot of these plain text sober.i 'worms' on my Astaro Security Linux (KAV engine), before the sender IPs were blacklisted. I first tried to block IPs, but then the messages would be routed over our fallback mailserver at our provider Xs4all which also scans for viruses and didn't find any infection.
The remainder are now rejected using a regular expression that rejects all messages containing "\*-\*-\* Anti_Virus: No Virus was found" :-)

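Added example (not posted by anyone in the thread): a mail-gateway check that combines the marker expression from post #15 with a test for the case the thread is about, an executable pasted into a text/plain body as encoded text. It assumes the body is base64, as AntiVir's "Base64A" name in post #3 suggests; the function names, the four-line threshold and the sample messages are constructed for illustration.

```python
import base64
import re
from email import message_from_string

# Expression quoted in post #15, used verbatim; assumed to be a regex whose
# escaped asterisks match the literal text "*-*-*".
MARKER = re.compile(r"\*-\*-\* Anti_Virus: No Virus was found")
# Four or more consecutive full-width base64 lines (threshold is an assumption).
B64_RUN = re.compile(r"(?:^[A-Za-z0-9+/]{60,76}\r?\n){4,}", re.M)


def has_inline_pe(text):
    """True if a base64 run in the text decodes to a DOS/PE 'MZ' header."""
    for match in B64_RUN.finditer(text):
        blob = "".join(match.group(0).split())
        try:
            head = base64.b64decode(blob[:64])  # 64 chars -> first 48 bytes
        except ValueError:
            continue
        if head.startswith(b"MZ"):
            return True
    return False


def classify(raw_message):
    """Return findings for the text/plain parts of one RFC 822 message."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/plain" or part.get_filename():
            continue  # real attachments go through the normal scan path
        body = part.get_payload(decode=True).decode("latin-1")
        if MARKER.search(body) and "marker" not in findings:
            findings.append("marker")
        if has_inline_pe(body) and "inline-pe" not in findings:
            findings.append("inline-pe")
    return findings


def sample(payload, footer=""):
    """Constructed test message: payload pasted as base64 into the text body."""
    encoded = base64.encodebytes(payload).decode("ascii")
    return ("From: sender@example.invalid\nSubject: constructed sample\n"
            "Content-Type: text/plain\n\nBody text of a constructed sample\n\n"
            + encoded + footer)


if __name__ == "__main__":
    fake_exe = b"MZ\x90\x00" + bytes(300)  # constructed, not real malware
    print(classify(sample(fake_exe, "*-*-* Anti_Virus: No Virus was found\n")))
    print(classify(sample(bytes(304))))
```

A base64 run that does not decode to an "MZ" header produces no finding, so ordinary encoded text in a message body is not flagged by the second check.
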
#16
Over the last few days I have been receiving about 20 Sober.I emails per day, this is one prevalent virus at the moment.
Cheers
Last edited by Blackspear : December 22nd, 2004 at 07:05 AM. Reason: Spelling and Grammar, just the usual :)

#17
Feeling a little left out here as I have not seen any yet
__________________
Drive 1: KIS6 | GeSWall | SuperAdblocker | BoClean
Drive 2: N.I.S 7 | Defencewall | BoClean

#18
Quote:

#19
The pc group I belong to helps out a lot with their gateway antivirus and spam filter. Some still manage to make it past the gates.

#20
Many thx for all your replies and answers AND the best of all - our customer now believes me (and U) and doesn't call me the whole day anymore

another question --> i posted a second thread about nod32 didn't scan some mails! could u help me there too?
regards steffen

#21
Quote:
Agree. If it is in a txt file it is no danger, but it could be that the next virus has it in it to rename this file to e.g. .bat
__________________
Regards
Mikkel
Bergen, Norway

#22
There are a lot of 1- Worm.Sober.i.(2x) floating around currently.
more info from another source on this http://www.antiviruslab.com/descript...208074&lang=gb

#23
Quote:
http://www.virus-radar.com/index_enu.html
Cheers

#24
lol are you currently getting lots of (1) or have the (2) s hit oz as here.

#25
Quote:
Cheers