Sober.q

[IBK]

Sober.q will be around soon. Update your scanners to detect it as soon as it spreads.

(I read this on KAV weblog)

[Firecat]

How do they know that Sober.q is coming?

[Trans]

Quote:

Originally Posted by Firecat

How do they know that Sober.q is coming?

Maybe some first incidents ?

[Stefan Kurtzhals]

They probably monitored the "update" URL's that the previous Sober is trying to download files from. The trigger date for updating of the last Sober variant passed a few days ago, so the author probably placed the new variant.

We detect it as Sober.Gen.

[Stefan Kurtzhals]

The new Sober started to send out spam (some rightwing crap) this night, trigger date was 11th of May, 4 days later is the date to start spamming. The first spam mails arrived at midnight.
12 days after the trigger date it is supposed to download updates.

So this is not an email worm, it's a trojan spammer. It doesn't have code to send attachments.

[jlo]

Thanks for the heads up!

Not many Av's have updated yet for it?

As you said KAV has the update and F-secure updated yesterday but Symantec, Trend, AVG and Avast no sign of update yet. Had a look at VirusTotal and cant see any samples submitted yet so it will be interesting to see how quickly and if this spreads.

Cheers

Jlo

[Stefan Kurtzhals]

It was uploaded at Jotti and VirusTotal, so all antivirus companies should have a sample by now.

As it is only a trojan, it doesn't self-replicate/email. So there is no danger except the spam it sends.