Preventing W32.Sober.Q

The TrendMicro link that Randy posted has a nice diagram showing how this worm works.

Note that it arrives by email. TrendMicro says under countermeasures, "Do Not Open Untrusted Email." Why do people continue to violate this rule? The current buzz phrase to explain this away is "social engineering techniques."

Once these worms are installed, they propagate rapidly via email, often using their own SMTP engine, as in the case of W32.Sober. In another thread, Devinco says that SMTP can use any arbitrary port it wants, and not just the standard port 25, and that a properly configured firewall will alert and/or block these attempts.

Note that this firewall countermeasure is not listed in the TrendMicro diagram, and I've not seen it mentioned on other sites. Why not?

All that is stated is that they are mass mailers, as if once the worm is installed, one is at the mercy of the worm.

Well, maybe Devinco is wrong. Only one way to tell - do your own test.

I happened to receive the W32.Sober.Q in an email October 5, so I read about it and decided to run it and observe what happens.

The image below shows the files that are installed, as described on the AV sites. I didn't list the Registry Entries.

Services.exe is the workhorse, initially harvesting a list of email addresses in the socket.dli file. Once this is completed, the worm attempts to connect out to time servers, and these were blocked at the firewall; so the worm essentially did not propagate.

This worm should never have achieved any status greater than the lowest threat level.

regards,

-rich
________________
~~Be ALERT!!! ~~

 

Good to see your software firewall did its job and blocked the unauthorized outbound traffic, Rich.