Hi All, Watch out. New Sober worm about. Looking at VirusTotal, it's quite widespread. http://www.sarc.com/avcenter/venc/data/w32.sober.o@mm.html I understand Nod32 catches this one already with AH. Good one Nod! Cheers Jlo
I have already received 3 of them this morning:

Time: 3/05/2005 7:55:36 AM
Module: EMON
Object: email message
Name: from: hostmaster @ ozemail.com.au to: E-Post @ bigpond.net.au with subject mailing error dated 05/03/2005 2:47 Attachment: mail_info.zip
Virus: Win32/Sober.O worm
Action: quarantined - unable to clean - deleted
User: BLACKSPEAR\XXXX
Information:

Cheers
Yes, that's right. NOD32 v2.50.9 Beta detects it (heuristically) as "probably a variant of Win32/Sober worm".
It's in today's definitions as well. NOD32 - v.1.1086 (20050502) Virus signature database updates: IRC/Delf.A, IRC/Zapchast.B, JS/KakWorm.A, Win32/Agent.WIW, Win32/Banish.A, Win32/Bropia.V, Win32/Delf.YG, Win32/HideWindow, Win32/Kelvir.AU, Win32/Kelvir.AV, Win32/Kelvir.AW, Win32/Kelvir.AX, Win32/Kelvir.AY, Win32/Mydoom.BD, Win32/Mytob.BU, Win32/QDial.30.A, Win32/Rbot.DST, Win32/Rbot.DSU, Win32/Sharan, Win32/Sharan.C, Win32/Sober.O, Win32/TrojanDownloader.Agent, Win32/TrojanDownloader.Agent.LW, Win32/TrojanDownloader.Small.ALV, Win32/TrojanDownloader.WarSpy, Win32/TrojanDropper.Agent.NAI, Win32/Tumbi, Win32/Tumbi.AL, Win32/VB.CS, Win32/VB.CW, Win32/VB.CY, Win32/VB.PT
This worm has a very good chance of spreading even more - at least in German-speaking countries. It claims to bring "Free Football WM tickets" - and this exactly at the time when they are REALLY giving away free Football tickets for this WM! Social engineering at its best. I would NOT BE SURPRISED if some football fanatics would even disable the antivirus when it says "Sober.O" just to get these "tickets"....