Sober.q

Discussion in 'other anti-virus software' started by IBK, May 14, 2005.

Thread Status:
Not open for further replies.
  1. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    Sober.q will be around soon. Update your scanners to detect it as soon as it spreads.

    (I read this on KAV weblog)
     
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    How do they know that Sober.q is coming? o_O
     
  3. Trans

    Trans Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    76
    Maybe some first incidents?
     
  4. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    They probably monitored the "update" URLs that the previous Sober is trying to download files from. The trigger date for updating of the last Sober variant passed a few days ago, so the author probably placed the new variant.

    We detect it as Sober.Gen.
     
  5. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    The new Sober started to send out spam (some right-wing crap) this night. The trigger date was the 11th of May; 4 days later is the date to start spamming. The first spam mails arrived at midnight.
    12 days after the trigger date it is supposed to download updates.

    So this is not an email worm, it's a trojan spammer. It doesn't have code to send attachments.
     
  6. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Thanks for the heads up!

    Not many AVs have updated yet for it?

    As you said, KAV has the update and F-Secure updated yesterday, but Symantec, Trend, AVG and Avast show no sign of an update yet. Had a look at VirusTotal and can't see any samples submitted yet, so it will be interesting to see how quickly and if this spreads.

    Cheers

    Jlo
     
  7. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    It was uploaded at Jotti and VirusTotal, so all antivirus companies should have a sample by now.

    As it is only a trojan, it doesn't self-replicate/email. So there is no danger except the spam it sends.
     