Hi All, Well, just thought I would report on my findings regarding the outbreak of Sober P (KAV) or Sober O (by Symantec). I saw the alerts yesterday, and when I logged in this morning at 7am GMT I had one zipped file in my mail client, except the contents had been deleted by my AV. Apparently Nod32, Dr Web, VBA32 and AntiVir detected it by heuristics from the date of the outbreak. KAV got in with updates early afternoon on Monday, and by 10pm even AVG and Avast and most of the others had scrambled to issue updates. I restored the PIF file from backup this morning (now 3rd May 7.30am GMT) and sent it to the Jotti scanner and VirusTotal scanner, and was surprised to see that MKS, Fortinet and Ikarus are still not detecting this virus. Interesting stuff. Jlo

AntiVir: Found Worm/Sober.P
Avast: Found Win32:Sober-N
AVG Antivirus: Found I-Worm/Sober.P
BitDefender: Found Win32.Sober.O@mm
ClamAV: Found Worm.Sober.P
Dr.Web: Found BACKDOOR.Trojan (probable variant)
F-Prot Antivirus: Found W32/Sober.O@mm
Fortinet: Found nothing
Kaspersky Anti-Virus: Found Email-Worm.Win32.Sober.p
mks_vir: Found nothing
NOD32: Found Win32/Sober.O
Norman Virus Control: Found Sober.O@mm
VBA32: Found Worm.Sober.2 (probable variant)
Hi Firecat, Cheers for your post. Please don't take it personally, but the only place I will submit virus files to is antivirus vendors. I guess you almost count, with all the work you do with them, though. Cheers Jlo
Hello Jlo, You must remember that the MKS staff works only Monday to Friday, 8am-4pm. In Poland we have a national holiday - our constitution was written on 3 May 1971. So we have four free days! Why, I do not understand, do virus authors not also have a holiday? Sorry... - I checked the hours when the MKS support works - and they work between 8.00am - 8.00pm (from Monday to Friday).
Well, that probably explains it, but personally I want my AV vendor to be at least on guard 24hrs a day. I can fully accept for low-risk stuff that is submitted that we of course wait until people are back to work, but for a fast-spreading worm like Sober I would expect an update to be shipped by now. I logged on to my e-mail at 7.30am GMT and had one of these critters arrive in my email box. Thankfully KAV just deleted it. Cheers Jlo
Such an answer is absolutely not acceptable from an antivirus vendor... But that's for sure only my opinion... Other people get called in at midnight to provide at least basic information and detection to protect users. Frankly spoken, whoever works with this attitude in an antivirus company should consider joining the local Hare Breeders' Association instead of making self-excuses. 8^) HB.
You are correct, and I am an Arcavir/MKS user, but that is ending. There has been no response from Mariusz since April 18th. I do not know what is going on, but it ain't good, so I think it is time to switch to DrWeb. The Sober O worm is an outbreak, and they said there would be emergency updates for these outbreaks. BS!!!!!!!!!
It was very funny to see all those AV experts jump up and run out with their cell phones yesterday evening at the EICAR gala dinner. The Trend Micro guy phoned around until his phone battery ran out of power. I took IDA and analysed it a bit in detail during the conference today; not very interesting. Strange, though, that no AV description contains details such as the trigger date (27.4.2005) and the day-delay checks (6 days for email sending, 12 for updating).
Not only this, it also has its own timer interrupt for checking the presence of its own registry keys, and it uses an exclusive lock to protect all (malicious) files from scanning once the worm runs active in memory. And btw... the trigger date is the 28th.
Trigger date:

.text:00417219 mov [ebp+var_linenumber], 2Dh
.text:00417220 push 1Bh ; 27.4.2005
.text:00417222 push 4
.text:00417224 push 7D5h
.text:00417229 lea eax, [ebp+var_70]
.text:0041722C push eax
.text:0041722D call rtcPackDate

Mail delay check:

.text:0040DA13 mov [ebp+var_linenumber], 1Dh
.text:0040DA1A cmp global_day_difference, 5
.text:0040DA21 jnz short loc_40DA8D
.text:0040DA23 mov [ebp+var_linenumber], 1Eh
.text:0040DA2A mov dword ptr [ebp+var_50+4], offset dbl_42B044
.text:0040DA31 mov [ebp+var_54], 4007h
.text:0040DA38 lea eax, [ebp+var_54]
.text:0040DA3B push eax
.text:0040DA3C lea eax, [ebp+var_34]
.text:0040DA3F push eax
.text:0040DA40 call rtcGetHourOfDay
.text:0040DA45 mov [ebp+var_5C], 10h
.text:0040DA4C mov [ebp+var_64], 8002h
.text:0040DA53 lea eax, [ebp+var_34]
.text:0040DA56 push eax
.text:0040DA57 lea eax, [ebp+var_64]
.text:0040DA5A push eax
.text:0040DA5B call __vbaVarTstLt

5 days, on the 5th day only after 16:00 o'clock.

Updating check:

.text:0040D9C0 mov [ebp+var_linenumber], 16h
.text:0040D9C7 cmp global_day_difference, 0Ch
.text:0040D9CE jle short loc_40D9DC
.text:0040D9D0 mov [ebp+var_linenumber], 17h
.text:0040D9D7 call vir_UrlUpdater
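The three checks in the disassembly above can be turned into a small date model that tells an analyst on which calendar dates each branch becomes reachable; this is an added example, not code from the thread, and it follows the poster's reading of the snippet (1Bh/4/7D5h packed as 27 April 2005, the mail branch taken when the day difference equals 5 and the hour is 16 or later, the updater reached when the day difference exceeds 0Ch). The later "bigger than" branch mentioned in the follow-up reply is not in the snippet and is not modelled.

```python
from datetime import date, datetime, timedelta

# Constants read from the posted listing (decoding is an assumption):
#   push 1Bh / push 4 / push 7D5h ; call rtcPackDate  -> 27 April 2005
TRIGGER_DATE = date(2005, 4, 27)
MAIL_DAY_DIFFERENCE = 5      # cmp global_day_difference, 5 ; jnz skips the mailer
MAIL_EARLIEST_HOUR = 0x10    # mov [ebp+var_5C], 10h ; hour compared via __vbaVarTstLt
UPDATE_DAY_THRESHOLD = 0x0C  # cmp global_day_difference, 0Ch ; jle skips vir_UrlUpdater


def day_difference(now: datetime) -> int:
    """Model of global_day_difference: whole days elapsed since the packed trigger date."""
    return (now.date() - TRIGGER_DATE).days


def mail_window_open(now: datetime) -> bool:
    """Mail delay check: the jnz falls through only on day 5, and the hour test
    (rtcGetHourOfDay against 10h) then requires 16:00 or later."""
    return (day_difference(now) == MAIL_DAY_DIFFERENCE
            and now.hour >= MAIL_EARLIEST_HOUR)


def update_window_open(now: datetime) -> bool:
    """Updating check: vir_UrlUpdater is called only when the day difference
    is strictly greater than 12 (jle skips it otherwise)."""
    return day_difference(now) > UPDATE_DAY_THRESHOLD


def activity_schedule() -> dict:
    """Resolve the relative checks to calendar timestamps for an incident timeline."""
    trigger_midnight = datetime.combine(TRIGGER_DATE, datetime.min.time())
    mail_from = trigger_midnight + timedelta(days=MAIL_DAY_DIFFERENCE,
                                             hours=MAIL_EARLIEST_HOUR)
    update_from = TRIGGER_DATE + timedelta(days=UPDATE_DAY_THRESHOLD + 1)
    return {
        "trigger_date": TRIGGER_DATE.isoformat(),
        "mail_from": mail_from.isoformat(),
        "update_from": update_from.isoformat(),
    }


if __name__ == "__main__":
    for key, value in activity_schedule().items():
        print(f"{key}: {value}")
```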
Yes, 1Bh equ 27d. But still, there is a "bigger than" with an ordinary JMP after the date-dependent jumps out of this function.
Remember there is MKS and Arcavir, one handled for the US and one for Poland. Most troublesome to me is that the US Arcavir folks seem to have dropped off the planet, completely stopping support of their product. Emails are going unanswered, forum posts are all but ignored. I can speculate they just haven't sold enough to make the money to support their operation; they do almost no marketing, and their web presence at best is mediocre. It is nice to hear Dr.Web detected this outbreak without an update.
Well, ArcaBit support seems fine to me... I guess I was right when I predicted I needed to move off ArcaVir... just a few days more and I'll be done.
Hooray! MKS/Arcavir now detect the Sober worm with today's update. Better late than never! Glad I use KAV and NOD32! Cheers Jlo
Credibility is seriously diminished for MKS/ArcaVir on the Sober worm issue. It will take some time to overcome this fiasco. Outbreaks like this need to be addressed ASAP. The other AV companies were not on holiday, or had someone getting out the update. As much as I like this AV, it has been uninstalled. What has happened to the good tech support?