SoberP

Discussion in 'other anti-virus software' started by jlo, May 3, 2005.

Thread Status:
Not open for further replies.
  1. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Hi All,

    Well, just thought I would report on my findings regarding the outbreak of Sober P (KAV) or Sober O by Symantec,

    I saw the alerts yesterday, and when I logged in this morning at 7am GMT I had one zipped file in my mail client, except the contents had been deleted by my AV.

    Apparently NOD32, Dr Web, VBA32 and AntiVir detected it by heuristics from the date of the outbreak.

    KAV got in with updates early afternoon on Monday, and by 10pm even AVG and avast and most of the others had scrambled to issue updates.

    I restored the PIF file from backup this morning (now 3rd May 7.30am GMT) and sent it to the Jotti scanner and the VirusTotal scanner, and was surprised to see that MKS, Fortinet and Ikarus are still not detecting this virus.

    Interesting stuff

    Jlo

    AntiVir Found Worm/Sober.P
    Avast Found Win32:Sober-N
    AVG Antivirus Found I-Worm/Sober.P
    BitDefender Found Win32.Sober.O@mm
    ClamAV Found Worm.Sober.P
    Dr.Web Found BACKDOOR.Trojan (probable variant)
    F-Prot Antivirus Found W32/Sober.O@mm
    Fortinet Found nothing
    Kaspersky Anti-Virus Found Email-Worm.Win32.Sober.p
    mks_vir Found nothing
    NOD32 Found Win32/Sober.O
    Norman Virus Control Found Sober.O@mm
    VBA32 Found Worm.Sober.2 (probable variant)
     
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Could it be possible to send me the sample of Sober via email? I'll give you my address via PM later :)
     
  3. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Hi Firecat,

    Cheers for your post. Please don't take it personally, but the only place I will submit virus files to is antivirus vendors.

    I guess you almost count with all the work you do with them though ;)

    Cheers

    Jlo
     
  4. mikesu

    mikesu Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    27
    Hello Jlo

    You must remember that the MKS staff works only Monday to Friday 8am-4pm. In Poland we have a national holiday - our constitution was written on 3 May 1971. So we have four free days!;)
    Why, I do not understand, do authors of viruses not also have a holiday? :rolleyes:

    Sorry... I checked the hours when the MKS support works, and they work between 8.00am and 8.00pm (from Monday to Friday).
     
    Last edited: May 3, 2005
  5. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Well, that probably explains it, but personally I want my AV vendor to be at least on guard 24 hours a day.

    I can fully accept that for low-risk stuff that is submitted one of course waits until people are back to work, but for a fast-spreading worm like Sober I would expect an update to be shipped by now.

    I logged on to my email at 7.30am GMT and had one of these critters arrive in my inbox. Thankfully KAV just deleted it.

    Cheers

    Jlo
     
  6. Happy Bytes

    Happy Bytes Guest

    Such an answer is absolutely not acceptable from an antivirus vendor... But that's for sure only my opinion... Other people get called in at midnight to provide at least basic information and detection to protect users.

    Frankly spoken, whoever works with this attitude in an antivirus company should consider joining the local hare breeders' association instead of making self-excuses.

    8^) HB.
     
  7. Honyak

    Honyak Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    346
    Location:
    Deep South
    You are correct and I am an Arcavir/MKS user, but that is ending. There has been no response from Mariusz since April 18th. I do not know what is going on but it ain't good so I think it is time to switch to DrWeb.
    The Sober O worm is an outbreak, and they said there would be emergency updates for these outbreaks. BS!!!!!!!!!
     
  8. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    It was very funny to see all those AV experts jump up and running out with their cell phones yesterday evening at the EICAR gala dinner. The Trend Micro guy phoned around until his phone battery ran out of power. ;)

    I took IDA and analysed it a bit in detail during the conference today, not very interesting. Strange though, that no AV description contains details such as the trigger date (27.4.2005) and the day-delay checks (6 days for email sending, 12 for updating).
     
  9. Happy Bytes

    Happy Bytes Guest

    Not only this, it also has its own timer interrupt for checking the presence of its own registry keys, and uses an exclusive lock to protect all (malicious) files from scanning once the worm runs active in memory. ;)

    And btw... the trigger date is 28th :D
     
  10. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    .text:00417219 mov [ebp+var_linenumber], 2Dh
    .text:00417220 push 1Bh ; 27.4.2005
    .text:00417222 push 4
    .text:00417224 push 7D5h
    .text:00417229 lea eax, [ebp+var_70]
    .text:0041722C push eax
    .text:0041722D call rtcPackDate

    Mail delay check:

    .text:0040DA13 mov [ebp+var_linenumber], 1Dh
    .text:0040DA1A cmp global_day_difference, 5
    .text:0040DA21 jnz short loc_40DA8D
    .text:0040DA23 mov [ebp+var_linenumber], 1Eh
    .text:0040DA2A mov dword ptr [ebp+var_50+4], offset dbl_42B044
    .text:0040DA31 mov [ebp+var_54], 4007h
    .text:0040DA38 lea eax, [ebp+var_54]
    .text:0040DA3B push eax
    .text:0040DA3C lea eax, [ebp+var_34]
    .text:0040DA3F push eax
    .text:0040DA40 call rtcGetHourOfDay
    .text:0040DA45 mov [ebp+var_5C], 10h
    .text:0040DA4C mov [ebp+var_64], 8002h
    .text:0040DA53 lea eax, [ebp+var_34]
    .text:0040DA56 push eax
    .text:0040DA57 lea eax, [ebp+var_64]
    .text:0040DA5A push eax
    .text:0040DA5B call __vbaVarTstLt

    5 days, on 5th day only after 16:00 o'clock.

    Updating check:

    .text:0040D9C0 mov [ebp+var_linenumber], 16h
    .text:0040D9C7 cmp global_day_difference, 0Ch
    .text:0040D9CE jle short loc_40D9DC
    .text:0040D9D0 mov [ebp+var_linenumber], 17h
    .text:0040D9D7 call vir_UrlUpdater
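The date gates in the listing above, reconstructed as an added Python model (not code from the thread or from the sample itself): it assumes global_day_difference is the whole-day distance from the rtcPackDate result to the local clock, and it lets an analyst pick the clock values that exercise each branch in an isolated sandbox.

```python
from datetime import date, datetime, time, timedelta

# Constants read straight off the listing.
TRIGGER_DATE = date(2005, 4, 27)   # rtcPackDate(day=1Bh, month=4, year=7D5h)
MAIL_DELAY_DAYS = 5                # cmp global_day_difference, 5 ; jnz -> skip
MAIL_EARLIEST_HOUR = 0x10          # __vbaVarTstLt(hour, 10h): run only when hour is not < 16
UPDATE_DELAY_DAYS = 0x0C           # cmp global_day_difference, 0Ch ; jle -> skip


def at(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Constructed clock value for trying the gates against a chosen system time."""
    return datetime(year, month, day, hour, minute)


def day_difference(now: datetime, trigger: date = TRIGGER_DATE) -> int:
    """Whole days from the trigger date to `now`.

    Assumption: global_day_difference in the listing holds exactly this value;
    the listing shows only the comparisons, not how the global is filled in.
    """
    return (now.date() - trigger).days


def mail_branch_taken(now: datetime) -> bool:
    """Mirror of the mail delay check: the day difference must equal 5 and
    the hour of day must not be less than 16 (the VarTstLt result is negated)."""
    if day_difference(now) != MAIL_DELAY_DAYS:
        return False                      # jnz short loc_40DA8D
    return not (now.hour < MAIL_EARLIEST_HOUR)


def update_branch_taken(now: datetime) -> bool:
    """Mirror of the updating check: jle skips vir_UrlUpdater for a difference
    of 12 or fewer days, so the call happens only at 13 days or more."""
    return day_difference(now) > UPDATE_DELAY_DAYS


def sandbox_clock_settings(trigger: date = TRIGGER_DATE) -> dict:
    """Earliest clock values that satisfy each gate, for an isolated detonation."""
    return {
        "mail": datetime.combine(trigger + timedelta(days=MAIL_DELAY_DAYS),
                                 time(MAIL_EARLIEST_HOUR, 0)),
        "update": datetime.combine(trigger + timedelta(days=UPDATE_DELAY_DAYS + 1),
                                   time(0, 0)),
    }


if __name__ == "__main__":
    for label, clock in sandbox_clock_settings().items():
        print(label, clock, mail_branch_taken(clock), update_branch_taken(clock))
```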
     
  11. Happy Bytes

    Happy Bytes Guest

    :D :D :D Yes, 1Bh equ 27d ;)
    But still there is a "bigger than" with an ordinary JMP after the date-depending jumps out of this function ;)
     
  12. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    Remember there is MKS and Arcavir, one handled for the US and one for Poland.

    Most troublesome to me is that the US-Arcavir folks seem to have dropped off the planet, completely stopping support of their product. Emails are going unanswered, forum posts are all but ignored. I can speculate they just haven't sold enough to make the money to support their operation, they do almost no marketing, and their web presence at best is mediocre.

    It is nice to hear Dr.Web detected this outbreak without an update.
     
  13. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Well, ArcaBit support seems fine to me.....I guess I was right when I predicted I needed to move off ArcaVir...just a few days more and I'll be done.
     
  14. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Hooray!

    MKS/Arcavir now detect the Sober worm with today's update.

    Better late than never!

    Glad I use KAV and NOD32!

    Cheers

    Jlo
     
  15. Honyak

    Honyak Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    346
    Location:
    Deep South
    Credibility is seriously diminished for MKS/ArcaVir on the Sober worm issue. It will take some time to overcome this fiasco.
    Outbreaks like this need to be addressed ASAP. The other AV companies were not on holiday, or had someone getting out the update.
    As much as I like this AV, it has been uninstalled.
    What has happened to the good tech support?
     