Virus alert!-I-Worm.Sober.i

Discussion in 'malware problems & news' started by ronjor, Nov 19, 2004.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    Secunia
     
  2. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Symantec: W32.Sober.I@mm

    Category: 3 {which caused a liveupdate early this morning, by my Pacific Standard Time}.

    W32.Sober.I@mm is a mass-mailing worm that uses its own SMTP engine to spread by sending itself as an email attachment to addresses gathered from the infected computer.

    The subject of the email varies and will be in either English or German. The email sender address is spoofed.

    The name of the email attachment varies, and it will have a .bat, .com, .pif, .scr, or .zip file extension. The attachment may also have a double extension.

    This threat is written in the Microsoft Visual Basic programming language and is compressed with UPX.

    Note: Live Update definitions with sequence number 38560 or greater will detect this threat.

    Also Known As: WORM_SOBER.I [Trend], W32/Sober-I [Sophos], W32/Sober.j@MM [McAfee], Sobor.I [Panda]
    Type: Worm
    Infection Length: 56808 bytes
    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

    Technical Details: http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.i@mm.html#technicaldetails
     
  3. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Last edited: Nov 19, 2004
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    Last edited: Nov 19, 2004
  5. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Trend Micro Medium Risk Virus Alert - WORM_SOBER.I

    Dear Trend Micro customer,

    As of November 19, 2004 (GMT -8:00 Pacific Standard Time), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_SOBER.I. TrendLabs has received numerous infection reports indicating that this malware is spreading in France, Germany, and Australia.

    This mass-mailing worm arrives on a system as an email message that has German content. It propagates by sending copies of itself to certain email addresses, which it gathers from files on the system with specific extension names. However, it also avoids sending email messages to certain email addresses with certain strings. It also drops several files in the Windows system folder and creates registry entries to enable itself to run automatically at every system startup.


    TrendLabs will be releasing the following EPS deliverables:

    TMCM Outbreak Prevention Policy 134
    Official Pattern Release 2.255.00
    Damage Cleanup Template 457

    For more information on WORM_SOBER.I, you can visit our Web site at:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBER.I
     
  6. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Panda Software reports the appearance of Sober.I

    - Panda Software reports the appearance of Sober.I -
    Virus Alerts, by Panda Software (http://www.pandasoftware.com)

    MADRID, November 19, 2004 - PandaLabs has detected the appearance of a new worm called Sober.I. This malicious code is designed to spread rapidly via email in a message that can be written in English or German. According to data gathered by Panda Software's international tech support network, Sober.I is starting to spread across German-speaking countries, such as Germany and Austria, causing incidents in users' computers.

    The messages carrying Sober.I have extremely variable characteristics, as the subject, message body and name of the attachment are all selected at random. If the user runs the file containing Sober.I, it creates a large number of files on the computer, such as clsobern.isc and nonzipsr.noz, which are copies of the worm, or logsys.exe and syssmss32.exe, which are files used by the worm to carry out its actions.

    When it has been run, Sober.I looks for email addresses on the affected computer, which it then sends itself out to using its own SMTP engine. If the domain of the email address belongs to Switzerland (.ch), Germany (.de), Austria (.at) or Liechtenstein (.li), the worm inserts German texts in the email message. If the domain is any other than those mentioned above the email will be sent in English.

    Finally, Sober.I inserts several entries in the Windows Registry in order to ensure that it is run whenever the computer is started.

    Due to the high possibility of being infected by Sober.I, Panda Software advises users to take precautions and update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code.

    In addition, users can scan their computers online for free with the Panda ActiveScan, available at http://www.pandasoftware.com/

    For further information about Sober.I visit Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/
     
  7. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Already had e-mail with this worm!
    Picked up by NAV and AVG.
    AVG showed a number of .tmp files with the virus, all different extensions and was not able to Heal, Move to vault, or Delete.
    Is this a function of running the two AVs in parallel?
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I've got them flooding in through my junk mail folder in Hotmail ;) :D
     
  9. Rita

    Rita Infrequent Poster

    Joined:
    Jun 28, 2004
    Posts:
    6,863
    Location:
    wilds of wv
    Warning! Worm.Win32.Sober.I!

    The latest version of the Sober worm is spreading fast. As with its predecessors, Sober.I spreads by email attachments. The email text suggests that it is an error message from the mailserver and the undelivery report is attached.

    Current email clients like Outlook or Outlook Express are able to block harmful file extensions like EXE, COM or SCR, but Sober.I sometimes comes packed in a ZIP file to bypass Outlook security. The ZIP file itself is not harmful, but the content inside (an executable file with variable file name) contains the worm and must not be opened!

    A more detailed description of the worm can be found at the a² Malware Database:
    http://www.emsisoft.com/en/malware/?Worm.Win32.Sober.I
     
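The Symantec advisory earlier in the thread lists the carrier extensions (.bat, .com, .pif, .scr, .zip) and the double-extension trick, and the a² alert just above notes that a ZIP wrapper gets the executable past Outlook's attachment blocking. The following Python script is an added example written for this thread, not code from any of the vendors quoted here: it parses a message with the standard library `email` module, flags attachments whose final extension is executable, flags double extensions, and lists executable members inside ZIP attachments without extracting them. The bounce-style sample message, the filenames and the `MZ placeholder` bytes are all constructed for the demonstration and do not correspond to a real Sober.I capture.

```python
"""Mail attachment triage for the traits the Sober.I advisories describe.

Added example for this thread (not vendor code). The sample message below is
constructed for illustration only.
"""
from __future__ import annotations

import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Carrier extensions named in the Symantec advisory, plus .exe from the a² alert.
EXEC_EXTENSIONS = {"bat", "com", "pif", "scr", "exe"}


def _extensions(name: str) -> list[str]:
    """All lower-cased extension parts of a filename: 'report.txt.pif' -> ['txt', 'pif']."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return parts[1:] if len(parts) > 1 else []


def assess_filename(name: str) -> list[str]:
    """Findings for one attachment or archive member name; empty list means nothing suspicious."""
    exts = _extensions(name)
    findings: list[str] = []
    if exts and exts[-1] in EXEC_EXTENSIONS:
        findings.append(f"executable extension .{exts[-1]}")
        if len(exts) > 1:
            # e.g. details.txt.scr: a harmless-looking name hiding an executable type
            findings.append(f"double extension {'.'.join(exts)}")
    return findings


def assess_zip(data: bytes) -> list[str]:
    """Inspect ZIP member names only; nothing is extracted or executed."""
    findings: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                for finding in assess_filename(member):
                    findings.append(f"zip member {member}: {finding}")
    except zipfile.BadZipFile:
        findings.append("attachment claims to be ZIP but is not a valid archive")
    return findings


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment filename in a raw RFC 822 message to its findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    report: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings = assess_filename(name)
        payload = part.get_payload(decode=True) or b""
        # Look inside anything that is named .zip or starts with the ZIP local-header magic.
        if _extensions(name)[-1:] == ["zip"] or payload.startswith(b"PK\x03\x04"):
            findings += assess_zip(payload)
        report[name] = findings
    return report


def build_sample_message() -> bytes:
    """Constructed bounce-style lure: a ZIP holding a .pif plus a double-extension .scr."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("mail_delivery_failure.pif", b"MZ placeholder, not real code")
    msg = EmailMessage()
    msg["From"] = "postmaster@example.invalid"   # spoofed-sender style, constructed
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Mail delivery failed"
    msg.set_content("Your message could not be delivered. See attached report.")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename="report.zip")
    msg.add_attachment(b"MZ placeholder", maintype="application", subtype="octet-stream",
                       filename="details.txt.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, findings in triage_message(build_sample_message()).items():
        print(attachment, "->", findings or ["clean"])
```

Running the script prints one line per attachment; a mail gateway or a mailbox sweep would drop or quarantine any message with a non-empty findings list rather than rely on the client's extension blocking, which the ZIP wrapper sidesteps.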
  10. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I've been receiving lots and tons of JUNK e-mail containing attachments. I reported all the junk e-mail and deleted them immediately.
     