Free Republic
New VIRUS threat Sober.p (4% of emails contain .zip files-DO NOT OPEN!)
Source: http://vil.nai.com/vil/content/v_133409.htm | May 4 2005 | Self

Posted on 05/04/2005 5:16:08 PM PDT by Las Vegas Dave

Virus Name: W32/Sober.p@MM
Risk Assessment: Corporate User: Low-Profiled; Home User: Medium

Virus Information
Discovery Date: 05/02/2005
Origin: Unknown
Length: 53,727 bytes (zip); 53,554 bytes (executable)
Type: Virus
SubType: E-mail
Minimum DAT: 4443 (03/09/2005)
Updated DAT: 4482 (05/02/2005)
Minimum Engine: 4.3.20
Description Added: 05/02/2005
Description Modified: 05/02/2005 3:59 PM (PT)

Virus Characteristics

-- Update 2nd May 13:00 PST --
Due to increased prevalence, this threat has had its risk assessment raised to MEDIUM for Home Users.

If you think that you may be infected with Sober.p, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products are capable of detecting and removing the virus with the latest update (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

This threat is proactively detected with the 4443 DAT files, or newer, as W32/Sober.gen@MM.

This threat arrives in an email message with one of the following attachment names:

account_info.zip
autoemail-text.zip
LOL.zip
Fifa_Info-Text.zip
mail_info.zip
okTicket-info.zip
our_secret.zip
_PassWort-Info.zip

Inside the ZIP archive is a file named "winzipped-text_data.txt .pif" (the real extension is .pif, a Windows executable; the ".txt" and the space padding before ".pif" make it look like a text file).

Like many Sober variants, this variant uses several different email messages chosen at random, in either English or German depending on the language of the Windows installation. One such German message states that the recipient has won tickets to the World Cup (translated here; the original is in German):

Subject: WM-Ticket-Auslosung (World Cup ticket draw)
Body:
Congratulations,

in the rush for the coveted tickets to the 64 matches of the 2006 World Cup in Germany, you are in.

Please see the attachment for further details of your data.

Your "ok2006" Team
St. Rainer Gellhaus

--- FIFA press contact: ---
Press spokesmen Jens Grittner and Gerd Graus
--- FIFA Football World Cup 2006 ---
--- Organising Committee Germany ---
--- Tel. 069 / 2006 - 2600 ---
--- Jens.Grittner@ok2006.de ---
--- Gerd.Graus@ok2006.de ---

An example of a randomly generated English message is as follows:

Subject: Your Password
Body:
Account and Password Information are attached!

Visit: http://www. {sender's domain}

*** AntiVirus: No Virus found ***
"{recipient's domain}" Anti-Virus
*** http://www. {recipient's domain}
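As an added example (not part of the McAfee write-up or of the post), here is a defender-side check in Python for mail of the kind described above: a ZIP attachment, named like the ones in the list, whose entry is a Windows executable (.pif) hidden behind a space-padded ".txt" name. The sample message is constructed inline with a harmless text payload; the sender, recipient and file contents are made up for the example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment names the advisory lists for Sober.p (taken from the page).
SOBER_P_ZIP_NAMES = {"account_info.zip", "autoemail-text.zip", "LOL.zip",
                     "Fifa_Info-Text.zip", "mail_info.zip", "okTicket-info.zip",
                     "our_secret.zip", "_PassWort-Info.zip"}
# Windows executable extensions; .pif is the one Sober.p hides inside its ZIP.
EXEC_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}

def risky_member_name(name):
    """True if a ZIP entry's real extension is executable once the space padding is stripped."""
    last = name.rsplit("/", 1)[-1].strip().lower()
    return "." in last and "." + last.rsplit(".", 1)[-1] in EXEC_EXTS

def scan_message(raw):
    """Return (attachment name, reason) findings; only the ZIP directory is read, nothing is extracted."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            findings.append((fname, "attachment is not a valid ZIP archive"))
            continue
        for m in members:
            if risky_member_name(m):
                why = "executable inside ZIP: %r" % m
                if fname in SOBER_P_ZIP_NAMES:
                    why += " (attachment name is on the Sober.p list)"
                findings.append((fname, why))
    return findings

def build_sample():
    """Constructed test message: a ZIP from the advisory's name list holding a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("winzipped-text_data.txt          .pif", "harmless constructed text")
    msg = EmailMessage()
    msg["Subject"] = "Your Password"
    msg.set_content("Account and Password Information are attached!")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="account_info.zip")
    return msg.as_bytes()
```

Running `scan_message(build_sample())` reports the attachment and the padded .pif entry without ever opening the archive's contents.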


TOPICS: Miscellaneous
KEYWORDS: exploit; getamac; internetexploiter; lookoutexpress; lowqualitycrap; microsoft; patch; securityflaw; trojan; virus; windows; worm
To: zeugma
You can't even send zip files to some people these days, because their copier environment is fragile (life in the Windows world). This can make it difficult to send things through email that need to be sent.

Just rename the extension to .txt and then back to .zip when the recipient receives it.

How hard can it be?

61 posted on 05/04/2005 7:29:42 PM PDT by VeniVidiVici (In God We Trust. All Others We Monitor.)
[ Post Reply | Private Reply | To 52 | View Replies]

To: Texas_Jarhead

AVG? Norton? Better than nothing. I laugh when people tell me they have a machine w/Norton and it is infected and Norton will not clean the virus and live update is broken. ha ha ! Yeah, AVG is the elite of the elite. hehehehe..

On a new machine that has not been infected w/viruses previously, with a fresh install of Windows, Trend '05 is hard to beat. Kaspersky is top notch. Sybari w/all the optional engines loaded (up to 9 or 10!) is jacked. MSFT bought Sybari, so we'll see where that goes. It was a great product.

As with everything, a strong personal and corporate/organizational security routine and preventive maintenance checks are key also. Short list: NO IM (opens up ports, typically port 80); NO P2P or file sharing; no Kazaa; NO downloading of ActiveX or Java etc., try not to download files unless absolutely necessary, scan all files before opening them; delete every single suspicious e-mail; do not open attachments unless they are from someone you are expecting a document from - and always scan the file first; if applicable for your organization, encrypt e-mails - have strong encryption sfw. etc.; have hardware and one software firewall in place (disable the Windows firewall if you have a third party FW running). NOTE: in my testing I have been able to run Trend w/FW enabled and Sygate 5.6 also >> yes, I try to make systems crash and push testing to the limit (no, it is not recommended for anyone to run 2 firewalls at once!). I have had problems w/Zone Alarm FW and AVG. One XP box went haywire and the FAQ, support from both parties, plus an exhaustive internet search did not fix the issue (uninstalling Zone Alarm completely, removing all registry keys & installing Sygate 5.5 (at that time) worked).

Avast (free) runs well w/Sygate; Norton Internet Security is too resource-intensive, has other issues etc (not good); Norton-infected machines need to be cleaned with multiple (Panda, Trend, etc) non-Norton products (and manual procedures). MS has the beta anti SW which runs resident, and "plays well" with every AV sfw I have tested so far. (spyware is a different, yet other threat scenario).

Trend Micro makes a great product for Microsoft Exchange server (and a counterpart for the WRKST level), and with a Barracuda (about $3,000) or WatchGuard box, configured properly in front of the Exchange Server, it's hard to beat.

sample AV reviews:

http://reviews.cnet.com/Security_utilities/4502-3681_7-0.html?orderby=-7eRating&pn=

http://reviews-zdnet.com.com/Antivirus/4502-3681_16-0.html?tag=dir.av

http://antivirus.about.com/cs/beforeyoubuy/tp/aatpavwin.htm

http://www.pcmag.com/category2/0,1738,4796,00.asp

http://wsj.consumersearch.com/computers/antivirus_software/reviews.html

Trend is excellent if installed on a 100% squeaky-clean machine and is also configured properly (many, many options that people do not pay attention to).

Good stuff.


62 posted on 05/04/2005 8:03:38 PM PDT by Bald Eagle777 (Property tax is eternal rent.)
[ Post Reply | Private Reply | To 34 | View Replies]

To: AFPhys

And for those that want to take the plunge into Linux but fear the CLI, there's Linspire, Linux with a very good GUI that closely resembles XP.

http://www.linspire.com/


63 posted on 05/04/2005 8:11:52 PM PDT by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 59 | View Replies]

To: Bald Eagle777

I agree, the MS anti-spyware app in beta is pretty good. I too am a big fan of TM products. I have deployed numerous C/S/M for SMB and they have all performed well.


64 posted on 05/04/2005 8:16:25 PM PDT by Texas_Jarhead (To hell with Mexico, its policies, and its leaders)
[ Post Reply | Private Reply | To 62 | View Replies]

To: Oystir

can anyone explain this to me... I received about 20 of these in the last 48 hours and I never, never get spam.

__________________________

Me too....what's going on? For the past 3 days I've gotten at least 10 of these files per day. Norton AV seems to get them all, and I delete them...

But it just seems to be much more prolific...


65 posted on 05/04/2005 8:19:23 PM PDT by Ethrane ("semper consolar")
[ Post Reply | Private Reply | To 23 | View Replies]

To: Las Vegas Dave
What they say in the article is not entirely correct. I got the "p" version of the SOBER virus the first day it was released and I didn't open any mail that day except from people I know and that contained no attachments.

I was surfing the net, going only to reasonably safe sites. Just as I entered a site for movie buffs, my McAfee firewall warned me that I was under a Trojan attack. I shut things down and scanned with McAfee, which located the W32\SOBER.p@MM file and deleted it. The various other files this virus creates were not on my disk and the background services it fires up were not running, so McAfee nipped it in the bud.

66 posted on 05/04/2005 8:20:21 PM PDT by rkhampton
[ Post Reply | Private Reply | To 1 | View Replies]

To: Billthedrill

I have a hard time coming up with a better, more appropriate, product than Trend Micro for the following software configuration:

-Microsoft Server 2003, Enterprise Edition
-Microsoft Exchange Server 2003, Enterprise Edition

Any IT guy recommending AVG for the above should be fired or demoted to mail clerk. I bet they would recommend a no-name router instead of Cisco.

'Betcha they see a Barracuda or WatchGuard box as being "unnecessary" also. Believe it or not, there are clowns out there that call XP Pro boxes "servers" too. Go figure.

Why run OC48, fiber, Cat7 or even Cat 6E when we can run token ring or BNC!

HaHaHaHaHaHaHaHa. Sometimes, the monkeys do in fact run the zoo


67 posted on 05/04/2005 8:25:59 PM PDT by Bald Eagle777 (Property tax is eternal rent.)
[ Post Reply | Private Reply | To 38 | View Replies]

To: reagan_fanatic

You've got us beat.

BTW, I say we all upgrade to the incomparable Commodore 64!

Faster I/Os, no?


68 posted on 05/04/2005 8:28:48 PM PDT by Bald Eagle777 (Property tax is eternal rent.)
[ Post Reply | Private Reply | To 58 | View Replies]

To: Las Vegas Dave

I NEVER open attachments, and I reply-email telling that to senders I know.


69 posted on 05/04/2005 8:32:11 PM PDT by Lancey Howard
[ Post Reply | Private Reply | To 1 | View Replies]

To: Las Vegas Dave

We got this one on a computer at work. I thought we were more protected than that.


70 posted on 05/04/2005 8:35:33 PM PDT by linn37 (Have you hugged your Phlebotomist today?)
[ Post Reply | Private Reply | To 1 | View Replies]

Comment #71 Removed by Moderator

To: Bald Eagle777
Sometimes, the monkeys do in fact run the zoo.

LOL! I'm home now, so I can type this safely. I did once have a boss ask me to explain why we needed the extra wires in our cables. I couldn't figure out what he was talking about until I realized that I was holding an RJ-45 network cable and he was holding a telephone cord...

72 posted on 05/04/2005 8:41:47 PM PDT by Billthedrill
[ Post Reply | Private Reply | To 67 | View Replies]

To: Texas_Jarhead

We all know about all the other crap that is out there, AdAware SE 1.5 (tweaked properly), Spy Bot 1.3, Pest Patrol (Rat Patrol?), Spysweeper, HJT 1.99 etc., but they all miss something in the wild, or something that another misses.

The Registry is another story, and that has to be cleaned, competently and professionally, by hand. Same drill with the system folder and what (and what not) to delete in the system32 folder.

Generally speaking, absent a strict preventative maintenance checklist that people adhere by, people are asking for trouble and invite viruses and spyware upon themselves. People open up e-mail attachments; go to diff. web sites; have IM installed and running; have P2P type stuff; zero patch management strategy; remote users; RATs; proper router configuration (if they have one) etc etc etc

There is zero substitute for years of front-line battle experience w/this crap.

What interests me is the advent of information warfare as part and parcel of special operations/PSYOP. Now THAT's a different ball game. For example, the ChiComs have an army of these guys. We all need to watch out for cyber attacks and cyber warfare of "unspecified" origin. We need to secure and lock down all unspecified aspects of our national infrastructure / grid. Make no mistake, ChiComs, terrorturds, criminals and others have motive to launch cyber attacks against CONUS. That's part of the broader UW/asymmetrical threat.


73 posted on 05/04/2005 8:46:20 PM PDT by Bald Eagle777 (Property tax is eternal rent.)
[ Post Reply | Private Reply | To 64 | View Replies]

To: Billthedrill

OK, where was the OTHER end of the RJ45 and the RJ11/12?

Did your boss also suffer "rectal cranial inversion" ?


74 posted on 05/04/2005 8:48:23 PM PDT by Bald Eagle777 (Property tax is eternal rent.)
[ Post Reply | Private Reply | To 72 | View Replies]

To: Las Vegas Dave

Got this in my e-mail today. Subject line was something about my mail being undeliverable.


75 posted on 05/04/2005 8:48:52 PM PDT by I'm ALL Right!
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bald Eagle777

Speaking of the ChiComs. Over the last year or so we have witnessed a massive increase in SMTP dictionary authentication attempts against managed servers. The connection attempts mostly originate from China followed by S. Korea. My guess is the S. Korea traffic represents the ChiComs simply using S. Korea as a proxy.


76 posted on 05/04/2005 8:56:48 PM PDT by Texas_Jarhead (To hell with Mexico, its policies, and its leaders)
[ Post Reply | Private Reply | To 73 | View Replies]
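An added example (not part of the post above) of how the SMTP dictionary attempts described there can be picked out of a mail server's authentication log. The log format and the sample lines are constructed for this example, not taken from any particular MTA; the signal used is the number of distinct logins one source fails against inside a short window, which separates a dictionary sweep from a user retyping a password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for the example (not any particular MTA's):
# <ISO timestamp> auth-fail src=<ip> user=<login>
LINE_RE = re.compile(r"^(\S+) auth-fail src=(\S+) user=(\S+)$")

# Constructed sample lines: one source hammering many logins in seconds,
# one user who simply mistyped a password twice (TEST-NET addresses).
SAMPLE_LOG = """\
2005-05-04T20:50:01 auth-fail src=203.0.113.7 user=admin
2005-05-04T20:50:02 auth-fail src=203.0.113.7 user=alice
2005-05-04T20:50:03 auth-fail src=203.0.113.7 user=bob
2005-05-04T20:50:04 auth-fail src=203.0.113.7 user=carol
2005-05-04T20:50:05 auth-fail src=203.0.113.7 user=dave
2005-05-04T20:50:06 auth-fail src=203.0.113.7 user=erin
2005-05-04T20:51:10 auth-fail src=198.51.100.9 user=frank
2005-05-04T20:51:30 auth-fail src=198.51.100.9 user=frank
"""

def parse(lines):
    """Yield (timestamp, src, user) for every failed-auth line; other lines are ignored."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def dictionary_sources(lines, window=timedelta(minutes=5), min_users=5):
    """Return {src: set of logins} for sources that failed against at least
    min_users distinct logins inside some sliding window of length `window`."""
    events = defaultdict(list)
    for ts, src, user in parse(lines):
        events[src].append((ts, user))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start, best = 0, set()
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window forward
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    for src, users in dictionary_sources(SAMPLE_LOG.splitlines()).items():
        print(src, "failed against", len(users), "distinct logins:", sorted(users))
```

Feeding the flagged sources into a firewall block list or rate limiter is the usual follow-up; the threshold and window should be tuned to the server's normal failure rate first.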

To: Texas_Jarhead

Trend rocks. If someone's AVG or Norton machine is infected, I hope that they are not "surprised."


77 posted on 05/04/2005 8:59:41 PM PDT by Bald Eagle777 (Property tax is eternal rent.)
[ Post Reply | Private Reply | To 64 | View Replies]

To: VeniVidiVici
Another way to open blocked attachments is to go here: Outlook Attachment Utility

It's a neat little utility that you can use to open attachments if you have Outlook 2002 or 2003. If you have Outlook 2002, the easiest way is to hit the "forward" button, and that will allow you access to the attachment.

Of course, if you use either of these methods, you have to know how to detect virus-laden emails by looking at them. I correspond with over 200 computer newbies monthly who send me attachments (mostly word or Excel files).

I was one of the lucky ones to receive sober.p before Norton had sent out the update, but those virus emails all have such a common look about them, that it's not usually that difficult to spot them.

I've been online since 1988 and have never been infected (knock on wood) :-)

78 posted on 05/04/2005 9:02:28 PM PDT by Aunt Polgara
[ Post Reply | Private Reply | To 61 | View Replies]

Comment #79 Removed by Moderator

To: Las Vegas Dave

I have disabled MS OUTLOOK and OUTLOOK EXPRESS, along with disabling several other things. I use only web-based email right now.


80 posted on 05/04/2005 9:03:51 PM PDT by chariotdriver (OS2 was THE BEST)
[ Post Reply | Private Reply | To 1 | View Replies]
