Posted on 05/04/2005 5:16:08 PM PDT by Las Vegas Dave
Virus Name: W32/Sober.p@MM
Risk Assessment: Corporate User: Low-Profiled; Home User: Medium
Virus Information
Discovery Date: 05/02/2005
Origin: Unknown
Length: 53,727 bytes (zip); 53,554 bytes (executable)
Type: Virus
SubType: E-mail
Minimum DAT: 4443 (03/09/2005)
Updated DAT: 4482 (05/02/2005)
Minimum Engine: 4.3.20
Description Added: 05/02/2005
Description Modified: 05/02/2005 3:59 PM (PT)
Virus Characteristics: -- Update 2nd May 13:00 PST -- Due to increased prevalence, this threat has had its risk assessment raised to MEDIUM for Home Users.
If you think that you may be infected with Sober.p and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products are capable of detecting and removing the virus with the latest update (see the removal instructions below for more information).
Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.
This threat is proactively detected with the 4443 DAT files, or newer, as W32/Sober.gen@MM.
This threat arrives in an email message with one of the following attachment names:
account_info.zip
autoemail-text.zip
LOL.zip
Fifa_Info-Text.zip
mail_info.zip
okTicket-info.zip
our_secret.zip
_PassWort-Info.zip
Inside the ZIP archive is a file named winzipped-text_data.txt .pif
Like many Sober variants, this variant randomly uses one of several different email messages, in either English or German depending on the version of Windows. One such German message states that the recipient has won tickets to the World Cup:
Subject: WM-Ticket-Auslosung
Body: Herzlichen Glueckwunsch,
beim Run auf die begehrten Tickets für die 64 Spiele der Weltmeisterschaft 2006 in Deutschland sind Sie dabei.
Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.
Ihr "ok2006" Team St. Rainer Gellhaus
--- FIFA-Pressekontakt: --- Pressesprecher Jens Grittner und Gerd Graus --- FIFA Fussball-Weltmeisterschaft 2006 --- Organisationskomitee Deutschland --- Tel. 069 / 2006 - 2600 --- Jens.Grittner@ok2006.de --- Gerd.Graus@ok2006.de
An example of a randomly generated English message is as follows:
Subject: Your Password
Body: Account and Password Information are attached!
Visit: http://www. {sender's domain}
*** AntiVirus: No Virus found *** "{recipient's domain} " Anti-Virus *** http://www. {recipient's domain}
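The advisory above gives three things a mail gateway or incident responder can key on: the fixed list of ZIP attachment names, the inner file name that ends in an executable extension hidden behind whitespace (winzipped-text_data.txt .pif), and the fact that the From address is forged and therefore does not identify the infected machine. The following script is an added example (not McAfee's code and not part of the original post) that parses a message, applies those checks and returns findings. The sample message is constructed inline and its ZIP member is plain text, not the real payload; the attachment-name list and the double-extension pattern are taken from the advisory, the other executable extensions are an assumption added for generality.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment names listed in the advisory for W32/Sober.p@MM (compared case-insensitively).
SOBER_P_ATTACHMENTS = {
    "account_info.zip", "autoemail-text.zip", "lol.zip", "fifa_info-text.zip",
    "mail_info.zip", "okticket-info.zip", "our_secret.zip", "_passwort-info.zip",
}

# Assumption: extensions Windows will run directly. A "text" name that really ends in one of
# these, possibly after padding whitespace, is the trick the advisory describes (.txt .pif).
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}

# "name.txt .pif" or "name.txt<many spaces>.pif": a harmless-looking extension, whitespace,
# then the real executable extension at the end of the member name.
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{1,4}\s+\.(pif|exe|scr|com|bat|cmd)$", re.I)


def classify_inner_name(name):
    """Return a reason string if a ZIP member name looks like a disguised executable, else None."""
    stripped = name.strip()
    if DOUBLE_EXT_RE.search(stripped):
        return "whitespace-padded double extension"
    lower = stripped.lower()
    ext = lower[lower.rfind("."):] if "." in lower else ""
    if ext in EXECUTABLE_EXTS:
        return f"executable member ({ext})"
    return None


def scan_message(raw_bytes):
    """Parse an RFC 822 message and return a list of human-readable findings.

    The From header is deliberately not used as evidence: the advisory notes the worm forges it,
    so the sender address says nothing about which host is actually infected.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if fname.lower() in SOBER_P_ATTACHMENTS:
            findings.append(f"attachment name matches Sober.p list: {fname}")
        if fname.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        reason = classify_inner_name(member)
                        if reason:
                            findings.append(f"{fname} contains {member!r}: {reason}")
            except zipfile.BadZipFile:
                findings.append(f"{fname} is not a valid ZIP archive")
    return findings


def build_sample_message():
    """Constructed sample shaped like the English lure in the advisory; the ZIP member is plain text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("winzipped-text_data.txt                        .pif", "placeholder, not a program")
    msg = EmailMessage()
    msg["From"] = "someone@example.test"   # forged in the real thing; not the infected host
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Your Password"
    msg.set_content("Account and Password Information are attached!")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="account_info.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in scan_message(build_sample_message()):
        print(line)
```

Run against a saved .eml by passing its bytes to scan_message(); a non-empty result is a reason to quarantine the message and look for the inner file name on the recipient's host, not to alert the address in the From header.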
My "hunch" is that China is up to no good. Maybe, just maybe, they are using information warfare tactics. No way, the Clintons and Kerry and all their hangers-on said it can not be so! Just a hunch that China's behind some bad stuff. We should say... "That wasn't nice" ... Now, let's see, are there any snakes we can train to take them on also? They mess with the bull, they get the horns. Bulls don't like Red.
Check out these links when you have some spare time:
http://www.sinodefence.com/c4i/default.asp
http://www.sinodefence.com/c4i/ew/ew.asp
http://users.bigpond.net.au/pongrass/security/security.htm (SMH, 8/18/2001)
http://www.specialoperations.com/Foreign/China/IW.htm
http://www.ceip.org/programs/info/infowar.htm
http://www.sans.org/rr/whitepapers/warfare/896.php
http://www.global-defence.com/2000/pages/china.html
http://www.fas.org/irp/world/china/docs/iw_mg_wang.htm
http://www.taipeitimes.com/News/front/archives/2003/09/04/2003066387
http://www.gyre.org/news/related/Information+Warfare/China
http://www.rand.org/publications/CF/CF145/CF145.chap9.pdf
http://www.strategypage.com/fyeo/howtomakewar/default.asp?target=HTIW.HTM
http://www.herolibrary.org/p113.htm (Chinese, sic)
http://www.iwar.org.uk/iwar/resources/news/china-io-2003.htm
http://www.iwar.org.uk/iwar/resources/china/iw/chininfo.pdf
http://www.infowar-monitor.net/
http://www.carlisle.army.mil/ssi/pubs/display.cfm/hurl/PubID=62
http://www.fas.org/news/taiwan/1999/cn-08-17-99-11.htm (1999)
http://www.taiwansecurity.org/AP/2002/AP-072902.htm (AP 2002)
http://www.au.af.mil/au/awc/awcgate/ndu/chinview/chinacont.html
http://www.au.af.mil/au/awc/awcgate/awc-info.htm
http://library.nps.navy.mil/home/bibs/IWbooks.htm (IW resources)
Ref:
http://www.theatlantic.com/doc/prem/200506/kaplan (Atlantic - Kaplan - 05 - sic)
http://www.voanews.com/english/2005-03-23-voa76.cfm (VOA March 23, 2005)
http://www.jamestown.org/publications_details.php?volume_id=408&issue_id=3232&article_id=2369263 (Jamestown February 15, 2005)
http://www.csis.org/burke/hd/#reports (CSIS resources)
http://fmso.leavenworth.army.mil/FMSOPUBS/ISSUES/china-internet.htm
http://www.sans.org/rr/whitepapers/warfare/ (SANS)
http://www.fofg.org/news/news_story.php?doc_id=782 (May 13, 2004)
http://armedservices.house.gov/issues/opeds/03-09-12tcs-china.html (HASC, 9/12/03)
http://www.space.com/news/china_dod_030801.html (August 1, 2003 Space)
http://www.defenselink.mil/pubs/20030730chinaex.pdf (annual PRC report July 2003)
http://www.military-information-technology.com/article.cfm?DocID=51 (November 15, 2002)
http://www.cia.gov/nic/speeches_telecommunications.html (CIA Gannon - April 2001)
http://www.spacedaily.com/news/china-01c.html (Space Daily Jan 2000)
http://www.heritage.org/Research/AsiaandthePacific/BG1340.cfm (Heritage - Wortzel - December 2, 1999)
http://www.ndu.edu/inss/siws/ch1.html (William Fast)
http://www.aracnet.com/~kea/Papers/threat_white_paper.shtml (Kent Anderson, 1998)
http://www.securityfocus.com/library?cat=132&offset=70 (Inf. Ops /IW 1996)
Yes, they will actually execute in the preview pane of most versions of Outlook or Outlook Express unless you tell the program not to allow it - or turn the preview pane off.
Those are special cases. I recommend Sophos for those installations. This isn't the first time Trend has screwed up and killed machines with an update...
(kicks back and checks the status on his Cisco Pix firewall)
I have never caught a virus from any email attachment and I always use the preview pane. I wonder if I have something set to not allow it? I don't recall ever being prompted to allow a program to execute. I keep my virus sw up to date on my laptop but have an old desktop that runs without any virus protection. Guess I'm lucky.
When I first entered the Army in '75, I elected Mandarin Chinese as my foreign language of choice figuring I was going to need it eventually. Looking back thirty years later, not a single thing has happened to make me change my mind.
If my instincts in real estate and the stock market had been 1/10th as good, this message would have been typed by my personal Freeping assistant.
That shouldn't be necessary. If they are going to take the time to scan mime for zip files and/or executables, why not scan for viruses and pass uninfected items along.
This issue is another one of those things that makes defects in MSWindows platform affect everyone else adversely.
Didn't mean to imply that you were. Sorry if it came off that way. I was making more of a general statement than one directed directly at you. I should have clarified that.
Check out LinuxISO.org. They have links to many of the major distributions. If you need more information or general assistance with the migration, FreepMail me.
You're one of the first mac people I've come across on this forum (or many other forums) that has said essentially "who cares what OS you use, as long as it does what you need it to do."
Wow. I believe you, but something sounds out of place.
I have had experience w/Trend for years, as do many of the $95-$125/hr type IT guys that set up networks w/Trend and they have never reported any incidents to me. I'll ask around, but so far, no bad news.
Interesting, I will be on the Red Alert for ANY problems w/Trend and I'll try to post any anomalies in all honesty and objectivity.
Don't sell yourself short. You had the vision and foresight to opt for Mandarin in the 70s, now apply that skill set to the market!
Make a million $. Do it for the Gipper!
Yes, the ChiComs are being naughty, the rascals.
Well, in the interest of full disclosure... I *was* a mac head. Now I'm pretty much immersed in Winders Server and XP. But... we do support lots of mac users around the company. I've only dabbled around with OS X. It's pretty, but I haven't owned one since system 7 (which *rocked* by the way). :-)
We also have a little linux, even some Sun and SGI gurgling along around here somewhere. And... I kid you not... I've got one remaining Alpha running VMS. Just can't get the damn thing to die, but I'm trying.
Bump for tomorrow.
Yep, and config.sys as well. Still remember that feeling of triumph getting vdisk to run properly the first time...
Used to have DR-DOS around here somewhere... Jameco was giving away the discs with some hardware I bought years ago. Still have Windows 3.1 (not 3.11) on the original IBM discs, in my "box of OS's for weird & obsolete iron." Salvaged them from a dumpster behind an office that was tossing out old stuff.