
US-CERT


W32/Sober Revisited
added November 22, 2005 | updated November 22, 2005

US-CERT is aware of several new variants of the W32/Sober virus that propagate via email. As with many viruses, these variants rely on social engineering to propagate. Specifically, the user must click on a link or open an attached file.

A recent variant sends messages that appear to be from the CIA or FBI, while a German version appears to be coming from the Bundeskriminalamt (BKA), the German Federal police service. US-CERT encourages users to review the appropriate alert below:

These new variants of the W32/Sober virus identified above share common characteristics listed below. Once infected, the malicious code may:

Although each variant has different functionality, the list below contains a subset of the common characteristics found in previous variants. Once a system is infected, the malicious code may:

US-CERT strongly encourages users to install anti-virus software, and keep its virus signature files up-to-date.

Additionally, US-CERT strongly encourages users not to follow unknown links, even if sent by a known and trusted source. You may also wish to visit the US-CERT Computer Virus Resources.

___________________________________________________________

SANS

More Sober Variants (NEW)

Published: 2005-11-22,
Last Updated: 2005-11-22 23:33:21 UTC by Johannes Ullrich (Version: 1)

We continue to receive reports about new Sober variants. Thanks to Chris M. for supplying a very comprehensive list of links (see below). The CME system assigned these variants the ID CME-681.

IMPORTANT: Antivirus software does not provide any reliable protection against current threats. Viruses like Sober tend to change every few hours well in advance of AV signature updates. The fact that an attachment did not get marked is no indication that it is harmless. We do receive reports of up to date versions of AV software missing some of the recent Sober variants.

Sober is now considered the "largest virus outbreak of the year" according to F-Secure (thanks Matthias J. for pointing this out). It looks like the fake FBI e-mails are working for them.

Note from reader Marc R: Please do not have your AV software reply to viruses. All commonly seen viruses use fake 'From:' headers. Rumor has it that fbi.gov is having a hard time keeping up with all the bounces in the first place.

One note of interest: We had another Sober outbreak last year in June, around the same time we had the "Download.ject". Download.Ject (aka Berbew) used an Internet Explorer 0-day exploit to download and install a trojan. A number of well known, trusted web sites had been compromised and spread the trojan.

None of these does anything new or fancy. They all try to trick users into executing the attached ZIP file. The best defense at this point is probably to strip ZIP file attachments.

The subjects and the body text vary widely. Many of them suggest that the attachment was sent by some government authority (FBI, CIA) and request that you open it in order to verify some charges brought against you. A version in German refers to the 'BKA' (German equivalent of the FBI). Other versions claim to be sent by banks and ask you to open an attachment to verify account details.

List of Links:

Symantec (Level 3 risk) W32.Sober.X@mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.x@mm.html

McAfee (currently Low risk) W32/Sober@MM!M681
http://vil.nai.com/vil/content/v_137072.htm

Trend Micro (Medium risk) WORM_SOBER.AG
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EAG

F-Secure (Radar Level 2) Sober.Y
http://www.f-secure.com/v-descs/sober_y.shtml

Sophos (low risk) W32/Sober-{X, Z}
http://www.sophos.com/virusinfo/analyses/w32soberx.html
http://www.sophos.com/virusinfo/analyses/w32soberz.html

Computer Associates (Medium risk) Win32.Sober.W
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=49473

Panda Antivirus (Medium risk) Sober.Y
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=92673&sind=0


1 posted on 11/22/2005 5:33:43 PM PST by Eagle9
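The SANS note above says the practical defense is to strip ZIP attachments, and reader Marc R. adds that bouncing a reply to the forged From: address only floods an innocent domain. The following is an added example, written for this page and not taken from SANS, US-CERT or any poster in the thread: a small Python mail-gateway check that opens each ZIP attachment, looks for members with an executable extension, and quarantines the message silently instead of replying to the sender. The sample messages are constructed inline (addresses use the reserved .invalid domain and the "executable" inside the archive is placeholder text), and the list of executable extensions is an assumption, not something the advisory specifies.

```python
# Added example (not from the SANS / US-CERT text or the thread): a small
# mail-gateway check that quarantines ZIP attachments carrying executables.
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: a deny list of extensions Windows runs on double-click.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def zip_member_names(data: bytes):
    """Member names of a ZIP payload, or None if the bytes are not a parseable ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def executable_members(names):
    """Subset of archive member names that end in an executable extension."""
    return [n for n in names if n.lower().endswith(EXECUTABLE_EXTENSIONS)]


def scan_message(raw: bytes) -> dict:
    """Classify one inbound message: {'action': 'deliver'|'quarantine', 'reasons': [...]}.

    The decision rests on attachment structure (a ZIP holding a file that would
    execute), not on an AV signature, so a variant the AV has not seen yet is
    still held. Nothing is sent back to the From: address: the sender is forged
    on these worms, so a bounce would only land in an innocent mailbox.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        looks_like_zip = (
            filename.endswith(".zip")
            or part.get_content_type() in ("application/zip", "application/x-zip-compressed")
            or payload.startswith(b"PK\x03\x04")  # ZIP local file header magic
        )
        if looks_like_zip:
            names = zip_member_names(payload)
            if names is None:
                reasons.append(f"{filename!r} is labelled ZIP but does not parse as one")
                continue
            hits = executable_members(names)
            if hits:
                reasons.append(f"ZIP {filename!r} contains executable member(s): {hits}")
        elif filename.endswith(EXECUTABLE_EXTENSIONS):
            reasons.append(f"bare executable attachment {filename!r}")
    return {"action": "quarantine" if reasons else "deliver", "reasons": reasons}


def _message_with_zip(subject: str, member_name: str) -> bytes:
    """Build a constructed sample message whose ZIP holds one plain-text member.

    The member is placeholder text, not a program; only its name matters here.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "placeholder text, not a program")
    msg = EmailMessage()
    msg["From"] = "admin@example.invalid"  # constructed; real lures forge this header
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please open the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="attachment.zip")
    return bytes(msg)


def sample_lure() -> bytes:
    """Shape of the lure the thread describes: a ZIP wrapping an .exe (constructed)."""
    return _message_with_zip("Your IP has been logged", "questions.exe")


def sample_clean() -> bytes:
    """A ZIP of plain documents, which should pass (constructed)."""
    return _message_with_zip("Q4 figures", "figures.txt")


if __name__ == "__main__":
    for label, raw in (("lure", sample_lure()), ("clean", sample_clean())):
        verdict = scan_message(raw)
        print(label, verdict["action"], *verdict["reasons"], sep="\n  ")
```

The check deliberately treats an unparseable "ZIP" as suspicious rather than letting it through, since a gateway that waves through anything it cannot open is easy to route around. A real deployment would log the verdict and the message ID for the responder and hold the message in a quarantine folder; it would not generate a non-delivery report.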


To: Eagle9

Imagine getting a message in your email that says, "I'm from the government and I'm here to help you."

How gullible do you have to be?


2 posted on 11/22/2005 5:35:18 PM PST by coconutt2000 (NO MORE PEACE FOR OIL!!! DOWN WITH TYRANTS, TERRORISTS, AND TIMIDCRATS!!!! (3-T's For World Peace))

To: Eagle9

Caught 335 of these coming into our system in the last 12 hours (and counting!)


4 posted on 11/22/2005 5:38:45 PM PST by Northern Alliance

To: Eagle9

I got 4 or 5 emails today with Sober.x attachments. They must be coming from either a customer or a supplier to our company. (The spoofed addresses are from other companies in our industry.) I've been getting the "Here's your password and username" versions of the worm.


5 posted on 11/22/2005 5:39:50 PM PST by Redcloak (We'll raise up our glasses against evil forces singin' "whiskey for my men and beer for my horses!")

To: Eagle9

I got one from admin@fbi.gov yesterday, saying that "We have logged your IP-address on more than 30 illegal Websites." Oddly, I scanned the attachment for viruses but it came up negative. If it was Sober, it must have been different enough from older versions to fool Norton AV.

I deleted the message in any case without opening the attachment, which I would do with any suspicious attachment.


8 posted on 11/22/2005 5:43:27 PM PST by Cicero (Marcus Tullius)

To: Eagle9

I just now got one of these while checking my mail. The subject was "Your IP has been logged" from cia.gov - glad I didn't open it.


9 posted on 11/22/2005 5:43:55 PM PST by TightyRighty

To: Eagle9
"'We have logged your IP-address on more than 30 illegal Websites,' and demand that the user open the attached .zip file, which supposedly contains questions to answer."

I am a federal employee and when I got to work this morning, I checked my work email and sure enough, that is exactly the message I got. It had a zip file - but I knew better than to open it - since the message was not addressed to me, specifically. I was worried, too cuz I had logged onto this freerepublic! LOL..... Now I can be at ease.

11 posted on 11/22/2005 5:50:07 PM PST by texianyankee

To: Eagle9

This one seems to be spreading fast. This afternoon our AV system had nabbed over 200 of them, and counting. No infections inside so far.


14 posted on 11/22/2005 6:11:02 PM PST by Ramius (Buy blades for war fighters: freeper.the-hobbit-hole.net --> 1000 knives and counting!)

To: fortunecookie

Remember when I said "just delete it?"


This is why.


19 posted on 11/22/2005 6:13:50 PM PST by Petronski (Cyborg is the greatest blessing I have ever known.)

To: Eagle9
I got my first one at work today, and I admit I was more than a little concerned when I first saw it. However, one telltale sign stood out like a sore thumb - poor spelling.

If you receive any official-looking e-mail in which the author seems to have trouble with his spelling - don't open it - delete it!
24 posted on 11/22/2005 6:24:58 PM PST by reagan_fanatic (Darwinism is a belief in the meaninglessness of existence - R. Kirk)

To: Eagle9
All I can say is "Cloudmark Spamnet" Better than anti virus. It captures virtually everything and puts it in a nice neat file that can be easily deleted every day or so.
25 posted on 11/22/2005 6:26:10 PM PST by newbeliever

To: Eagle9

I've gotten at least 10 infected e-mails: FBI, CIA, and a few other ads.

Trend Micro has caught all of them.


28 posted on 11/22/2005 6:32:36 PM PST by Vinnie

To: Eagle9

One of the secretaries at work got this today. She figured out it was nonsense and deleted it. We're proud of our users sometimes :-)


30 posted on 11/22/2005 6:34:10 PM PST by JenB (NaNoWriMo Word Count: 39,570)

To: Eagle9
I got one yesterday and cox.net didn't flag it as spam. I posted it on a thread. The zip file was an exe. I'm on a Mac so I would have had to enter my password. My address in the header looked like a random spin to me?
42 posted on 11/22/2005 8:08:41 PM PST by tubebender

To: All

Things you need (all FREE)

Anti-Virus
AVG Anti-Virus version 7 (free) release available...
Avast

Firewall
Kerio (Direct Download)
Zone Alarm
If you are using Zone Alarm it may slow your PC. Try Outpost Firewall http://www.agnitum.com/products/outpost or Sygate Firewall http://www.sygate.com/ . Both have FREE and Pro versions and are heads above ZA.

Misc.
IE Spyads
SpywareBlaster
Spyware Guard
Windows Update: you must keep updated, it is the start of a secure system. Get all CRITICAL Updates.

Things you want (still Free)

Get Firefox. I use Firefox. Click the link and give it a try.

Ad-Aware
Spybot S&D
SpywareBlaster
MS MVP Hosts file
Mike Lin's Homepage: get the Startup Control Panel and Startup Monitor tools.

The best forum for malware removal:
-SWI Forums-

http://www.freerepublic.com/focus/f-news/1315720/posts
Microsoft Releases Anti-Spyware Beta 1 To Public Today.
Microsoft.com ^

=================================================

Browser Wars, take two
various FR links | 12-22-04 | The Heavy Equipment Guy
http://www.freerepublic.com/focus/f-news/1306815/posts

...and let your compiler of links drop out of Lurk & Link mode for comment and advice:

Keep your OS updated & patched.

Run a hardware firewall. With today's LANs, it's easy. You need a hardware firewall.


47 posted on 11/23/2005 12:15:39 AM PST by backhoe (The Silence of the Tom's ( Tired Old Media... ))

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

48 posted on 11/23/2005 6:33:58 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: Eagle9

My wife got that email. She said "what do you think about that?" and I said, "well, do you REALLY think that if we were involved in something important to have the fbi contact us, that they would contact us by email?" she got a real weird look on her face and then burst out laughing. I said "go ahead and click on that zip file attachment" She said, "nothing happened" I said "THAT's why we run linux, babe."


49 posted on 11/23/2005 9:24:05 AM PST by chronic_loser (Handle provided free of charge as flame bait for the neurally vacant.)



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson