Sober.I Worm - MEDIUM RISK by Secunia



#1 harrywaldron

Posted 19 November 2004 - 06:01 AM

The Sober worm family is prolific in email generation, and this new variant has been declared MEDIUM RISK by Secunia. It is reported to be spreading in France, Germany, and Australia.

Sober.I Worm - MEDIUM RISK by Secunia
http://secunia.com/virus_information/13463/win32.sober.i/
http://vil.nai.com/vil/content/v_130130.htm
http://www.sarc.com/avcenter/venc/data/w32.sober.i@mm.html
http://www.trendmicro.com/vinfo/virusencyc...me=WORM_SOBER.I
http://www3.ca.com/securityadvisor/virusin...s.aspx?id=40797
http://www.f-secure.com/v-descs/sober_i.shtml
http://www.pandasoftware.com/virus_info/en...4761&sind=0


As of November 11, 2004 at 1:31 AM (GMT -8:00 Pacific Standard Time), TrendLabs has declared a MEDIUM risk virus alert in order to control the spread of this new SOBER variant. TrendLabs has received numerous infection reports indicating that this malware is spreading in France, Germany, and Australia.

The message it sends out has the following details:

Subject: (any of the following)

Confirmation
Delivery_failure_notice
Details
Faulty_mail delivery
illegal signs in your mail
invalid mail
mail delivery system
Mail delivery_failed
Mail Error
Mail_Delivery_failure
Registration confirmation
Your mail password
Your Password

Message body: (any of the following)

I was surprised, too!
*-*-* Mail_Scanner: No Virus
*-*-* SKYNET- Anti_Virus Service
*-*-* http://www.skynet.be

Your password was changed successfully!
Protected message is attached!

++++++ User-Service: http://www.<domain>
++++++ MailTo: postmaster <domain>

Message attachment:

FILE NAME
im_shocked
oh_nono

FILE EXTENSIONS
*.bat, *.com, *.exe, *.pif, and *.scr

Edited by harrywaldron, 19 November 2004 - 07:18 AM.



#2 harrywaldron

Posted 25 November 2004 - 06:34 AM

Sober.I worm escalated to HIGH RISK by Secunia

This new email worm is out there, as I'm deleting these regularly along with Netsky.P.

Secunia Virus Information has issued a HIGH RISK alert for Sober.I

Secunia Virus Alert: Sober.I
Risk Rating: HIGH RISK
Confirmed By: 7 Vendors
==============================


Secunia - High Risk Virus Alert: Sober.I
http://secunia.com/virus_information/13467/


----- EXAMPLE OF ONE FROM THE INBOX ----------

From: info @ hockeycanada.ca View Contact Details
Date: Mon, 22 Nov 2004 22:52:04 GMT
Subject: Registration confirmation
Your password was changed successfully!
++++++ User-Service: http://www.hockeycanada.ca
++++++ MailTo: postmaster @ hockeycanada.ca
*-*-* Attachment: No Virus found
*-*-* YAHOO- Anti_Virus Service
*-*-* http://www.yahoo.com

Virus Scan Results
File name: hockeycanada.com
File size: 55kb
File type: application/octet-stream
Scan result: Virus"W32.Sober.I@mm" found.
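
The traits listed in the two posts above (subject lines, attachment names and extensions, and the forged "No Virus" footer) can be turned into a simple mail-filter check. The following is an added example, not part of the original posts or any vendor's signature; the function names, the `example.org` address and the quarantine policy are assumptions made for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the two posts above; subjects are compared case-insensitively.
SUBJECTS = {s.lower() for s in (
    "Confirmation", "Delivery_failure_notice", "Details", "Faulty_mail delivery",
    "illegal signs in your mail", "invalid mail", "mail delivery system",
    "Mail delivery_failed", "Mail Error", "Mail_Delivery_failure",
    "Registration confirmation", "Your mail password", "Your Password")}
ATTACH_NAMES = {"im_shocked", "oh_nono"}
ATTACH_EXTS = {"bat", "com", "exe", "pif", "scr"}
# Forged "scanned clean" footer lines, e.g. "*-*-* Mail_Scanner: No Virus".
FAKE_SCAN = re.compile(r"^\*-\*-\* .*(No Virus|Anti_Virus Service)", re.M)

def sober_i_hits(raw: bytes) -> list:
    """Return the sorted names of the Sober.I traits found in one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = set()
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            stem, _, ext = name.lower().rpartition(".")
            if stem and ext in ATTACH_EXTS:
                hits.add("exec-attachment")
                if stem in ATTACH_NAMES:
                    hits.add("known-attachment-name")
        elif part.get_content_type() == "text/plain":
            if FAKE_SCAN.search(part.get_content()):
                hits.add("fake-scan-footer")
    return sorted(hits)

def should_quarantine(raw: bytes) -> bool:
    """Assumed policy: an executable attachment plus at least one other trait."""
    hits = sober_i_hits(raw)
    return "exec-attachment" in hits and len(hits) >= 2

def sample(subject: str, body: str, attachment: str = "") -> bytes:
    """Build a constructed test message; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"], m["Subject"] = "info@example.org", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()
```

The inbox example in post #2 carries an attachment named after the spoofed domain rather than `im_shocked` or `oh_nono`, so the check keys on the executable extension and treats the known file names only as an extra signal.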



