kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

W32.Sober.O@mm/Sober.P

Currently a Category 3 threat per Symantec: »www.symantec.com/avcenter/venc/d···@mm.html

McAfee (W32/Sober.p@MM): »vil.nai.com/vil/content/v_133409.htm

F-Secure (RADAR Alert 2): »www.f-secure.com/v-descs/sober_p.shtml

said by Symantec Security Response:
Initial analysis indicates the worm may arrive as an email attachment named account_info-text.zip, mail_info.zip, or our_secret.zip. The zip file contains the worm executable as the file Winzipped-Text_Data.txt, with a double extension of .exe or .pif.
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.

gdm
Premium,MVM
join:2001-06-15
Mchenry, IL

Re: W32.Sober.O@mm/Sober.P

Trend shows this as "S" vs "O" »www.trendmicro.com/vinfo/virusen···_SOBER.S

Allnew
Premium,MVM
join:2003-02-01
Denmark- EU.

Code yellow from Trend.

YELLOW ALERT - WORM_SOBER.S - 02.05.2005 (Yellow Alert):

TrendLabs has received several reports regarding this new SOBER variant that is currently spreading in Germany and the United States.
This worm spreads by mass-mailing copies of itself to target recipients. Using social engineering techniques, it sends out an email supposedly sent by the soccer organization FIFA, informing recipients that they have won tickets for the upcoming FIFA World Cup 2006 in Germany.
Social engineering, a propagation technique that is widely utilized by most worm programs, invests largely on computer users' instinctive tendency to open email messages, execute attachments that are enticing and apparently harmless, and download and unknowingly open attractively named files.
TrendLabs is working to provide a more in depth analysis of this malware. Details will be posted shortly.
You may also check the following URL anytime to get T-Time information:
»www.trendmicro.com/vinfo/virusen···_SOBER.S
--
The two most common elements in the universe are Hydrogen and stupidity. - Harlan Ellison (1934 - )

BillRoland
Premium
join:2001-01-21
Ocala, FL

Yep, GFI Mail Security's Trojan and Threat Detection engine got hammered briefly before there were updated defs for it from Norman and BitDefender. I love that module.
--
"Don't steal. The government hates competition."

Chizep
Premium
join:2002-04-07
Concord, NC

Getting hit with it here at my job right now.

Have the following in place but its not catching it:

Symantec Mail Security for Exchange v4.5.0.719 with 5/1/2005 Rev 3
Trend Micro OfficeScan Client v6.5, Engine: 7.510, Pattern File: 2.609.00

I need to investigate manually updating both pieces.

Fortunately none of the users have been stupid enough to open the zip and execute the contents.

gdm
Premium,MVM
join:2001-06-15
Mchenry, IL

Re: W32.Sober.O@mm/Sober.P

Trend has screen shots of what the email looks like and states that Trend pattern 2.611.00 is needed, but I don't see it posted yet.

Solution for this »www.trendmicro.com/vinfo/virusen···VSect=Sn

Latest trend pattern »www.trendmicro.com/download/pattern.asp

Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
said by Chizep:

Getting hit with it here at my job right now.

Fortunately none of the users have been stupid enough to open the zip and execute the contents.
I haven't seen any copies at work yet, though there was an unspecified warning about a new email virus sent by IT and for all users to delete attachments from unknown senders. I was not sure which it was until I had read about the latest Sober variants.

None of my other email accounts have gotten hit yet.
--
"Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors.
To RIAA/MPAA - You can sue but you can't catch everyone!

Chizep
Premium
join:2002-04-07
Concord, NC
Ah yeah, so basically it's Sober.S?

I guess variants O, P, & S are more or less the same.
kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

Re: W32.Sober.O@mm/Sober.P

LiveUpdate has been issued, NAV & SAV should detect now.

Chizep
Premium
join:2002-04-07
Concord, NC
Sweet. Updated exchange. Patiently waiting on Trend Micro...

justin
Australian
join:1999-05-28
Brooklyn, NY

I was going to post about this hours ago. I woke up to about 10 emails from this virus, then updated f-prot early (normally the updates fire off "only" once a day), and it started to block the M variant, but I'm still getting "Your Password" and "Registrating Confirmation" attached zips..

RayMorris
Microsoft Certified Systems Crasher
Premium
join:2004-01-07
Philippines
clubs:
Hmmm... Weird... Just checked our mail server log and we are also starting to get hit already.

Filtered out 7 copies of this baddie...

D8e

@algx.net
Received in my email honeypot.

Keep 'em comin', boys!

Chizep
Premium
join:2002-04-07
Concord, NC

Trend Micro updated itself and all online clients.

Running a full scan right now on all online clients (roughly 50 boxes.)

Will have peace of mind when I don't get any e-mail notifications saying someone has been infected.

ritzy57
Mouth Of The South
Premium
join:2000-08-13
Fort Mill, SC

I received 28 E-mails with this virus attached. Mine all had the words, "Your Password," or "Registering Confirmation," or, "ok ok ok,,,,,here is it"
McAfee and AVG did a great job!
This is the first time I have ever been hit with an E-mail virus, and,... I just got three more!
(feel like I'm standing in front of a big plate glass window, up high in a building, watching a fierce thunder and lightning storm rage outside)
--
A day without sunshine is....depressing
Llama

join:2000-11-25
Findlay, OH
Gotten hit 14 times today with this one. Roadrunner has actually caught all of them so far. Avast is there as a backup. Deleting/Bouncing/Blacklisting them with Mailwasher as they roll in.

pcdebb
RIP dadkins
Premium
join:2000-12-03
Tampa, FL
all quiet here, again, i miss out on all the fun

DevilFrank

join:2003-07-13

I'm afraid this worm will be increasing in Germany today, because the message is very artful.
Many people in Germany hope to be the winner of an official ticket for the soccer World Cup 2006, which FIFA will be drawing lots for.
And they will be clicking and clicking and clicking...
--
Regards from Germany. Please excuse my stumbling English

Chizep
Premium
join:2002-04-07
Concord, NC

Re: W32.Sober.O@mm/Sober.P

said by DevilFrank:

I'm afraid this worm will be increasing in Germany today, because the message is very artful.
Many people in Germany hope to be the winner of an official ticket for the soccer World Cup 2006, which FIFA will be drawing lots for.
And they will be clicking and clicking and clicking...
Yep, social engineering at its best...
kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

Re: W32.Sober.O@mm/Sober.P

It amazes me that after 5 years of this people still fall for these things. Yes, it's been (nearly) 5 years since LoveLetter started this lovely trend.

So far I've missed out on this one. Unlike last year where I seemed to get hammered every time a new worm appeared.
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.

boognish
Premium
join:2001-09-26
Baton Rouge, LA
Wow this is a busy one. Came in this morning to work and have 1000 quarantines of it from the exchange server. We don't get that many quarantines of everything combined in a week.

awsdqwe2

@chello.nl

Re: W32.Sober.O@mm/Sober.P

(image: »www.game-legion.com/W32.Sober.O@mm.JPG)

GKJUG

@algx.net
Received 6 more under a variety of Subject titles overnight.

- Registration confirmation

- Your email was blocked

- FWD: Your password

- Your password

All are in the 73 - 74kb range.
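Several posters above note that their gateway and desktop scanners missed the worm until a pattern update arrived. The following is an added example, not code from any poster or vendor on this page, of the content-based checks a mail filter can apply ahead of a signature: the zip attachment names and the `Winzipped-Text_Data.txt` double-extension member from the Symantec description quoted in the first post, plus the subject lines reported in the thread. The message and the zip are constructed inside the block; the zip member is a harmless 64-byte stub that only begins with the `MZ` magic, and the addresses are placeholders. Standard library only.

```python
import io
import re
import zipfile
from typing import List
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators taken from this thread: zip names and the double-extension file from the
# Symantec description quoted in the first post; subject lines as posters reported them.
KNOWN_ZIP_NAMES = {"account_info-text.zip", "mail_info.zip", "our_secret.zip"}
KNOWN_SUBJECTS = {
    "your password",
    "fwd: your password",
    "registration confirmation",
    "your email was blocked",
    "mailing error",
}
EXEC_EXTS = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")
# "something.txt.exe": a decoy document extension followed by a real executable extension.
DOUBLE_EXT = re.compile(r"\.(txt|doc|pdf|jpg|htm|html)\.(exe|pif|scr|com|bat|cmd)$", re.I)


def inspect_zip(data: bytes) -> List[str]:
    """Look inside a zip attachment without executing or fully inflating anything in it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment is not a valid zip"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            low = name.lower()
            is_exec_name = low.endswith(EXEC_EXTS)
            if DOUBLE_EXT.search(low):
                findings.append(f"double-extension executable in zip: {name}")
            elif is_exec_name:
                findings.append(f"executable in zip: {name}")
            # Read only the first two bytes of each member: enough to spot a DOS/PE 'MZ'
            # header under a harmless-looking name, without inflating a possible zip bomb.
            try:
                with zf.open(info) as member:
                    head = member.read(2)
            except RuntimeError:  # encrypted member: cannot be inspected, so flag it
                findings.append(f"encrypted zip member (uninspectable): {name}")
                continue
            if head == b"MZ" and not is_exec_name:
                findings.append(f"PE header under non-executable name: {name}")
    return findings


def inspect_message(raw: bytes) -> List[str]:
    """Return the Sober-style indicators found in one RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    subject = str(msg["subject"] or "").strip()
    if subject.lower() in KNOWN_SUBJECTS:
        findings.append(f"known Sober subject: {subject}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if fname.lower() in KNOWN_ZIP_NAMES:
            findings.append(f"known Sober attachment name: {fname}")
        # Check by content as well as by name: a renamed zip still starts with 'PK'.
        if fname.lower().endswith(".zip") or payload[:2] == b"PK":
            findings.extend(inspect_zip(payload))
    return findings


def build_sample() -> bytes:
    """Constructed message resembling the lure described in the thread. Not a real worm:
    the zip member is a 64-byte stub that only begins with the 'MZ' magic bytes."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Winzipped-Text_Data.txt.pif", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "register@example.com"  # spoofed sender, placeholder address
    msg["To"] = "user@example.org"
    msg["Subject"] = "Your Password"
    msg.set_content("ok ok ok,,,,,here is it")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="mail_info.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in inspect_message(build_sample()):
        print(line)
```

The double-extension and `MZ`-under-a-text-name checks are the ones that survive the next variant renaming its subjects and zips, which is why they sit beside the name lists rather than replacing them. Member names inside a zip are attacker-controlled, so the code never trusts them to decide what to read; it reads two bytes per member regardless, and treats an encrypted member it cannot inspect as a finding rather than as clean.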

91439306
15,000 Watts of Bass Power

join:2002-10-16
New Milford, CT

Re: W32.Sober.O@mm/Sober.P

I noticed that at the beginning of the week when this started here, I was finding that they had originated from the .nl domain extension. I guess it spread to Germany and then the US about the same time. Nasty, because unlike previous worms, Earthlink's Spaminator is not blocking the e-mails. Its AV is stripping out the virus, at least here on my account. Volume is getting annoying though.
--
Take care,

Mark & Mary Ann Weiss

Hear my Kurzweil Creations at: »www.dv-clips.com/theater.htm
www.mwcomms.com/auctions.htm
www.mwcomms.com
www.adventuresinanimemusic.com

timcuth
Braves Fan
Premium
join:2000-09-18
Pelham, AL
I got two, last night. Avast! caught them and I hit the recommended Delete button. I assume I am okay.

Tim

Deajl

@algx.net
Latest Subject title.

- Mailing error

wadonoel
Premium
join:2004-11-16
New York, NY

Re: W32.Sober.O@mm/Sober.P

Mine came from register@cigna.com, sent through an Italian dynamic address. It's quite rare that I receive viruses on that account so it really must be wide spread.

bskuared
It's Hip To Be Square
Premium
join:2001-12-02
San Clemente, CA
I'm getting over 100 a day of a variety of these. Zone Alarm or AVG Free cleans them all, but it's still a major pain in the mailbox.
--
2b or not 2b
none of this really matters

skj
Welcome to the far side of reality
Premium,Mod
join:2002-04-04
Atlanta, GA
I have gotten about 50 of them since yesterday.
Tuesday, 24-Nov 05:27:54 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.