Harry Waldron - IT Security

Security Developments, Software Updates and Best Practices

Sober.X (CME-681) - New malware updates scheduled Jan 5, 2006

Personally, I'm still receiving lots of copies of Sober.X on a daily basis in my personal email accounts. On an infected PC, Sober.X creates a backdoor that allows it to auto-update. Both F-Secure and CERT have issued warnings for new malware updates that will be automatically scheduled on January 6, 2006.

Secunia - Sober.X (CME-681) Anti-Virus links
http://secunia.com/virus_information/23836/sober.x/

F-Secure details how the URL calculation process works
http://www.f-secure.com/weblog/archives/archive-122005.html#00000729

QUOTE: Sober.Y was the biggest email outbreak of the year. It still is responsible for around 40% of all the infections we see. This variant is programmed to activate on January 5th, 2006. After this date all the infected machines will regularly try to download and run a file from a website, forever.

So, what URL is the virus using? This is the tricky part. The virus writer knows well that if he uses a single, constant address in the virus body, it will get blocked quickly. So instead, Sober has been using an algorithm to create pseudorandom URLs which will change based on date. These URLs point to free hosting servers typically operating in Germany or in Austria. And 99% of the URLs generated by the virus simply don't exist.

However, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally in hundreds of thousands of machines.
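The property F-Secure's quote turns on is that the URL list is a pure function of the calendar date, so whoever knows the function can reproduce it for any day: the author to pre-register one URL, a defender to pre-block all of them. The Python below is an added illustration of that idea, not the worm's real algorithm (which the page does not describe) and not code from F-Secure or this blog; the hash scheme, the `.invalid` hosting domains and the `client url` proxy-log format are all constructed.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-ins for the free-hosting domains; .invalid never resolves.
HOSTS = ["webspace-a.invalid", "webspace-b.invalid", "webspace-c.invalid"]
ACTIVATION = date(2006, 1, 5)  # activation date given in the post


def candidate_urls(day: date, per_day: int = 4) -> list[str]:
    """URLs a date-seeded generator yields for one calendar day.

    Hypothetical scheme, not the worm's: hash the ISO date plus a counter and
    derive a host and an 8-hex-character path label from the digest. Anyone
    who knows the function reproduces the same list for any date.
    """
    urls = []
    for i in range(per_day):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        host = HOSTS[digest[0] % len(HOSTS)]
        urls.append(f"http://{host}/{digest[1:5].hex()}/")
    return urls


def precompute_blocklist(start: date, days: int) -> set[str]:
    """Defender side: enumerate every candidate URL over a window so it can be
    loaded into a proxy blocklist before the dates arrive."""
    urls: set[str] = set()
    for n in range(days):
        urls.update(candidate_urls(start + timedelta(days=n)))
    return urls


def matches_generator(url: str, seen_on: date, slack_days: int = 1) -> bool:
    """True if a URL observed on a date is one of that day's candidates,
    allowing one day of clock skew either side."""
    return any(url in candidate_urls(seen_on + timedelta(days=d))
               for d in range(-slack_days, slack_days + 1))


def flag_proxy_log(lines: list[str], seen_on: date) -> list[str]:
    """Return URLs from constructed 'client url' proxy-log lines that match."""
    return [url for _client, url in (line.split() for line in lines)
            if matches_generator(url, seen_on)]


if __name__ == "__main__":
    for url in sorted(precompute_blocklist(ACTIVATION, 7)):
        print(url)
```

The same determinism that lets the author register tomorrow's URL lets a defender load the whole week's candidates into a proxy blocklist, which is why reversing the generator, rather than blocking observed URLs one at a time, is the useful response.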

Special CERT warning
http://www.us-cert.gov/current/current_activity.html#soberx

QUOTE: US-CERT is aware of functionality that could allow the mass-mailing worm known as "W32/Sober.X" to automatically update itself. W32/Sober.X is a bi-lingual (English and German) mass-mailing worm that utilizes its own SMTP engine to propagate. The W32/Sober.X worm began propagating on November 15, 2005 and will attempt to update itself on or around January 5, 2006.

US-CERT strongly recommends that users and administrators implement the following general protection measures:

* Install anti-virus software, and keep its virus signature files up-to-date
* Do not follow unsolicited web links or execute attachments received in email messages, even if sent by a known and trusted source
* Keep up-to-date on patches and fixes for your operating system