Sober.X (CME-681) - New malware updates scheduled Jan 5, 2006
Personally, I'm still receiving lots of copies of Sober.X on a daily basis in my personal email accounts. On an infected PC, Sober.X creates a backdoor that allows it to auto-update. Both F-Secure and CERT have issued warnings for new malware updates that will be automatically scheduled on January 6, 2006.
Secunia - Sober.X (CME-681) Anti-Virus links
F-Secure details how the URL calculation process works
QUOTE: Sober.Y was the biggest email outbreak of the year. It still is responsible for around 40% of all the infections we see. This variant is programmed to activate on January 5th, 2006. After this date all the infected machines will regularly try to download and run a file from a website, forever.
So, what URL is the virus using? This is the tricky part. The virus writer knows well that if he uses a single, constant address in the virus body, it will get blocked quickly. So instead, Sober has been using an algorithm to create pseudorandom URLs which will change based on date. These URLs point to free hosting servers typically operating in Germany or in Austria. And 99% of the URLs generated by the virus simply don't exist.
However, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally in hundreds of thousands of machines.
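The precalculation property F-Secure describes above cuts both ways: a defender who has the algorithm can compute the same date-dependent URLs ahead of time and block or sinkhole them. The following is an added example, not F-Secure's code and not Sober's real generator (which the page does not reproduce); the date-seeded generator, the placeholder hosting domains and the proxy log lines are all constructed for illustration.

```python
import hashlib
from datetime import date, timedelta

# Constructed placeholder parent domains standing in for the "free hosting
# servers" mentioned above; not the real hosts Sober used.
HOSTING_DOMAINS = ["freehost-a.example", "webspace-b.example"]


def candidate_urls(day, per_day=4):
    """Hypothetical date-seeded generator (NOT Sober's real algorithm).
    Its only input is the calendar date, so anyone holding the algorithm,
    attacker or defender, computes the identical list for any future day."""
    urls = []
    for i in range(per_day):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        # Map 8 digest bytes to an 8-letter path component.
        label = "".join(chr(ord("a") + int(digest[j:j + 2], 16) % 26)
                        for j in range(0, 16, 2))
        host = HOSTING_DOMAINS[int(digest[-2:], 16) % len(HOSTING_DOMAINS)]
        urls.append(f"http://{host}/{label}/")
    return urls


def precompute_blocklist(start, days):
    """Defender-side precomputation: every URL the generator will emit from
    `start` for `days` days, ready for a proxy blocklist or a sinkhole."""
    blocklist = set()
    for n in range(days):
        blocklist.update(candidate_urls(start + timedelta(days=n)))
    return blocklist


def flag_requests(log_lines, blocklist):
    """Match constructed proxy log lines ("time client url status") against
    the blocklist. A request for a generated URL is suspicious even when it
    returns 404: most generated URLs are never registered at all."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) == 4 and fields[2] in blocklist:
            hits.append((fields[1], fields[2], fields[3]))
    return hits


# Constructed sample proxy log: one client polling generated URLs on two
# consecutive days (404, as expected) plus one benign request.
SAMPLE_LOG = [
    f"2006-01-05T09:12:01 10.0.0.7 {candidate_urls(date(2006, 1, 5))[0]} 404",
    "2006-01-05T09:12:05 10.0.0.8 http://www.example.com/news/ 200",
    f"2006-01-06T03:00:44 10.0.0.7 {candidate_urls(date(2006, 1, 6))[2]} 404",
]
```

Running `flag_requests(SAMPLE_LOG, precompute_blocklist(date(2006, 1, 5), 30))` reports client 10.0.0.7 twice, even though both of its requests returned 404, which is exactly the pattern an infected machine polling a not-yet-registered URL would produce.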
Special CERT warning
QUOTE: US-CERT is aware of functionality that could allow the mass-mailing worm known as "W32/Sober.X" to automatically update itself. W32/Sober.X is a bi-lingual (English and German) mass-mailing worm that utilizes its own SMTP engine to propagate. The W32/Sober.X worm began propagating on November 15, 2005 and will attempt to update itself on or around January 5, 2006.
US-CERT strongly recommends that users and administrators implement the following general protection measures:
* Install anti-virus software, and keep its virus signature files up-to-date
* Do not follow unsolicited web links or execute attachments received in email messages, even if sent by a known and trusted source
* Keep up-to-date on patches and fixes for your operating system