SANS ISC: InfoSec Handlers Diary Blog



Two New Sober Viruses on the Loose Today

Published: 2005-10-06
Last Updated: 2005-10-06 18:31:58 UTC
by Deborah Hale (Version: 1)

It never fails: somehow it seems that whenever I am the Handler On Duty, another little Smurf pops out of the closet. Today's little Smurf is Sober.R or Sober.Q or Worm_Sober.AC or ..., well, you get the drift. (What's in a name, anyway?) However, I am pleased to say that an official CME identifier has been released for this little fella. Nothing to report there yet; the entry says "Not Currently Available". You'll have to keep checking back to see what the update brings.

http://cme.mitre.org

We do however believe that we are working with at least two different versions.

F-Secure has an interesting write-up on this and is calling the second one a dropper. Take a look at F-Secure's write-up:

http://www.f-secure.com/v-descs/sober_s.shtml

Our malware team is looking at the code as we speak. It appears that this one is picky about who is blessed to receive a copy. It appears to be a self-mailer. Our malware team is hard at work attempting to identify and evaluate this thing and will update us as soon as possible.

It looks like the attachment name may have changed as well. The one that I just received had the attachment name

regis.info.zip

and, according to the subject line, is my "Registration Confirmation".

The program is packed with some pretty nasty stuff. It looks like it may scan the hard drive to see what additional mischief it can create. It appears to create a file named services.exe and to set itself up to run from the registry.

We will keep you updated on any additional info that we get on this.





Battle of the ISP's

Published: 2005-10-06
Last Updated: 2005-10-06 18:22:29 UTC
by Deborah Hale (Version: 1)
If you are a Cogent or Level 3 customer, you may be experiencing some problems with your surfing experience today. It seems that the two have decided to play the "I am better than you" game at the expense of their customers.
According to the information at Hardware Geeks, this is preventing web pages on one side from being accessed by the other's customers.

http://www.hardwaregeeks.com/comments.php?shownews=3713

http://status.cogentco.com/

http://news.google.com/news?q=cogent+level&scoring=d

It looks like these "boys" need a timeout. Go to opposite corners and take a deep breath. (Isn't that what we tell the children when they start fighting?)

It will definitely be interesting to watch this one play out.



Sober Virus (CME-151)

Published: 2005-10-06
Last Updated: 2005-10-06 12:03:08 UTC
by Koon Yaw Tan (Version: 1)
There are reports of a new variant of Sober going around the net. Different antivirus vendors name it differently, but thanks to the CME effort it is identified as CME-151.

This variant uses different email messages, randomly in either German or English. We have received several reports from our readers. One reader submitted the email message below:

Danke für Ihre Mail ....
Sie haben aber Ihre Mail wahrscheinlich falsch adressiert,,, nämlich an mich. Ich kenne sie aber nicht!
Oder Ihr Provider hat die Mail falsch weiter geleitet!?
Um mich zu entlasten, schicke ich Ihnen das (...) Foto wieder zurück.

(Translation: Thank you for your mail .... But you probably addressed your mail incorrectly,,, namely to me. But I don't know you! Or your provider forwarded the mail incorrectly!? To clear myself, I am sending the (...) photo back to you.)

This virus arrives with one of the following attachment names:
* KlassenFoto.zip
* pword_change.zip

Inside the ZIP archive is a file named PW_Klass.Pic.packed-bitmap.exe.
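The attachment names listed here, the inner filename, and the regis.info.zip attachment reported in the "Two New Sober Viruses" diary above are simple indicators a mail gateway can check for. The script below is an added example written for this page, not code from the ISC or from any antivirus vendor. It walks the MIME parts of a raw message, flags the reported attachment names, and opens ZIP attachments in memory (never extracting to disk) to look for the reported inner filename or, more generally, any executable hiding inside an archive. The sample message it builds is constructed for the example and carries only a harmless text file under the reported name; the indicator sets are taken from these diaries, and the list of executable extensions is an assumption about gateway policy, not something the diaries state.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment names reported in the two Sober diaries on this page.
SOBER_ATTACHMENTS = {"klassenfoto.zip", "pword_change.zip", "regis.info.zip"}
# Filename reported inside the ZIP archive.
SOBER_INNER_FILES = {"pw_klass.pic.packed-bitmap.exe"}
# Assumed gateway policy: executables inside a mailed ZIP are always suspicious.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def inspect_zip(data: bytes) -> list:
    """Scan a ZIP held in memory and report suspicious members (nothing is extracted)."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename.lower()
                if name in SOBER_INNER_FILES:
                    findings.append(f"known Sober payload name inside archive: {info.filename}")
                elif name.endswith(EXECUTABLE_EXTENSIONS):
                    findings.append(f"executable inside archive: {info.filename}")
    except zipfile.BadZipFile:
        findings.append("attachment is not a valid ZIP archive")
    return findings


def inspect_message(raw: bytes) -> list:
    """Walk the attachments of a raw RFC 822 message and collect Sober indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").strip()
        if filename.lower() in SOBER_ATTACHMENTS:
            findings.append(f"known Sober attachment name: {filename}")
        payload = part.get_payload(decode=True) or b""
        # Check the content, not just the name: a ZIP starts with the "PK\x03\x04" local header.
        if filename.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            findings.extend(inspect_zip(payload))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample for the example: a harmless ZIP that only mimics the reported names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PW_Klass.Pic.packed-bitmap.exe", b"plain text, not a binary; constructed for the example")
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "handler@example.invalid"
    msg["Subject"] = "Registration Confirmation"
    msg.set_content("Constructed lure text standing in for the German message quoted above.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="KlassenFoto.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample_message()):
        print(finding)
```

Feeding a real message through inspect_message is a matter of reading the raw bytes from a spool or maildir file; the name check catches this variant as reported, while the archive check keeps working when the next variant simply renames the outer ZIP.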

You can check out more details on the various antivirus vendors' websites:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.q@mm.html
http://vil.nai.com/vil/content/v_136390.htm
http://uk.trendmicro-europe.com/consumer/vinfo/encyclopedia.php?VName=WORM_SOBER.AC
