
Some 'Sober' on new worm variant

By Shawna McAlearney, News Editor
19 Nov 2004 | SearchSecurity.com


A new Sober worm variant is getting traction this morning and is ranked as a high-level threat by some AV vendors.

"A new worm -- W32/Sober-I -- has appeared and it is already a high threat," said Patrick Hinojosa, CTO, Panda Software USA, based in Glendale, Calif. "This is spreading fast, particularly in Europe. It causes serious damage to the registry and it creates its own SMTP engine to resend itself to your address book."

Panda, F-Secure Corp., Trend Micro Inc. and Symantec Corp. are calling the new variant Sober-I, McAfee Inc. calls it Sober-J and Norman Antivirus labels it Sober-H.

According to Panda, "It does not have destructive effects. It spreads via e-mail in a message with variable characteristics." Users of Windows 95, 98, ME, NT, XP, 2000 and 2003 are vulnerable, but will not become infected if they don't run the attached file.

Hinojosa added that the worm is somewhat intelligent. "It goes through the victim's address book and any other source of e-mail addresses and will customize the language it uses by the country of the recipient. Right now we've only seen English and German, but there could be others."

Norman said the worm has a variable subject line and body text; the attachment also varies, but it is an executable file with a .scr, .com, .bat, .pif or .zip extension.

According to Norman's site: "When the worm is executed, it will display a window with an error message. In the background it now creates a number of files in the Windows System directory; most notably two worm files -- these two files can have various names, f.ex. expoler.exe or win32data.exe. Registry keys will be created to start these from bootup." Other files created are:

  • clonzips.ssc
  • clsobern.isc
  • cvqaikxt.apk
  • dgssxy.yoi
  • nonzipsr.noz
  • Odin-Anon.Ger
  • sb2run.dii
  • sysmms32.lla
  • winexerun.dal
  • winmprot.dal
  • winroot64.dal
  • winsend32.dal
  • zippedsr.piz

To mitigate the worm, block .scr, .com, .bat, .pif or .zip extensions at the gateway and update antivirus signatures.
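The gateway rule above can be sketched as a filter over a message's MIME parts. This is an added example, not code from the article or from any vendor named in it; the function names, sample addresses and sample filenames are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the article says to block at the gateway.
BLOCKED_EXTENSIONS = {".scr", ".com", ".bat", ".pif", ".zip"}


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return attachment filenames whose final extension is on the block list."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    # walk() also descends into forwarded (message/rfc822) mail.
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows drops trailing dots and spaces, so "a.scr." still runs as .scr.
        normalized = name.strip().rstrip(". ").lower()
        dot = normalized.rfind(".")
        if dot != -1 and normalized[dot:] in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample() -> bytes:
    """Constructed test message; filenames and addresses are made up."""
    inner = EmailMessage()
    inner["Subject"] = "forwarded"
    inner.set_content("see attachment")
    inner.add_attachment(b"MZ", maintype="application",
                         subtype="octet-stream", filename="Details.TXT.Pif")
    outer = EmailMessage()
    outer["From"] = "sender@example.com"
    outer["To"] = "user@example.com"
    outer["Subject"] = "constructed sample"
    outer.set_content("body")
    outer.add_attachment(b"%PDF", maintype="application",
                         subtype="pdf", filename="report.pdf")
    outer.add_attachment(b"MZ", maintype="application",
                         subtype="octet-stream", filename="update.scr.")
    outer.add_attachment(inner)
    return outer.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(build_sample()))
```

Matching on the last extension after case folding and trimming catches double extensions and mixed-case names; it does not inspect file contents or look inside .zip archives.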
