New Sober Worm on the Loose

malebolgia   on 19 November 2004 - 17:12 · 29 comments & 1796 views

A new version of the Sober worm appeared on the Internet early Friday morning and already it is having quite a bit of success infecting users in Europe through the use of social engineering. Sober.J arrives in an e-mail message that appears to be a returned-mail error message, telling the user that an e-mail sent earlier has bounced. The message typically contains a .zip, .bat, .com, .scr or .pif attachment.

News source: eWeek


Thanks to Hadiz from the forums for the heads up on this article
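
A mail-gateway-style check for the attachment types the article lists, as an added example that is not part of the original post. The sample message, addresses, subject line and helper names are constructed for illustration; the check also looks inside .zip attachments for members with the same extensions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the article; .zip is handled by inspecting its members.
RISKY_EXT = (".bat", ".com", ".scr", ".pif")

def risky_attachments(raw):
    """Return names of attachments (or zip members) with a listed extension."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name.endswith(RISKY_EXT):
            hits.append(name)
        elif name.endswith(".zip"):
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    hits += [name + "!" + m.lower() for m in zf.namelist()
                             if m.lower().endswith(RISKY_EXT)]
            except zipfile.BadZipFile:
                # Corrupt or non-zip payloads cannot be inspected; report them.
                hits.append(name + " (unreadable zip)")
    return hits

def zip_bytes(members):
    """Build an in-memory zip from {member_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, data in members.items():
            zf.writestr(member, data)
    return buf.getvalue()

def build_sample(filename, payload):
    """Constructed message styled as a bounce notice; not a real worm sample."""
    m = EmailMessage()
    m["From"] = "postmaster@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Mail delivery failed"  # assumed wording, not from the article
    m.set_content("Your message could not be delivered. See the attachment.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    archive = zip_bytes({"message.txt.scr": b"placeholder"})
    for fn, body in [("Mail.PIF", b"placeholder"), ("returned.zip", archive)]:
        print(fn, "->", risky_attachments(build_sample(fn, body)))
```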

(2 replies) #1 noyb on 19 Nov 2004 - 17:27
Got it this morning in the .pif variety, lucky me. This now brings my total viruses received this year alone to 74.

Edit: Make that 75.

Last edited by 63624 on 19 Nov 2004 - 18:04
#1.1 EduardValencia on 19 Nov 2004 - 17:34
Haven't received it yet
#1.2 HellBender on 19 Nov 2004 - 21:26
Sober worm?

Guess I missed the drunk one.
#2 bangbang023 on 19 Nov 2004 - 18:01
Got the warning from PC-Cillin this morning. Thanks for the heads up though.
#3 Mando on 19 Nov 2004 - 18:45
great

^sarcasm
(9 replies) #4 winmacguy on 19 Nov 2004 - 19:34
On a Mac so no problem.
#4.1 noyb on 19 Nov 2004 - 19:36
Same here but you do feel kind of left out at times.
#4.2 geektragedy on 19 Nov 2004 - 19:52
mac itself is virus enough. no need to write any for it!
#4.3 winmacguy on 19 Nov 2004 - 20:04
QUOTE
Same here but you do feel kind of left out at times.

Oh I "Always" feel left out when all the PC people get viruses and I am left to get on with my day unaffected.
#4.4 HellBender on 19 Nov 2004 - 21:27
Of course viruses aren't compatible with Macs. Barely any regular programs are.
#4.5 noyb on 19 Nov 2004 - 21:32
QUOTE
The worm then copies itself to the Windows System folder in two separate locations, using filenames that it constructs dynamically from a small set of common strings, including sys, spool, crypt, host, dir, service, win, run, 32, data, and a few others, according to an analysis by McAfee Inc., based in Santa Clara, Calif. The filename always ends in "exe."

Sober.J then creates several registry keys to ensure it will be run on startup and searches for e-mail addresses on the infected machine. It then begins mailing itself to all of the addresses it finds.


It's more a case of OS X actually having a real access rights system being put in place preventing things like that from happening, sorry to come back at you in that way but you asked for it with that sort of uneducated comment.
#4.6 MegaManXcalibur on 20 Nov 2004 - 05:20
I run as a regular user for my day to day work on Windows so I'm fine as well (the virus can't write to my system folder or anything other than My Documents for that matter).

It's not so much that Windows users are vulnerable it's Windows users who are running as administrators (which is a stupid default set by Microsoft. Really they need to learn from *nix and tell people they should be running as a user for day to day tasks).
#4.7 noyb on 20 Nov 2004 - 08:39
Actually they need to take a big mallet and thump any developer who writes an application that's not able to run on least privilege, then they need to go to work on the guy who said it would be a good idea to make admin default on pro and just to not give a damn about home.
#4.8 MegaManXcalibur on 20 Nov 2004 - 22:00
I agree 100%.
#4.9 Arcticflare on 22 Nov 2004 - 03:33
I run as a normal user account normally, running applications as administrator from within said normal account when I need to (for those of you who are lost, it's: right click the program you want, "Run as...", and then you can enter in your admin password. =p). And I can tell you, XP has a few issues to work out when it comes to handling this type of environment. In doing this, I'd guesstimate that I'm sacrificing about 15-20% of my stability. Still, I feel quite a lot safer in the long run.
(1 reply) #5 Samoa on 19 Nov 2004 - 21:36
Most of us smarter PC users are left unaffected as well, as we know better than to accept attachments in our email....
#5.1 Radium on 19 Nov 2004 - 21:56
I have no idea how these "experienced" users get viruses.
I have never got a virus on a computer under my control.
#6 rIaHc3 on 19 Nov 2004 - 21:58
First ever virus I got in my email. I deleted it because I didn't email anyone... I think I wasn't affected then
#7 bush on 19 Nov 2004 - 22:07
get your copy of stinger
(3 replies) #8 ariel on 19 Nov 2004 - 23:56
Symantec Security Response - W32.Sober.I@mm
W32/Sober.j@MM McAfee Inc

QUOTE
When a user double clicks on a infected attachment, the worm will display a fake error message:...


Ok. Someone explain to me how this worm spreads in the first place? The user has to run it in the first place. Who does that?
#8.1 memodude on 20 Nov 2004 - 00:28
Same people as any other virus. N00bs.
#8.2 SquareSoft0 on 20 Nov 2004 - 12:23
The same people who spread 99% of the other virii.
#8.3 dandu on 22 Nov 2004 - 04:27
Here is a full description:

http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=310
(1 reply) #9 memodude on 20 Nov 2004 - 00:27
I love the new "virus" story icon!
#9.1 Howard on 20 Nov 2004 - 21:18
In my opinion, it lacks the quality of all the other icons
(1 reply) #10 Skyfrog on 20 Nov 2004 - 03:21
This is why you should have to get a license to use the internet. "Oh goody, somebody I don't even know sent me an attachment. I can't wait to see what it is; maybe it's a free prize!"
#10.1 SquareSoft0 on 20 Nov 2004 - 12:24
It said I was the 1,000,000th visitor to www.pwnt.com, it seemed harmless.
#11 HydroPonic on 21 Nov 2004 - 10:41
it's good business for me @ $50/hr

#12 Zenith on 23 Nov 2004 - 06:28
loler I'm safe, my comp runs Mac OS X 10.3
