msc hotline sat
- Posts: 93500
- Registered: 09 Mar 2004, 20:39
- Location: BARCELONA (ESPAÑA)

Message by msc hotline sat » 13 May 2004, 16:38

Thanks to McAfee's heuristic scanning, a new variant G of SOBER, which has just been discovered, is already controlled with the current DATs (since 4348):
DESCRIPTION OF W32/SOBER.G ACCORDING TO MCAFEE
__________________________________________
Virus Name: W32/Sober.g@MM
Risk Assessment: Corporate User: Low; Home User: Low

Virus Information
Discovery Date: 05/12/2004
Origin: German?
Length: approx 49kB (UPXed)
Type: Virus
SubType: E-mail
Minimum DAT: 4349 (04/07/2004)
Updated DAT: 4349 (04/07/2004)
Minimum Engine: 4.3.20
Description Added: 05/13/2004
Description Modified: 05/13/2004 6:56 AM (PT)
Virus Characteristics:  
At the time of writing AVERT has not received any samples of this new W32/Sober variant from the field.
--------------------------------------------------------------------------------
Proactive Detection 
This variant is proactively detected as W32/Sober.gen@MM since the 4349 DATs, with the 4.3.20 engine (with scanning of compressed files enabled - default setting).
--------------------------------------------------------------------------------
In common with its predecessors, this variant bears the following characteristics:
it is written in MSVB 
it propagates via email, harvesting target email addresses from the victim machine, and constructing messages using its own SMTP engine. 
messages may be constructed in both German and English languages (selected according to the target email address) 
certain target email addresses are specifically excluded 
 
Symptoms  
Existence of the following files on the victim machine:
%SysDir%\bcegfds.lll (0 bytes) 
%SysDir%\cvqaikxt.apk (0 bytes) 
%SysDir%\datsobex.wwr (0 bytes) 
%SysDir%\wincheck32.dats (size varies) - harvested email addresses 
%SysDir%\winexpoder.dats (size varies) - list of recipient names (including the @) of harvested email addresses. So for name@domain.com, this file contains name@. 
%SysDir%\winzweier.dats (size varies) - harvested email addresses 
%SysDir%\xdatxzap.zxp (0 bytes) 
%SysDir%\zhcarxxi.vvx (0 bytes) 
The worm is intended to copy itself to the %SysDir% (eg. C:\WINNT\SYSTEM32) folder using a filename that is constructed from the following string pool:
sys 
host 
dir 
explorer 
win 
run 
log 
32 
disc 
crypt 
data 
diag 
spool 
service 
smss32 
 
Method Of Infection  
This worm is intended to spread by sending itself to email addresses found on the local system. Users must choose to run the attached files in order to become infected.  
 
__________________________________________
THIS IS A NEWS EXCLUSIVE.
More details will be provided shortly.
Regards
ms, 13-05-2004
Last edited by msc hotline sat on 17 May 2004, 19:01, edited 1 time in total.
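The dropped files and the filename string pool in the McAfee description quoted in the post above are directly usable as host triage indicators. The Python below is an added example written for this page; it is not code from the original post, from McAfee, or from the ELISOBEA utility. It assumes two things the description does not state: that the worm body is dropped as an .exe, and that its name is two or more pool tokens joined together. The directory listing it checks is constructed for illustration, not taken from an infected machine; `scan_sysdir` shows how the same logic would be pointed at a real %SysDir%.

```python
"""Host triage for the W32/Sober.g indicators quoted in the forum post above.

Added example, not part of the original post or McAfee's write-up.
Assumptions (not in the source): the worm body is an .exe whose name is a
concatenation of two or more tokens from the string pool. SAMPLE_LISTING
below is constructed for illustration.
"""
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Zero-byte marker files named in the description.
MARKER_FILES = {"bcegfds.lll", "cvqaikxt.apk", "datsobex.wwr",
                "xdatxzap.zxp", "zhcarxxi.vvx"}
# Variable-size data files: harvested addresses and recipient names.
DATA_FILES = {"wincheck32.dats", "winexpoder.dats", "winzweier.dats"}
# String pool the worm assembles its own filename from.
STRING_POOL = ["sys", "host", "dir", "explorer", "win", "run", "log", "32",
               "disc", "crypt", "data", "diag", "spool", "service", "smss32"]


def segment(name: str, pool: List[str] = STRING_POOL) -> Optional[List[str]]:
    """Split `name` into pool tokens (at least two), or return None.

    Backtracking rather than greedy matching, so overlapping tokens such as
    '32' inside 'smss32' cannot cause a miss.
    """
    def rec(i: int) -> Optional[List[str]]:
        if i == len(name):
            return []
        for tok in pool:
            if name.startswith(tok, i):
                rest = rec(i + len(tok))
                if rest is not None:
                    return [tok] + rest
        return None

    parts = rec(0)
    # A single whole-token name (e.g. 'explorer') is not flagged: too many
    # legitimate binaries would match. Assumption: the worm joins >= 2 tokens.
    return parts if parts is not None and len(parts) >= 2 else None


def triage(listing: Iterable[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Classify %SysDir% entries given as (file name, size in bytes).

    Returns lists under 'markers', 'data' and 'body_candidates'.
    """
    hits: Dict[str, List[str]] = {"markers": [], "data": [], "body_candidates": []}
    for name, size in listing:
        lname = name.lower()
        if lname in MARKER_FILES:          # description lists these as 0 bytes
            hits["markers"].append(name)
        elif lname in DATA_FILES:          # size varies; content is harvested data
            hits["data"].append(name)
        elif lname.endswith(".exe") and segment(lname[:-4]) is not None:
            hits["body_candidates"].append(name)
    return hits


def scan_sysdir(path: Optional[str] = None) -> Dict[str, List[str]]:
    """Run triage() over the real %SysDir% (e.g. C:\\WINNT\\SYSTEM32)."""
    if path is None:
        path = os.path.join(os.environ.get("SystemRoot", r"C:\WINNT"), "system32")
    entries = []
    with os.scandir(path) as it:
        for e in it:
            if e.is_file():
                entries.append((e.name, e.stat().st_size))
    return triage(entries)


# Constructed sample listing: a few legitimate system files plus Sober.g indicators.
SAMPLE_LISTING = [
    ("kernel32.dll", 983_040),
    ("smss.exe", 50_688),
    ("spoolsv.exe", 57_856),
    ("services.exe", 108_544),
    ("bcegfds.lll", 0),
    ("datsobex.wwr", 0),
    ("wincheck32.dats", 4_210),
    ("winexpoder.dats", 1_102),
    ("sysdiag32.exe", 50_176),
]

if __name__ == "__main__":
    for kind, names in triage(SAMPLE_LISTING).items():
        print(f"{kind}: {names}")
```

The body-name check is a heuristic: any .exe whose base name decomposes into two or more pool tokens is reported, so a legitimately named `runlog.exe` would be listed too. Treat `body_candidates` as leads to confirm (packer, size around 49 kB, MSVB) rather than as verdicts; the marker and data files are the stronger indicators.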
msc hotline sat
- Posts: 93500
- Registered: 09 Mar 2004, 20:39
- Location: BARCELONA (ESPAÑA)

Message by msc hotline sat » 17 May 2004, 18:47

On SOBER.G, we are expanding the information, in addition to uploading the new version 1.5 of the ELISOBEA.EXE utility that controls and removes it:
Virus Name: W32/Sober.g@MM
Risk Assessment: Corporate User: Low; Home User: Low

Virus Information
Discovery Date: 05/12/2004
Origin: Germany
Length: approx 49kB (UPXed)
Type: Virus
SubType: E-mail
Minimum DAT: 4349 (04/07/2004)
Updated DAT: 4361 (05/19/2004)
Minimum Engine: 4.3.20
Description Added: 05/13/2004
Description Modified: 05/14/2004 5:35 PM (PT)
(Virus Characteristics, Symptoms and Method Of Infection are unchanged from the description quoted in the post above.)

__________________________________________
To download the removal utility:
https://foros.zonavirus.com/viewtopic.php?t=23
Regards
ms, 17-05-2004