NUEVA VARIANTE DEL W32/SOBER "G" YA CONTROLADO



Post by msc hotline sat » 13 May 2004, 16:38

Thanks to McAfee's heuristic scanning, a new G variant of SOBER that has just been discovered is already controlled with the current DATs (since 4348):



DESCRIPTION OF W32/SOBER.G ACCORDING TO MCAFEE

__________________________________________



Virus Name: W32/Sober.g@MM

Risk Assessment: Corporate User: Low / Home User: Low







Virus Information

Discovery Date: 05/12/2004

Origin: German?

Length: approx 49kB (UPXed)

Type: Virus

SubType: E-mail

Minimum DAT: 4349 (04/07/2004)

Updated DAT: 4349 (04/07/2004)

Minimum Engine: 4.3.20

Description Added: 05/13/2004

Description Modified: 05/13/2004 6:56 AM (PT)








Virus Characteristics:

At the time of writing AVERT has not received any samples of this new W32/Sober variant from the field.







--------------------------------------------------------------------------------





Proactive Detection

This variant is proactively detected as W32/Sober.gen@MM since the 4349 DATs, with the 4.3.20 engine (with scanning of compressed files enabled - default setting).







--------------------------------------------------------------------------------





In common with its predecessors, this variant bears the following characteristics:



it is written in MSVB

it propagates via email, harvesting target email addresses from the victim machine, and constructing messages using its own SMTP engine.

messages may be constructed in both German and English languages (selected according to the target email address)

certain target email addresses are specifically excluded






Symptoms

Existence of the following files on the victim machine:



%SysDir%\bcegfds.lll (0 bytes)

%SysDir%\cvqaikxt.apk (0 bytes)

%SysDir%\datsobex.wwr (0 bytes)

%SysDir%\wincheck32.dats (size varies) - harvested email addresses

%SysDir%\winexpoder.dats (size varies) - list of recipient names (including the @) of harvested email addresses. So for name@domain.com, this file contains name@.

%SysDir%\winzweier.dats (size varies) - harvested email addresses

%SysDir%\xdatxzap.zxp (0 bytes)

%SysDir%\zhcarxxi.vvx (0 bytes)



The worm is intended to copy itself to the %SysDir% (eg. C:\WINNT\SYSTEM32) folder using a filename that is constructed from the following string pool:



sys

host

dir

explorer

win

run

log

32

disc

crypt

data

diag

spool

service

smss32






Method Of Infection

This worm is intended to spread by sending itself to email addresses found on the local system. Users must choose to run the attached files in order to become infected.



__________________________________________



THIS IS A NEWS EXCLUSIVE.



More details will be provided soon.



regards



ms, 13-05-2004
Last edited by msc hotline sat on 17 May 2004, 19:01, edited 1 time in total.


Post by msc hotline sat » 17 May 2004, 18:47

Regarding SOBER.G, we are expanding the information, in addition to uploading the new version 1.5 of the ELISOBEA.EXE utility that controls and removes it:



Virus Name: W32/Sober.g@MM

Risk Assessment: Corporate User: Low / Home User: Low







Virus Information

Discovery Date: 05/12/2004

Origin: Germany

Length: approx 49kB (UPXed)

Type: Virus

SubType: E-mail

Minimum DAT: 4349 (04/07/2004)

Updated DAT: 4361 (05/19/2004)

Minimum Engine: 4.3.20

Description Added: 05/13/2004

Description Modified: 05/14/2004 5:35 PM (PT)








Virus Characteristics:

Proactive Detection

This variant is proactively detected as W32/Sober.gen@MM since the 4349 DATs, with the 4.3.20 engine (with scanning of compressed files enabled - default setting).







--------------------------------------------------------------------------------





In common with its predecessors, this variant bears the following characteristics:



it is written in MSVB

it propagates via email, harvesting target email addresses from the victim machine, and constructing messages using its own SMTP engine.

messages may be constructed in both German and English languages (selected according to the target email address)

certain target email addresses are specifically excluded






Symptoms

Existence of the following files on the victim machine:



%SysDir%\bcegfds.lll (0 bytes)

%SysDir%\cvqaikxt.apk (0 bytes)

%SysDir%\datsobex.wwr (0 bytes)

%SysDir%\wincheck32.dats (size varies) - harvested email addresses

%SysDir%\winexpoder.dats (size varies) - list of recipient names (including the @) of harvested email addresses. So for name@domain.com, this file contains name@.

%SysDir%\winzweier.dats (size varies) - harvested email addresses

%SysDir%\xdatxzap.zxp (0 bytes)

%SysDir%\zhcarxxi.vvx (0 bytes)



The worm is intended to copy itself to the %SysDir% (eg. C:\WINNT\SYSTEM32) folder using a filename that is constructed from the following string pool:



sys

host

dir

explorer

win

run

log

32

disc

crypt

data

diag

spool

service

smss32






Method Of Infection

This worm is intended to spread by sending itself to email addresses found on the local system. Users must choose to run the attached files in order to become infected.



__________________________________________



To download the removal utility:



https://foros.zonavirus.com/viewtopic.php?t=23





regards



ms, 17-05-2004
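Added example, not part of either post above and not McAfee's or the ELISOBEA utility's code: a small Python check that looks in a given %SysDir% for the dropped files McAfee lists under "Symptoms" (the five 0-byte marker files and the three variable-size .dats files) and rates the evidence. The file names and their roles come from the description quoted in both posts; the sample directory built by demo(), the "suspicious"/"likely infected" thresholds and the use of %SystemRoot%\System32 as the default %SysDir% are this example's own assumptions.

```python
import os
import tempfile
from pathlib import Path

# Dropped-file indicators from the "Symptoms" section of the McAfee description.
MARKER_FILES = {  # 0-byte files the worm leaves behind as infection markers
    "bcegfds.lll", "cvqaikxt.apk", "datsobex.wwr", "xdatxzap.zxp", "zhcarxxi.vvx",
}
DATA_FILES = {  # variable-size files holding harvested address data
    "wincheck32.dats": "harvested email addresses",
    "winexpoder.dats": "recipient names (name@) of harvested addresses",
    "winzweier.dats": "harvested email addresses",
}


def default_sysdir():
    """%SysDir% on a Windows host, e.g. C:\\WINNT\\SYSTEM32 (assumed from %SystemRoot%)."""
    return Path(os.environ.get("SystemRoot", r"C:\WINNT")) / "System32"


def scan_sysdir(sysdir):
    """Return {filename: {"size": bytes, "role": str}} for every indicator file present."""
    sysdir = Path(sysdir)
    found = {}
    for name in sorted(MARKER_FILES | set(DATA_FILES)):
        path = sysdir / name
        if path.is_file():
            found[name] = {
                "size": path.stat().st_size,
                "role": DATA_FILES.get(name, "zero-byte infection marker"),
            }
    return found


def assess(found):
    """Rate the evidence: 'clean', 'suspicious' (a single hit) or 'likely infected'.

    Thresholds are this example's assumption: two markers, or a marker plus a
    harvested-address file, is treated as a strong match for the listed symptoms.
    """
    if not found:
        return "clean"
    markers = sum(1 for n in found if n in MARKER_FILES)
    data = sum(1 for n in found if n in DATA_FILES)
    if markers >= 2 or (markers and data):
        return "likely infected"
    return "suspicious"


def demo():
    """Run the check against a constructed sample directory, not a real host."""
    sample = Path(tempfile.mkdtemp(prefix="sober_g_sample_"))
    (sample / "bcegfds.lll").touch()   # constructed 0-byte marker
    (sample / "xdatxzap.zxp").touch()  # constructed 0-byte marker
    # constructed harvested-address file (content format is an assumption)
    (sample / "wincheck32.dats").write_text("user1@example.test\nuser2@example.test\n")
    found = scan_sysdir(sample)
    return found, assess(found)


if __name__ == "__main__":
    found, verdict = demo()
    for name, info in found.items():
        print(f"{name:18} {info['size']:>6} bytes  {info['role']}")
    print("verdict:", verdict)
    # On a real Windows host you would call scan_sysdir(default_sysdir()) instead.
```

The check only confirms or rules out the specific file names McAfee published; the worm's own executable is copied under a name built from the string pool listed in the description, so a clean result here does not replace a scan with current DATs or the removal utility linked above.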
