msc hotline sat (Posts: 93500; Registered: 09 Mar 2004, 20:39; Location: BARCELONA (ESPAÑA))
Post by msc hotline sat » 13 May 2004, 16:38
Thanks to McAfee's heuristic scanning, the current DATs (since 4348) already control a new G variant of SOBER that has just been discovered:
DESCRIPTION OF W32/SOBER.G ACCORDING TO MCAFEE
__________________________________________
Virus Name: W32/Sober.g@MM
Risk Assessment: Corporate User: Low; Home User: Low
Virus Information
Discovery Date: 05/12/2004
Origin: German?
Length: approx 49kB (UPXed)
Type: Virus
SubType: E-mail
Minimum DAT: 4349 (04/07/2004)
Updated DAT: 4349 (04/07/2004)
Minimum Engine: 4.3.20
Description Added: 05/13/2004
Description Modified: 05/13/2004 6:56 AM (PT)
Virus Characteristics:
At the time of writing AVERT has not received any samples of this new W32/Sober variant from the field.
--------------------------------------------------------------------------------
Proactive Detection
This variant is proactively detected as W32/Sober.gen@MM since the 4349 DATs, with the 4.3.20 engine (with scanning of compressed files enabled - default setting).
--------------------------------------------------------------------------------
In common with its predecessors, this variant bears the following characteristics:
- it is written in MSVB
- it propagates via email, harvesting target email addresses from the victim machine, and constructing messages using its own SMTP engine.
- messages may be constructed in both German and English languages (selected according to the target email address)
- certain target email addresses are specifically excluded
Symptoms
Existence of the following files on the victim machine:
%SysDir%\bcegfds.lll (0 bytes)
%SysDir%\cvqaikxt.apk (0 bytes)
%SysDir%\datsobex.wwr (0 bytes)
%SysDir%\wincheck32.dats (size varies) - harvested email addresses
%SysDir%\winexpoder.dats (size varies) - list of recipient names (including the @) of harvested email addresses. So for name@domain.com, this file contains name@.
%SysDir%\winzweier.dats (size varies) - harvested email addresses
%SysDir%\xdatxzap.zxp (0 bytes)
%SysDir%\zhcarxxi.vvx (0 bytes)
The worm is intended to copy itself to the %SysDir% (eg. C:\WINNT\SYSTEM32) folder using a filename that is constructed from the following string pool:
sys
host
dir
explorer
win
run
log
32
disc
crypt
data
diag
spool
service
smss32
Method Of Infection
This worm is intended to spread by sending itself to email addresses found on the local system. Users must choose to run the attached files in order to become infected.
__________________________________________
THIS IS BREAKING NEWS.
More details will be provided shortly.
Regards
ms, 13-05-2004
Last edited by msc hotline sat on 17 May 2004, 19:01, edited 1 time in total.
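The file indicators and the filename string pool in the Symptoms section of the McAfee description above lend themselves to a quick host check. The following Python script is an added example, not McAfee's detection, the ELISOBEA.EXE utility, or code from the original post: it scans a %SysDir% directory listing for the marker files and for .exe names that can be built entirely from the string pool, and extracts addresses from a harvested-address file so the exposed contacts can be listed. The .exe extension on the dropped copy, the one-address-per-line layout of wincheck32.dats, and the sample listing are assumptions constructed for this example.

```python
import os
import re

# Added example (not McAfee's detection or the ELISOBEA.EXE utility): check a
# %SysDir% listing for the W32/Sober.g indicators quoted in the post above.

# Zero-byte marker files and .dats files named in the Symptoms section.
MARKER_FILES = frozenset({
    "bcegfds.lll", "cvqaikxt.apk", "datsobex.wwr", "wincheck32.dats",
    "winexpoder.dats", "winzweier.dats", "xdatxzap.zxp", "zhcarxxi.vvx",
})

# String pool the worm builds its own filename from.
STRING_POOL = ("sys", "host", "dir", "explorer", "win", "run", "log", "32",
               "disc", "crypt", "data", "diag", "spool", "service", "smss32")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def built_from_pool(stem: str) -> bool:
    """True if `stem` is a concatenation of one or more STRING_POOL entries.

    Every split of the name is tried, so "syshost32" (sys+host+32) and
    "smss32" (a single entry) match, while legitimate names such as
    "services" (service + a leftover "s") and "svchost" do not.
    """
    stem = stem.lower()

    def rest_ok(pos: int) -> bool:
        if pos == len(stem):
            return True
        return any(stem.startswith(tok, pos) and rest_ok(pos + len(tok))
                   for tok in STRING_POOL)

    return bool(stem) and rest_ok(0)


def scan_listing(names):
    """Classify a %SysDir% listing. Returns (marker_files, suspect_exes).

    Assumption: the dropped copy uses an .exe extension; the description only
    says the name is built from the pool.
    """
    markers, suspects = [], []
    for name in names:
        low = name.lower()
        if low in MARKER_FILES:
            markers.append(name)
            continue
        stem, ext = os.path.splitext(low)
        if ext == ".exe" and built_from_pool(stem):
            suspects.append(name)
    return sorted(markers), sorted(suspects)


def harvested_addresses(text: str):
    """Extract e-mail addresses from a harvested-address file (wincheck32.dats
    or winzweier.dats). A regex is used because the description does not
    state the file layout; one address per line is only an assumption.
    """
    return sorted(set(EMAIL_RE.findall(text)))


# Constructed sample listing: legitimate system names mixed with indicators.
SAMPLE_LISTING = [
    "kernel32.dll", "smss.exe", "services.exe", "spoolsv.exe", "svchost.exe",
    "winlogon.exe", "bcegfds.lll", "winzweier.dats", "syshost32.exe",
    "explorerlog.exe", "discdata.exe",
]

# Constructed sample contents of wincheck32.dats.
SAMPLE_DATS = "alice@example.com\r\nbob@example.org\r\nalice@example.com\r\n"

if __name__ == "__main__":
    found_markers, found_exes = scan_listing(SAMPLE_LISTING)
    print("marker files :", found_markers)
    print("suspect exes :", found_exes)
    print("harvested    :", harvested_addresses(SAMPLE_DATS))
```

On a real host the listing would come from `os.listdir()` of the System32 folder; any hit on a marker file is decisive, while a pool-built .exe name only warrants inspection, since the pool contains common words. Because the worm mails itself with its own SMTP engine, outbound TCP/25 from workstations that are not mail servers is the matching network-side indicator.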
Post by msc hotline sat » 17 May 2004, 18:47
On SOBER.G, we are expanding the information, in addition to uploading the new version 1.5 of the ELISOBEA.EXE utility, which controls and removes it:
Virus Name: W32/Sober.g@MM
Risk Assessment: Corporate User: Low; Home User: Low
Virus Information
Discovery Date: 05/12/2004
Origin: Germany
Length: approx 49kB (UPXed)
Type: Virus
SubType: E-mail
Minimum DAT: 4349 (04/07/2004)
Updated DAT: 4361 (05/19/2004)
Minimum Engine: 4.3.20
Description Added: 05/13/2004
Description Modified: 05/14/2004 5:35 PM (PT)
[Virus Characteristics, Symptoms and Method of Infection sections identical to the McAfee description quoted in the 13 May 2004 post above.]
__________________________________________
To download the removal utility:
https://foros.zonavirus.com/viewtopic.php?t=23
Regards
ms, 17-05-2004