Sober.r

First Report: 2005-10-06 03:47
Last Update: 2005-10-27 23:40
Risk Rating: Medium Risk

Aliases:
CME-151
Email-Worm.Win32.Sober.s
Email-Worm.Win32.VB.ba
I-Worm.Sober.U
Sober.S
Sober.S.dr
Sober.Y
Trojan-Dropper.Win32.VB.iv
VB.iv
W32.Sober.Q
W32.Sober.Q@mm
W32/Sober-O
W32/Sober.r@MM
W32/Sober.r@MM!CME-151
W32/Sober.r@MM!M-151
W32/Sober.S.dr
W32/Sober.Y.worm
Win32.Sober.S@mm
WORM_SOBER.AC

Virus Alerts:
Secunia issued a MEDIUM RISK alert for this virus.
2005-10-06 12:55

Information From AntiVirus Vendors

Below you will find virus information from different antivirus vendors included in this Secunia Virus Profile. Information about the virus along with links to removal tools will be listed below when available.
The information provided is sorted by the date on which the information first became publicly available on the antivirus vendors' websites. The earliest available reports are displayed first. Please note timestamps are in GMT+1.

#1 - MCAFEE

W32/Sober.r@MM
Severity: 3/7
File Size: 113,551 bytes
Reported: 2005-10-06 03:47
Last Update: 2005-10-18 23:42

Description:
Due to a decrease in prevalence, the risk assessment has been lowered to Low-Profiled.

ChangeLog:
Changes are listed in chronological order with the latest changes first.

2005-10-12 23:47
Severity was decreased from 4/7 to 3/7.

2005-10-12 23:47
Description was changed.
New: "Due to a decrease in prevalence, the risk assessment has been lowered to Low-Profiled."
Old: "The risk assessment of this threat has been raised to Medium due to prevalence."

2005-10-06 08:17
Updated information about removal tool/instructions.

2005-10-06 04:57
Severity was raised from 2/7 to 4/7.

2005-10-06 04:57
Description was changed.
New: "The risk assessment of this threat has been raised to Medium due to prevalence."
Old: "AVERT is currently analyzing this threat. Details will be posted shortly."

2005-10-06 04:32
Description was changed.
New: "AVERT is currently analyzing this threat. Details will be posted shortly."
Old: "AVERT is currently analyzing this threat. Details will be posted shortly. Top of Page"

#2 - SYMANTEC

W32.Sober.Q
Severity: 2/5
File Size: -
Reported: 2005-10-06 05:20
Last Update: 2005-10-06 06:40

Description:
W32.Sober.Q@mm is a mass-mailing worm that uses its own SMTP engine to spread. It sends itself as an email attachment to addresses gathered from the compromised computer. The email may be in either English or German.

ChangeLog:
Changes are listed in chronological order with the latest changes first.

2005-10-06 06:40
Description was changed.
New: "W32.Sober.Q@mm is a mass-mailing worm that uses its own SMTP engine to spread. It sends itself as an email attachment to addresses gathered from the compromised computer. The email may be in either English or German."
Old: "Symantec Security Response is currently investigating this threat and will post more information as it becomes available."

#3 - SYMANTEC

W32.Sober.Q@mm
Severity: 2/5
File Size: -
Reported: 2005-10-06 08:44
Last Update: 2005-10-27 23:40

Description:
W32.Sober.Q@mm is a mass-mailing worm that uses its own SMTP engine to spread. It sends itself as an email attachment to addresses gathered from the compromised computer. The email may be in either English or German.
It has been reported that it may arrive as one of the following files and that inside the ZIP archive is a file named PW_Klass.Pic.packed-bitmap.exe:
KlassenFoto.zip
pword_change.zip

ChangeLog:
Changes are listed in chronological order with the latest changes first.

2005-10-27 23:40
Description was changed.
New: "W32.Sober.Q@mm is a mass-mailing worm that uses its own SMTP engine to spread. It sends itself as an email attachment to addresses gathered from the compromised computer. The email may be in either English or German.
It has been reported that it may arrive as one of the following files and that inside the ZIP archive is a file named PW_Klass.Pic.packed-bitmap.exe:
KlassenFoto.zip
pword_change.zip"
Old: "W32.Sober.Q@mm is a mass-mailing worm that uses its own SMTP engine to spread. It sends itself as an email attachment to addresses gathered from the compromised computer. The email may be in either English or German."

2005-10-07 13:44
Updated information about removal tool/instructions.

#4 - F-SECURE

Sober.S
Severity: 2/3
File Size: -
Reported: 2005-10-06 11:11
Last Update: 2005-10-06 15:45

Description:
Sober.S worm started spreading on October 6th, 2005. This Sober variant sends itself as an attachment in e-mail messages with English or German texts. The worm has bugs and quite often sends broken attachments.

ChangeLog:
Changes are listed in chronological order with the latest changes first.

2005-10-06 15:45
Updated information about removal tool/instructions.

2005-10-06 12:51
Severity was raised from N/A to 2/3.

#5 - F-SECURE

Sober.S.dr
Severity: 2/3
File Size: -
Reported: 2005-10-06 11:51
Last Update: 2005-10-06 12:51

Description:
We started to get reports about a new dropper for Sober.S worm at noon on October 6th, 2005. This dropper drops exactly the same Sober.S variant that started to spread early in the morning. When the dropper is run, it shows a messagebox as a decoy:

ChangeLog:
Changes are listed in chronological order with the latest changes first.

2005-10-06 12:51
Severity was raised from N/A to 2/3.

2005-10-06 12:51
Name was changed.
New: "Sober.S.dr"
Old: "VB.iv"

Please note: The information that this Secunia Virus Profile is based on comes from a third party unless stated otherwise.
The grouping process is done completely automatically, therefore minor inconsistencies may occur. For more information about Secunia Virus Information, please read: About Virus Information.