Hi all,
there is a new outbreak of the Sober worm - especially in German-speaking countries and Central Europe. The update is already out.
Good luck!
Pavel
Central Europe and Germany, you say? That’s not far away from me hehe
Btw, why don’t you use iNews for such notices?
If you ask me, it is originating in Germany (Versatel). For the last +/- 2 weeks I have had tons of blocked intrusion attempts on ports 135 and 445 and, with the exception of a few, they all came from Versatel users.
Noticed today a lot of infected mails with the new version of Worm.Sober - interesting, from addresses such as: hostmaster@hotmail.com
I’m in Austria
br
Peter
Is the Sober H virus the same as this one?:
Sober I
Yes, this will be the same one. It’s just that some AV vendors use different names.
Kind Regards
Jlo
Has anyone here been hit by this one yet?
Good morning to all…
I just received an email and Avast! immediately caught it. I did the recommended action of deleting it. It was Sober H…
So now I will do a boot time scan–right?
I must say…the warning sound itself sure woke me up!
Thank you Alwil for the protection!
cojo
ps first virus in several months that has come through.
If avast! caught the virus in the e-mail (when you received it), it didn’t actually get through. So, I’d say there’s no need for a boot-time scan - you should be still clean.
thank you, Igor!
I was sitting here wondering if I needed to run every security measure I have to make sure I’m clean…thanks for your fast response!
cojo
I’m in Canada… I received this virus tonight, but avast! recognized it and automatically sent it to chest (as per my setup). Avast! worked great! Thanks Alwil!
For those interested, here were the headers (I only removed my email address)… my ISP is named “Magma” …
X-x: TimeOut+OK 78808 octets follow.
Return-Path: webmaster@hotmail.com
Received: from queue1.magma.ca (queue1.magma.ca [206.191.0.234])
by in1.magma.ca (Magma’s Mail Server) with ESMTP id iAM2Jk7N022928;
Sun, 21 Nov 2004 21:19:52 -0500
Received: from queue2.magma.ca (queue2.magma.ca [64.26.180.134])
by queue1.magma.ca (8.13.0/8.13.0) with ESMTP id iAM2J13j028582;
Sun, 21 Nov 2004 21:19:03 -0500
Received: from xwyrorhnm.com (ts1-297.f1782.globetrotter.net [142.169.185.58] (may be forged))
by queue2.magma.ca (8.13.0/8.13.0) with SMTP id iAM2GX3E012680;
Sun, 21 Nov 2004 21:16:45 -0500
From: webmaster@hotmail.com
To: (REMOVED)@magma.ca
Date: Mon, 22 Nov 2004 01:50:49 UTC
Subject: [avast! - INFECTED] Delivery_failure_notice
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID: c34cb.4f3cc22ed518fd@tfobot.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=“==8fedf6159.7575eaee”
Content-Transfer-Encoding: 7bit
X-Spam-Status: X-Spam-Status: hits=2.9
X-Antivirus: avast! (VPS 0447-1, 11/19/2004), Inbound message
X-Antivirus-Status: Infected
Attachment: \hotmail449.zip Virus: Win32:Sober-H [Wrm] Moved to chest
This is a multi-part message in MIME format.
–==8fedf6159.7575eaee
This mail was generated automatically.
More info about --HOTMAIL-- under: http://www.hotmail.com
Occured_Errors:
234.57.198.38_does_not_like_sender.
The corrected mail is attached.
Auto_Mail.System: [hotmail]
--* Anti_Virus: No Virus was found
--* MAGMA- Anti_Virus Service
--* http://www.magma.ca
avast! Antivirus: Inbound message INFECTED:
\hotmail449.zip (Win32:Sober-H [Wrm]) Moved to chest
Virus Database (VPS): 0447-1, 11/19/2004
Tested on: 11/21/04 10:33:13 PM
avast! - copyright (c) 2000-2004 ALWIL Software.
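Added example (not part of the original post, and not avast! or Magma code): the Received chain quoted above, read newest-first the way a mail admin would, to show that the hotmail.com sender is spoofed. The trusted-domain list, the function names and the re-indented continuation lines are assumptions made for the illustration.

```python
import re
from email import message_from_string

# Headers from the post above; continuation lines re-indented so they fold (assumed layout).
RAW = """\
Received: from queue1.magma.ca (queue1.magma.ca [206.191.0.234])
 by in1.magma.ca (Magma's Mail Server) with ESMTP id iAM2Jk7N022928;
 Sun, 21 Nov 2004 21:19:52 -0500
Received: from queue2.magma.ca (queue2.magma.ca [64.26.180.134])
 by queue1.magma.ca (8.13.0/8.13.0) with ESMTP id iAM2J13j028582;
 Sun, 21 Nov 2004 21:19:03 -0500
Received: from xwyrorhnm.com (ts1-297.f1782.globetrotter.net [142.169.185.58] (may be forged))
 by queue2.magma.ca (8.13.0/8.13.0) with SMTP id iAM2GX3E012680;
 Sun, 21 Nov 2004 21:16:45 -0500
From: webmaster@hotmail.com
Message-ID: c34cb.4f3cc22ed518fd@tfobot.com
"""

# sendmail-style line: from HELO (rDNS [IP] (may be forged)) by RECEIVER
HOP = re.compile(r"from (\S+) \((\S+) \[([\d.]+)\]( \(may be forged\))?\)\s+by (\S+)")

def org_domain(host):
    """Naive registrable domain: last two labels (wrong for suffixes like co.uk)."""
    return ".".join(host.lower().strip("<>. ").split(".")[-2:])

def edge_hop(msg, trusted):
    """Newest-first, return the first hop handed over by a host outside `trusted`.
    Anything below that line was supplied by the sender and proves nothing."""
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m and org_domain(m.group(2)) not in trusted:
            return dict(zip(("helo", "rdns", "ip", "flag", "by"), m.groups()))
    return None

def spoof_findings(raw, trusted=("magma.ca",)):
    msg = message_from_string(raw)
    claimed = org_domain(msg["From"].rsplit("@", 1)[-1])
    hop, out = edge_hop(msg, trusted), []
    if hop is None:
        return out
    if org_domain(hop["rdns"]) != claimed:
        out.append(f"From says {claimed}, but mail entered from {hop['rdns']} [{hop['ip']}]")
    if org_domain(hop["helo"]) != org_domain(hop["rdns"]):
        out.append(f"HELO name {hop['helo']} does not match rDNS {hop['rdns']}")
    if hop["flag"]:
        out.append("receiving MTA marked the rDNS name '(may be forged)'")
    if org_domain(msg["Message-ID"].rsplit("@", 1)[-1]) != claimed:
        out.append("Message-ID domain differs from From domain")
    return out
```

On these headers all four checks fire: the message entered Magma's servers from a globetrotter.net dial-up host, not from anything belonging to hotmail.com.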
Received 3 emails with worm …so has hit Australia as well.
Thanks avast! they didn’t get through
Cheers! Phil
Have since some days up to 10 mails with this nice little add on >:( - no problem so far all caught.
br
Peter
Avast works great against this Worm! I live in Germany and get about 5 - 8 of these mails at Yahoo.de. But they never come through thanks to Avast! Great Work there ^^
Yes & Avast! caught it, but I’m afraid I had an earlier version of it that’s still on my computer. I do have the Windows\System32 file when I did a search for it. Is it safe to delete this file?
Happy holidays everyone!
If you are using an NT based OS, like WinXP, then you could schedule a boot time scan.
I wouldn’t advise deleting anything in the Windows\System32 folder without investigation; once deleted, you could seriously damage your system. Try moving it or renaming it slightly (assuming Windows will let you do it).
avast! should be able to detect earlier versions, but for peace of mind you can check the offending file (the name you didn’t give) at Jotti - Multi engine on-line virus scanner www.virusscan.jotti.dhs.org
Or use one of the on-line scanners as a second check of your system - On-line Virus Scanners and other useful Links Security.Ops.tk