Sober

Hey all,

So I consider myself to be tech savvy, work with media and technology, but…I have a question about this round of Sober viruses.
One day, all of our email accounts in our office started getting a huge amount of spam with the sober virus attached. Avast catches the bugger, and it gets deleted. However, the email addresses that are delivering this spam have become, close to, or similar to those in our address books, including my own email address. I understand that this is what the virus does when it infects a machine, stealing addresses and sending them off with ye olde virus, but…if avast is catching it, how is it still stealing our addresses?
I have run avast, and trend micro, and nothing comes up as infected…
Can someone give me a clue as to what’s going on? We have a pretty big network, and can’t really afford something to go running wild.
Thank you for your help.
Chad

Please go HERE to read some about what Sober does. I am not much help otherwise. :slight_smile:

What’s even stranger is…the version is Win32:Sober-AB2 and I cannot find it on symantec.com…strange indeed, but thank you for your help…any other help would be great…
cheers…
chad…

Hi video-geek,

First you look for symptoms of a Sober infection: files like winsend32.dal, winroot64.dal, cvqaikxt.apk, symms32.lla, agssxy.yoi, zippedsr.piz, nonzipsr.noz, winexerun.dal, etc. mean infection.
See info here: http://www.emsisoft.de/de/malware/?Worm.Win32.Sober.I
For an in-depth analysis go here:
http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=viewVirusDetailsInfoDirectly&fid=107265
New variants may arrive as zip files. There is no danger as long as the zip file is not opened. Spam from other sources infected with Sober is also possible, and I hope for you that is what it is.

greets,

polonus
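A quick way to check a host for the indicator filenames polonus lists, as an added Python example that is not part of this thread; the directory tree it scans is constructed by the script itself, so it runs offline:

```python
import os
import tempfile

# Filenames named in the post above as signs of a Sober infection.
SOBER_INDICATOR_FILES = {
    "winsend32.dal", "winroot64.dal", "cvqaikxt.apk", "symms32.lla",
    "agssxy.yoi", "zippedsr.piz", "nonzipsr.noz", "winexerun.dal",
}


def find_sober_indicators(root):
    """Walk `root` and return sorted full paths whose basename is an
    indicator file. Matching is case-insensitive because Windows
    filesystems are, so a dropper writing WinSend32.DAL is still caught."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in SOBER_INDICATOR_FILES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree (not real infection data): one harmless file
    and two indicator files, one in mixed case, inside a subdirectory."""
    root = tempfile.mkdtemp(prefix="sober_demo_")
    subdir = os.path.join(root, "sample")
    os.makedirs(subdir)
    for name in ("notes.txt", "WinSend32.DAL", "zippedsr.piz"):
        with open(os.path.join(subdir, name), "w") as fh:
            fh.write("demo")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for path in find_sober_indicators(demo_root):
        print("indicator file present:", path)
```

Point `find_sober_indicators` at a real system or user profile directory to run the same check on a host you suspect; an empty result means none of the listed filenames are present.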

thank you mate…
I think we’re going to be okay…but there are still some questions that I will figure out…
cheers…
chad…

Symantec calls this one W32.Sober.X@mm; you can read about it here: http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.x@mm.html