Win32:Sober-N

Hi all. My wife's computer seems to have Win32:Sober-N despite having Avast installed.

How do I get rid of this virus? Avast doesn’t seem to recognise it?

Many thanks

avast! does detect Sober.N. Make sure that it is up-to-date.

Symantec have a Sober removal tool which will remove the infection: http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.removal.tool.html

Ok this is weird.

I ran the Symantec tool to kill the Sober-N but it says it cannot find the virus!

So Avast comes up with the warning dialogue box message saying Don’t panic blah blah Sober -N Wrm detected in message… I click delete and then in the inbox appears a message with subject text:

[avast - INFECTED] your email was blocked

This is the body of the email:

This is an automatically generated E-Mail Delivery Status Notification.

Mail-Header, Mail-Body and Error Description are attached

*** Server-AntiVirus: No Virus (Clean)
*** “BEAUTYBYCORINNE.COM” Anti-Virus
*** http://www.beautybycorinne.com.au



avast! Antivirus: Inbound message INFECTED:
\error-mail_info.zip#1997431942 (Win32:Sober-N [Wrm]) Moved to chest

Virus Database (VPS): 0518-3, 04/05/2005
Tested on: 5/05/2005 7:15:23 PM
avast! - copyright (c) 1988-2004 ALWIL Software.
http://www.avast.com

Does this mean in fact the PC is not infected with Sober-N and avast is blocking it?

If so, why in the last 24hrs have there been about 30 emails to my wife's address from all weird email addresses trying to send this virus?

Any help appreciated.

That means that avast! has blocked it before it could do anything.

If so, why in the last 24hrs have there been about 30 emails to my wife's address from all weird email addresses trying to send this virus?

Someone she knows or has communicated with, who has her email address in their address book, has an infected computer and is sending out infected emails with forged from email addresses.

Ok thanks guys.

Any way of telling who is sending the messages so we can let them know?

Not likely, as the e-mail addy is spoofed.

It is very difficult to tell, but it is possible to examine the email headers to track the route taken by the email.

Even if you did manage to track down the originating ISP’s email server, it won’t tell you who sent it. It would be total guesswork and a bit of a waste of time, and sending emails to either everyone in your address book or only those with the same originating ISP domain name would only serve to add to email traffic.

Try going to http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm and let them check your system out.
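
The header examination mentioned in the reply above, as an added example that is not part of the original thread: it walks the `Received` lines of a message oldest-first and compares the first hop with the claimed From domain. The sample message, host names and IPs are constructed (documentation-reserved ranges), and `relay_path` and `summarize` are hypothetical helper names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; hosts, IPs and addresses are made up and use
# documentation-reserved ranges. It is not the message from the thread.
RAW = """\
Received: from mx.recipient-isp.example (mx.recipient-isp.example [198.51.100.10])
\tby mailstore.recipient-isp.example with ESMTP id A1; Thu, 5 May 2005 19:15:20 +1000
Received: from smtp.sender-isp.example (smtp.sender-isp.example [203.0.113.25])
\tby mx.recipient-isp.example with ESMTP id B2; Thu, 5 May 2005 19:15:10 +1000
Received: from oemcomputer (dsl-7.sender-isp.example [203.0.113.77])
\tby smtp.sender-isp.example with SMTP id C3; Thu, 5 May 2005 19:15:02 +1000
From: "Postmaster" <postmaster@unrelated-domain.example>
To: recipient@recipient-isp.example
Subject: your email was blocked

body
"""

# "from <helo> (<reverse-dns> [<ip>]) by <server>", a common Received layout.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def relay_path(raw):
    """Return hops oldest-first; every mail server prepends its own line."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(value)
        if m:
            hops.append(m.groupdict())
    return hops

def summarize(raw):
    """Compare the claimed From domain with the first recorded hop."""
    hops = relay_path(raw)
    sender = parseaddr(message_from_string(raw).get("From", ""))[1]
    from_domain = sender.rpartition("@")[2].lower()
    origin = hops[0] if hops else {}
    rdns = (origin.get("rdns") or "").lower()
    # From is chosen by the sending program. Received lines are only reliable
    # from the first server you trust upward; older ones can be forged too.
    return {
        "from_domain": from_domain,
        "origin_ip": origin.get("ip"),
        "from_matches_origin": bool(from_domain and rdns.endswith(from_domain)),
        "hops": [(h["ip"], h["by"]) for h in hops],
    }
```

On the constructed sample the first hop identifies a DSL line at the sending ISP, which is as far as the headers go: they name a connection, not a person.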