Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Sober Virus Clones Taunt AV Vendors



 By: Ryan Naraine
2005-11-15
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Anti-virus researchers detect a new batch of Sober virus clones seeding botnets for malicious use.

A new batch of Sober virus clones has been spammed around the world to seed botnets for malicious use, anti-virus vendors warned Tuesday.

The appearance of the latest threat comes 24 hours after law enforcement authorities in Germany predicted the Sober mutants would appear as e-mail attachments in German or English.

According to F-Secure Corp., an anti-virus vendor based in Finland, at least four new versions of the virus have been detected. All are capable of disabling anti-virus programs, dropping a Trojan horse and opening a backdoor to connect to a remote server.

The Sober threat first appeared on the Internet in October 2003 and has been used in recent months to spread German right-wing extremist nationalism.

Virus writers have also used the excitement associated with next years World Cup soccer tournament to trick users into executing the virus.

Resource Library:

In the latest attack, F-Secure researcher Alexey Podrezov said the virus writers left a message in the code that taunts anti-virus vendors.

"This time the author of Sober worm changed the encryption algorithm for text strings in the worms body. And he included a message for anti-virus vendors in the worms body basically saying that Use your debuggers, its fun," Podrezov said in an advisory.

Read more here about the Sober virus preying on soccer fans.

The latest version also creates several empty files in the Windows System folder to deactivate previous Sober variants.

"This particular Sober variant checks for the file called filesms.fms, and if such file is found, the worm deactivates itself," Podrezov said.

Upon infection, the virus deactivates security programs installed on the computer, including Microsoft Corp.s Windows AntiSpyware and McAfee Inc.s Stinger.

The virus code includes instructions to use Port 25 to send e-mails and Port 587 to connect to certain Yahoo servers.

McAfees AVERT (Anti-Virus Emergency Response Team) has also spotted four new Sober variants—W32/Sober.s@MM, W32/Sober.t@MM, W32/Sober.u@MM and W32/Sober.v@MM.

McAfee rates the risk to corporate and home computers as "low" and published removal instructions to help affected users.

F-Secure, Symantec Corp. and other anti-virus vendors have also added signatures for the latest variants.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.





  Reader Comments: Sober Virus Clones Taunt AV Vendors
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}v69yDى)RwjlmMlcR$$1HI٭Η?ٗg*BItzK'%\ BUP o{$K[ kLl}fRK e$5޼yC~4to2]!5MQ5~wT]1Z>u3MpXΛD!H/ԞTa@]2x7 ͷtL&%%Q5EhDQGsoe #B=..Q^ M[ EX'/[vb0F΄ۮT#N%۹ߜqؓ&Ithl5D`IR"fxmSO(ÑcPWMۅT* fF0;k!TKkb=Ƕ<ۥ:>Bc 3IUO_FBK8ɗc`>4*^*GJnUsۏiXNe{ѾޥR rtջ\dQPwZ@ږȫjX8v{>~l_^;r  + VVR1W`jLTW*b}g" SmbAG,{/B+oVo[JGłR KŹY̎kxfV҈ g|^9Bf9Og򳹥}ovzmo^v>1fWCP*]iFȏFժs}ֽ-9k윶{ KtHu Wh: ?N[_lxmķxyjz dPK9LóZ|$3??ݴćZ7N.;$#]Tg䗋%0殺gPMYn_gH&.Ŝa屲(93i)ߖN@·[@8+:?::m&To2 SK_3㡑9nZK}0[#RFp& \ ДAC[ذ 1"% JP,.|i* b q"E[̧ˊgoF".y <=r!DKI88쁉U̯.S3UsqZoV͉*]X]uUjZlBwE?ĴwmkҼ0|UI70igGեn]=&:3 !pN=H)Fp&zTmP`ٮ$UǖA ϛLs%08{Ƀ5z90ݻCiz`y1&Cդw; TgPg ,u]< w@Lgc 6GX[}P S&x KF P P|+sZ( _ g dRJs⣋ 4.g@)AH =im99 ł(#!|e6Os@PGҥ=rsvn4K {TKh!+K@fsf`(4{~4mbBdFN!t(0VRx5Vn-`oJJP8Sƽ XCtH{23L` [P'g*4$b.* dyF0sǮ̇H6(qa6Â0ӊYsƾ sҸF@Mg95,X0N mBB+H5L´Lh@iob?bsYqL9^\%mCl fGaMv"Vn6P0SM|J9;iX+(s7UBsN@B/W2 \_&VAB5 6d:ɤPlg';oW d8$|ree* ?{`ř9 FL@]('{JFJV >zh'>eg HIu+XKnu7RumB$l Cs4 m/2$&@H1ٖk+,:jɯv%& ƐiD+BYMU+VF-埯GݎB߉ |4q`(1Z3l%3Z06XzzI% WlvcSքw&8` {Tu90LwwTzY< ~};݁mrΙ|ppZOcv"O`V$O Or7t%]YXH`+ ģCYR-~T V8| G?!a⢉!O&hӚ<<kjU Bf76p~c8@LsӬ?b((Tk?R=95xA0TNBc$D!2>:ѵo%% gb(OL όEkΗX[WXxN*,7ؘAԙ`xgyϤͬ`#|3{NM{9~k jM|k[; Uɝ:Θ2I1:t<C2v/1Կ,:c2R*?n\ ;+2gP7]?g0MϦ6ѯk0ͮ 2 +3 nxg ܱt CsZ#<;30\>w6EbO 5#CQ&JA~Nt\ŞVڲJ~yb395A?lۥ@qm9.h%2"Թ}XM-60-.T*Ej@B9b]f*ch\U~MITKy},(cʌQ%o(SYMiq#,F.҂^6N31aEl_/q)րݤNTV 禮ouJ-_k~.E̒W-U=9Uu?7Pk䶰Wڽv?bIT˲X\H#UT-Ve%fݳY@Np]Fm g6EKBbُ߯͵8kLw9 =dV^tM$"D:Wm~=/=> 2`i8Fn8$Q!s_^IE {{:;\nymv>-dG4rWU}Z|I{ٽsݖ⽎7΃ u~xuy}|U4FHv6fhmǛ&Ev!,zIa+"TX()oY3 ^8>B3Z07LMEuiřA/PEN Rt4zUr:^ER}ǭ:I󃗉 NANls_ǃu9n1~KP -Mu?oSujikNA"{-~=?+ /䎑i?=:$Sk=\P'i.;ĖSȩ/RB<<qh:ZX. eH5N# YuI@~LN"C]F+$OowӺޞ4<6ޥ]ƙWxvImc%yp:fKe KpkP i2+ c->ϓg|!EY-Vy;9: C>Ex9&QC>u?:Jl; CұgX#;^lwʜW#}`v , KN͓W>2l{Rѵl<>Udnڄ `ֳ|c4GϝN(|v&xm$4.-x9wy!k ?~I 27(4t[ca9E$kRSհ?r%>i]۷uja~%X|O%|$^?} l R>4dXm7:G9ϯtG٫^=h6Ş`44աٿO?eR=Keyc!SǯR٘NBE Bʶ-2NIJf/]L`M#}۾Jf87k^h w44jjݷ0{Kك:rxB5?2i8e~W!BCمmȲܲȥe%(S|-/^Sr>^FE j OKt1ڮ/=a Fuo&m;N]K?`f73F6@08^jɼgTYo ADVΣ~]c~m)gI&rd |* v4..߭[ݚ8)<A~A< vH4)3xؗF}6if;⫆̖u õaV aj8-~b5 ߊ;bE#Ɠtǟ-ۊ&ZQ|=N8S{K4/ kMֿn}cb֚kKLBI qIM{fr+8&/ xۡ+V͢%Kl-1hO ˗xV:F yplR| Lt4+v׬XZgY|:s 'SMѧpgeO*~=*Jt1lrFGra1Mɉ[֑mK Gyx$dUbק$ҥ ۖ >q$Mn>[+_"RM\^ɲ]J"-lv)%r/jY!1ץjc"@x##.&䪈p{1tc~e4b~ v x=Qy ?:)5{zYp!;0ҘZFqrQėtԄ{ E-|:,jȰweXo/iM64qA\~9 LIщfc1ס6cCv6DŽ_PC!,af+$o*!u;۝J=G}dJo!vP1:Cau-27X(\AYף\B:\[_P%|!N. qC,X`Y]I,Dє\*BRUFTlt8Xaqa='^/7bTb'v9yPږ]/Nm&EߖV)>4 5X)(^j:}c\i&wN~Rסzԛ9ŨWbu%%|(e!a$+4q侉~!ؑ?Aԕm3|f|wB>Qk̕:.ԛQ9Ł8P@IϠlɀ omx"e~s;1ZMsJo>USm1 \F>[Y9t{jIRP.6f6,B$"Q11{ HDr4V -V_@89ҕHm)jXնw!c|rB $*A$o*ލ !-ĺeI)JŭZŕ-!q5=LNO(MQ[±Qߖ խknSj'JJIW1l  sCňZ楸3mƥRid0C|O@5O I {`È@@ܽe?TWf]#.7w+J`‹3E W0%G_%usK11aH[vY=ihLr^N\ĥS)lg2>3\jwTp&.RdcYҏ`@;7CD;8!|kL[a;V~ mPmnYpA'ϙ3tcO:όomۿ7uR H"ߚnjuی]ss-G]-KjϩdKwl,iAu"PIT9 q)-QUvX6+1&WQDuo,P5{OGxG4=t)FHb!Rr B9 }mͰ5!ܶek dIrug>w}Qav;(?u5di>$|AyG=v&kJX5Vdu3kn,kT5WOt TJ<R<?T"y!ޕ.hG:4wU ɒWkgt:ӒUky5AXo0@n-Fu9N vгtiSKU9]` }B6*#OFuZ{ ە+O5mgb](@[{`)ِ:T1Z$EX-<3sPzi^wDQ]`=We~H-vl/X@A" B#kBڅqp/yv73`jX`2!b ϖ_=)է SDo6`hœqǖ{[tp;Zv0ڨQ> ¸8smYZd|c]ᥙJ!~(l[9c+@m \-lY[`8̳›፨: +RX_^1˹tj?Хi:+QH_HGlpܙYw&d~O2@04kIY'\ZHec|$!L43+Fș5_=|Zw#98^"O Yg|y }_&?ygȖUx~nuT]ݷ(̋2oe=?]D GP ђ,ÑBuyzUcpd1 MU͵ ?t3+7@e {ds 8:T C__Q¯ţqRt(c`a$$UuImlˁ/ :àԉ,,^wh6/$`a.?`n3v1V>C-2?' &Sv}a0jDpϟY)z;чN W<,w{tTQrc[qSXW2n? @~_tbGv$P.`b1)pA" "6,se5F?P"㻽08QgN'*B0M4>(C^P^)naI{Ed9~dL2Tk,}8ʏj+JK++ ,U y鐱 Z|D, Rxc)Bˉ ʢK:lIﱠ%e3.NUs H"ΉTh,V>5}1MBU9ʯ\y.he,zTdQ<&/ CzljSGuFOSj9*ɥUjTS TkRg׆Òkjbxc;XyVy B;7O.қ0N4s|,TNAxڧڄGC[TcvX],wt~<;A;l%aZ e~2M>) D}jE;׾kZ1/11p1Ñ\օ'c0,nm\.Jsm[Ra )zd0vXߘRF+,kG ň6+O1l|Xa>X(+"\ZWسG>^Z])v(7FWݥ{,cdq .3:_a#i7t]ct3>н^&hփz_ayZ~\`{ c+Kʏ?Y+ 6ǶWcn5Jۅ]aIJ!%N'09P-2Ca6#Dsf8T J}|Csra6ފۓj rKU,?8`hîֿĤ|͈Vs% .FW[`B;|)W'nJiVmI|/\CP |H٫R|.ԔA=Y75 U@+q,තI}h㏂17kukV0'qH;J0_(ޮ hp~3l@1"62?"q:Na\eu , \qx1Y~%\VH;t2.փފ> rF@2-ŐxY'-RWldfB"@ѐ)ulߵ?#?:}׻lzxX2d LpH01wNU `H÷m$? ƒsH,.,+ra S|)ў;:Kx$]'{!uu}cPr8G}8{Ѿ)E J\aHp=S3Z"Q\1@Q>cMp4aBRdPh"?{("`"1/aX9c3bwrM/4z^:$&(/p D {GLƙ;fRWsvuH|H"'B@s ,PV: / j!n Q&@ؔt7QI8:L: ̱=`\xp`%>;Nx̏NN} &pj@Kl͒jg:jTP g>򽉡z0u3cdb[7K RyLb ] 4B<=9Q1jX, =rH?%1btu314OFx` s3fWΟs[>֊_%ߩ;'ݳOݛOm纟i.>-yh5ۼTW6a9)@_NQʩ٤֘ksYx9% e w8l1'Q_n(E_VC,aW~Kab^9)oݶ{B:R[AiYW'>pȩh5 >r:X)FIc csx@C| k_O{4׊e[)?C)B)>JB~7%9> hpN?@Oa}E'Ӽe|_'\C;)iK_05R J _^ sB+*+ϫJO?Bǔ ȿH#% Ra|S:E~aSƯ _)&?nMJ[{/>_?@/?}Hᯏ1-GA]Z>] Aw)ݥ_|y[)rֺ)IJ~9,S ?EUOXi7)ZeM +L)W~y>E{+sg+i,W>s+,/_xڞpڭ&])hq_l %^a/TZE/ވM.^AQyE#BhtoD.s$&}:=ϯ1پWߕ\~SnE+tžbtϧXE 'sNl>mJ16|da)N9|, 5½KqǜZ?|k2?5È8{o\pm`㦠ǻ݌ē-/:)7p{Zwy\wڝZWueaDb;w oCdr'+8yY(xZLxE6ޢ@ 8r0׀x7Oyj#ni~mz' Cڷ׭M}%Zi>ooxԉEBg`X0H-M ԳCq`F}kMNtWQfȺTÅzn m{ F43$ qfCR*J*Wj%SnO;E"[88zH4 c/yEVjrg lKU|F((|D!em䫄:^q豛<Hа-}"z•^>"K;h >x fy!XmBp`Ly ގd@tLDP1Jb/qܶ`lr#A>R`ϼy3s4L&\͠mC ؒET[? lS.ГQ6M=,T~f.g- ȰGsЮǫcaQr P_3l1@өzRx4Idp!gB-ZӋ*q$,d8Ȳn&TXM (lylXȋ$7SUedHr {g#GCL3q|Ċh !2TSЋuMG۽la.Nm8 q.`ߛN$4.>n k?iKo&a5m"H~ZRSڌiEǤA{֣kX#&[ 91ۿ*aՍP˜hD8ٷ]y ůD|݅NM{Kxbsa`)O78 =M5qzTϵʱ DixwUWw-B^""d` OcL/=U22ƻBo.;Hm26Xq?IhBv]!6 {Q|3Ұfk];Nx`tқ{`&<-},|b/^B);=#50жﱟcOio@E!X3W]dA_d|bOh6MxYUm&$Ͱq;ܷ-SFƒ_1#;쭠D  Vi vnImEܐm΄x{pIC >wv U1^{ #E3d 7^5J(KF{A}F^/ )4Mϫ΢R[JW*AԹX.vZVAM5ƋY,&A/_| (gH2G!QYܱߞR TDO"Ntx>m$Koe'-Yn @6a; g"Iůg_t?PɖX) w|oW|D,{{kl`[? 1-^P')1&,M K4U|ٱsW>ebV.qdf [ޓ-[$@<}kc'pGEi#$W @ =ۉnzTU^X ($ Lw^*ZF'2Uԭ(??_C~&?{c5VQޮ7G mݰ+Q`W*&nuywDuu\7(G]e#FP1\9ov$6ѿ9V0|:,lp/~wϏp`3[uZ=7g[8KqJ y2 ! ZxyU~ҥ^pJq1vLb9;E"N%%6$`gm50X$1#(R9 *t7}NaN*σolH"<-SۙPSG >GG # .^ C-Z7vckV"q)s0"Ksg z| Êk|FYKqm}&'6a]`|8ueHQSLJ)nQg G׀ T4<|k}X O!0cWB Y(-f1%DpR&799I}&sxL(+67v!GlpMK-м|v*?gA-8rTx|'$N)VRL_XЛ_Q>1/4Uk<]oQ?8{q:zT{oُw(u?iqꐁ`}/?uQncK#=C'2콡&0B d/aj!OpI)@5Xk<qdu Pb#t;QwgP  O3yB9fy?["Xh(u9~_nS4nOp5\\-_9h4${K0f'mPب ZyHA͟V6/ $ p4b TRB9sA1@4v;1! K֌G0$s`XGX5JiaT  o]֩EBh /jv?`JF>%ڋ^c xC{YEq^Q=ijl<x%Wr572LP `"8u_d5jp=N/4\oDkA*+PU,-fD'X ʎyƫO ztX%vȟ &KN:ﯻm;^^苍 GYľwj1*gxxEcf1:q}iQ\HT=h"E+fBjV %OA,`t@Odc` Du`S!ɂE4C_yEba NW}/>p3\Vr-F`xOw uc T=>jnB>6VOSYk6R7Kx BdڶNK =ѿA {C4G>7/~l*'sç&вz>ز@,ZXd[ulI0i-[la=JK1< =Gx,sL cR9_B͞[mdC,긬\x#ɼ1~<5LN`4n H妍i1r0dcxov!BȠ!m*L=AMt|}3Uj6GZi5~,(waY\vLDH}$Zky TÓg8A@HW BN?b[hDg$eT$JMP,[~XA"0aȅ5EgHRMԄE}Kv%fJhxjay0TF^ѳvu5$PBO1|ӈs4u_,ȻU,}zUe HoڧU]m!wZ1 ,qN2D,sVɊ`_fKœ\X8p5ֆo*5Oc*Ӄ% <:`QErO|YG&s ,%Q[cN=`[%^}l'q((8(|#q/ ϊTݐ/:?0"!{_R3tGZZnG%Qpр;.Y"L"L"%0ҩi{4iv4]2TO8.a;P4’Gx\٫)UnFCODkAtɾ?]Wt޺\~:Z(y?^}ڽ''ӟv?\IAAytNqVޞ 'Ms>^B5Vfo=a86g~ *\%xR B5PD7HuƤ7c,)Z2[82tl٦yY(9ʍ8൅mJߥTeFJdgpp2 +mòF7A1