Lking Posted November 22, 2005
http://www.spamcop.net/sc?id=z829650125z4e...b5b5ab14d56cfcz This is a new one for me. Spoofing the FBI.
Jeff G. Posted November 22, 2005
Trend Micro appears to have been first on the block to identify this worm - please see WORM_SOBER.AG for details.
Miss Betsy Posted November 22, 2005
Glad to see it has a name! I haven't opened my email yet, but I got 24 (some from the CIA and others wanting me to confirm my password) from 3 to 8 last evening. I actually got one from Earthlink several days ago (11/15), but reporting it stopped it quickly. I thought it was a phish, not a worm. Miss Betsy
Jeff G. Posted November 22, 2005
The "list.zip" attachment was my clue to its worminess.
Farelf Posted November 22, 2005
Well spotted Jeff. W32.Sober.X[at]mm in Symantec talk - they just released their "Live Update" virus definition to catch the thing. Two hours after they unleashed their highly visible "Outbreak Alert!", unfortunately. Following the links to obtain the update in the interim period simply resulted in failure. With a weekly update schedule on Live Update (dial-up connection), doing a manual update between times just interferes with the next scheduled update (have to revert to the previous update before it will work). If it's less complicated than that, I have yet to find out about it. All's well that ends well, I suppose, and that particular drama is over (pity it wasted so much time though).
turetzsr Posted November 22, 2005
> <snip> I thought it was a phish, not a worm.
...A worm (noun) which includes a phish (verb), perhaps?
Farelf Posted November 22, 2005
> ...A worm (noun) which includes a phish (verb), perhaps?
Infinitely preferable to the noun-noun construction.
Jeff G. Posted November 22, 2005
More URLs to ponder re this worm:
http://securityresponse.symantec.com/avcen...er.x[at]mm.html
http://www.sophos.com/virusinfo/analyses/w32soberz.html
http://www3.ca.com/securityadvisor/virusin...s.aspx?ID=49473
http://www.f-secure.com/v-descs/sober_y.shtml
http://vil.nai.com/vil/content/v_137072.htm
StevenUnderwood Posted November 22, 2005
> With a weekly update schedule on Live Update (dial-up connection), doing a manual update between times just interferes with the next scheduled update (have to revert to the previous update before it will work). If it's less complicated than that, I have yet to find out about it. All's well that ends well, I suppose, and that particular drama is over (pity it wasted so much time though).
Well, I mainly use the Corporate edition but in my few experiences with the home version, I have never seen this phenomenon. Live Update has always worked even with manual updates being done. Often, you can also force a Live Update manually.
Jeff G. Posted November 22, 2005
Also, if you are impatient and don't want to wait for one of those weekly Wednesday updates or for Symantec to decide that a particular update is "important" enough, you can also download the latest regular dated update definition from http://www.sarc.com/avcenter/download/pages/US-N95.html or ftp://ftp.symantec.com/public/english_us_...rton_antivirus/ or one of the rapid release definitions at ftp://ftp.symantec.com/public/english_us_...s/rapidrelease/.
Miss Betsy Posted November 22, 2005
Mine all had McAfee_EmailScanReport.txt, though one had dessicated.zip IIRC. However, McAfee didn't tag them in any way. I have had so many updates from them, I don't know what they are doing nowadays. I just hope this doesn't result in spam email following. Miss Betsy
Lking Posted November 22, 2005 (Author)
Well Norton finely got around to telling me about the worm I received this morning. Reading their right up http://securityresponse.symantec.com/avcen...sober.x[at]mm.html I noticed that one of the things the worm does is capture Norton's auto update so the worm runs every time you try to update the anti-virus data. Puts real meaning into keeping security up to date, cause if your late, your late.
btech Posted November 23, 2005
Equally as puzzling was this spam I got from Hotmail/MSN today: http://www.spamcop.net/sc?id=z829917019z9d...bf0100ea9a7279z I rarely use the address this was sent to and certainly didn't contact Hotmail Sales. Makes me wonder if a spammer was email bombing MSN with all kinds of addresses, mine included...
Wazoo Posted November 23, 2005
> Well Norton finely got around to telling me about the worm I received this morning. Reading their right up http://securityresponse.symantec.com/avcen...sober.x[at]mm.html
For those coming in late, the URL provided above won't fly due to the filter I put on this Forum to mung e-mail addresses ... it also munged the above URL .. such that the [at] needs to be replaced with the @ sign ... you'll note Jeff G.'s use of a tinyurl redirector to get around this issue in one of his previous posts ....
Farelf Posted November 23, 2005
> Well, I mainly use the Corporate edition but in my few experiences with the home version, I have never seen this phenomenon. Live Update has always worked even with manual updates being done. Often, you can also force a Live Update manually.
Thanks Steven, and thanks Jeff! Yes, I usually force the update but on one foray into a manual update (different process from Live Update as you know), I found the Live Update wouldn't work next time. Hunting through the Symantec "knowledge base" suggested reverting to previous definitions and lo, it worked. Disappointingly, that was the suggested action this time when the actual "problem" was simply a delay in the release of the "special" update and reversion would have done nothing except waste more time. The previous thing was some date-critical aspect of weekly updates, no doubt (Symantec protecting their "investment", instanced also in their pre-emptive quarterly "registration" procedure on an annual subscription). Still, I've been there before, won't hesitate to do a manual update should it seem prudent (I don't rely on them anyway - as "we" know, don't download unknown attachments, don't open them; someone has to get the first example, it might be me. I know enough about probability to know the odds don't "accumulate" but one has the uncanny feeling that an unlikely event is overdue - like Charles Dickens avoiding the Christmas trains because "there hadn't been enough derailments that year yet". Must be my turn to get something higher than a 5th division Lotto win.) Within minutes of the (outbreak alert special) live update working I received my first email with this worm. But that wasn't at all unlikely.
Jeff G. Posted November 23, 2005
> Well Norton finely got around to telling me about the worm I received this morning. Reading their right up
ITYM "write up".
> one of the things the worm does is capture norton's auto update so the worm runs every time you try to update the anti-virus data. Puts real meaning into keeping security up to date, cause if your late, your late.
ITYM "if you're late, you're late." To be more specific about how NAV/SAV automatic live updates operate, the default configuration is to check every Wednesday morning and Symantec's policy is to publish every Wednesday morning, and more often when they feel it important to do so. I have different ideas about importance than they do (I consider updates for new highly-publicized highly-virulent outbreaks that I have evidence of in-hand (especially email-borne worms) to be important; they sometimes don't). I also change the default on systems I am configuring to check every morning or night (depending on the situation).
Lking Posted November 23, 2005 (Author)
Jeff G, the secret is out. Yes, I took English as a second language. My first language was Fortran. I agree with your AV update schedule. I also check daily plus "as required" based on what I see going on and how I feel. My update schedule is much different than Symantec's Outbreak Alert, which is what I was referring to with a <g> several hours after I received my copy of Sober.X.
Lking Posted November 23, 2005 (Author)
In response to my spam report I just received a response from SBC. In addition to the standard part:
<snip>
Warning! Recent SBC phishing attacks and forgeries:
1. Forged emails claiming to be from the FBI claiming that the FBI is monitoring your traffic. The FBI did not send these e-mails and does not send any other unsolicited e-mails to the public, an agency statement said. As many harmful computer viruses are located in e-mail attachments, the FBI said it strongly encourages computer users not to open attachments from unknown recipients. The FBI is investigating the scam. Recipients of these e-mails are asked to report them by visiting the Internet Crime Complaint Center at http://www.ic3.gov/
<snip>
Wazoo Posted November 23, 2005
FBI ALERTS PUBLIC TO RECENT E-MAIL SCHEME
For Immediate Release, Tuesday, November 22, 2005, Washington D.C., FBI National Press Office
E-mails purporting to come from FBI are phony
Miss Betsy Posted November 23, 2005
Now I am receiving them from Roadrunner as well as Verizon AND my own ISP (who says the headers are spoofed and besides which the IT department won't be back until next Monday. In the SpamAssassin report it has an IP address for RCVD in SORBS which he says is Roadrunner. He also says that they don't use userid xxx.) SpamCop says it is my ISP. I could spit nails! Miss Betsy
Lking Posted November 24, 2005 (Author)
Computer Worm Poses as E-Mail From FBI, CIA
'Sober X' Web Threat Spreads Quickly
By Arshad Mohammed and Brian Krebs, Washington Post Staff Writers, Thursday, November 24, 2005; Page D01
It's being called the worst computer worm of the year -- a fast-spreading Internet threat that looks like an official e-mail from the CIA or FBI but can leave your computer wide open to intruders.
The full Post story is at: http://www.washingtonpost.com/wp-dyn/conte...?referrer=email
Gee, Miss Betsy, I feel left out. I only got 2 copies. (That's not an offer to accept more!)
dra007 Posted November 24, 2005
I got the Sober X removal tool from Symantec and ran it before I even knew about the outbreak. Sounds pretty nasty...
Farelf Posted November 25, 2005
> I got the Sober X removal tool from Symantec ...
Neat - I wouldn't have thought about using those things as a check. Jeff's handy link to the Symantec page is noted above in this discussion: http://forum.spamcop.net/forums/index.php?...indpost&p=36456, here's another (should work) for those not liking tinyurl: http://securityresponse.symantec.com/avcen...o.cgi?vid=17534 - no, I don't work for them.
dra007 Posted November 25, 2005
My e-mail gets filtered by Postini then forwarded to SpamCop... I had a few Sober e-mails, oddly enough from Argentina, defanged and trapped in the Postini virus folder this morning... They mentioned Paris Hilton, nothing about FBI....
The Simple Life: View Paris Hilton & Nicole Richie video clips, pictures & more. Download is free until Jan, 2006! Please use our Download manager.
Farelf Posted November 25, 2005
Yeah, that and the failed delivery one are the types I'm seeing (getting through AT&T).
This_is_an_automatically_generated_Delivery_Status_Notification. SMTP_Error_[] I'm_afraid_I_wasn't_able_to_deliver_your_message. This_is_a_permanent_error;_I've_given_up._Sorry_it_didn't_work_out. The_full_mail-text_and_header_is_attached!
There was an actual FBI one, caught up in my "graymail", as AT&T insist on calling it.
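Editor's added example (not posted by any participant in this thread, and not a vendor signature): a small mail-gateway triage script that turns the indicators the posters reported above into a two-factor heuristic. The lure side uses the FBI/CIA impersonation and "monitoring your traffic" wording (Lking, Wazoo), the Paris Hilton text (dra007) and the underscore-joined fake delivery-status text (Farelf); the attachment side uses the list.zip / dessicated.zip archives and the McAfee_EmailScanReport.txt decoy (Jeff G., Miss Betsy). A message is flagged only when both sides hit, so a news article about the worm is not flagged while a lure carrying an archive is. The regexes, sender-domain check and all sample messages are constructed for this example.

```python
"""Two-factor triage for Sober.X-style lure mail (constructed example).

Indicators are those reported in the thread: FBI/CIA impersonation, the
underscore-joined fake DSN, the Paris Hilton lure, a .zip attachment and
the fake McAfee scan report. They are heuristics, not vendor signatures.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Lure text reported in the thread, matched against Subject plus body.
LURE_PATTERNS = [
    re.compile(r"\b(FBI|CIA)\b"),                              # agency impersonation
    re.compile(r"monitoring your (internet )?traffic", re.I),  # FBI lure wording
    re.compile(r"Paris[_ ]Hilton", re.I),                      # celebrity lure
]
# The fake DSN joined words with "_" instead of spaces: seven or more in a row.
UNDERSCORE_DSN = re.compile(r"(?:\w+_){6,}\w+")
# Attachment names that carried the worm, plus the decoy scan report.
RISKY_ATTACHMENT = re.compile(r"\.(zip|exe|scr|pif)$", re.I)
FAKE_SCAN_REPORT = re.compile(r"emailscanreport", re.I)
# Sender claiming an agency domain (assumed check; the worm forged From: headers).
AGENCY_SENDER = re.compile(r"@(?:[\w-]+\.)*(fbi|cia)\.gov\b", re.I)


def attachment_names(msg: EmailMessage) -> list:
    """Filenames of all MIME attachments (empty string when unnamed)."""
    return [part.get_filename() or "" for part in msg.iter_attachments()]


def triage(raw: str) -> dict:
    """Return {"suspect": bool, "reasons": [...]} for one RFC 822 message.

    "suspect" requires a lure indicator AND a risky attachment, so a news
    story that merely mentions the FBI is reported but not flagged.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    subject = msg.get("Subject", "") or ""
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    haystack = f"{subject}\n{body}"

    reasons = []
    for pat in LURE_PATTERNS:
        if pat.search(haystack):
            reasons.append(f"lure:{pat.pattern}")
    if UNDERSCORE_DSN.search(haystack):
        reasons.append("lure:underscore_dsn")
    if AGENCY_SENDER.search(msg.get("From", "") or ""):
        reasons.append("from:gov_agency")
    for name in attachment_names(msg):
        if RISKY_ATTACHMENT.search(name) or FAKE_SCAN_REPORT.search(name):
            reasons.append(f"attachment:{name}")

    lure_hit = any(r.startswith(("lure:", "from:")) for r in reasons)
    attach_hit = any(r.startswith("attachment:") for r in reasons)
    return {"suspect": lure_hit and attach_hit, "reasons": reasons}


def build_sample(from_addr: str, subject: str, body: str, attachment=None) -> str:
    """Build a constructed RFC 822 sample (not a real capture) as a string."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment is not None:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_string()


# Constructed samples modelled on the lures described in the thread.
FAKE_ZIP = b"PK\x03\x04 constructed, not a real archive"
SAMPLES = {
    "fbi_list_zip": build_sample(
        "Federal Bureau of Investigation <mail@fbi.gov>", "You visit illegal websites",
        "The FBI is monitoring your Internet traffic. Please answer the attached list of questions.",
        ("list.zip", FAKE_ZIP)),
    "fake_dsn": build_sample(
        "Mail Delivery System <postmaster@example.net>", "Delivery failure",
        "This_is_an_automatically_generated_Delivery_Status_Notification. "
        "The_full_mail-text_and_header_is_attached!", ("mail-text.zip", FAKE_ZIP)),
    "news_no_attachment": build_sample(
        "news@example.org", "Computer Worm Poses as E-Mail From FBI, CIA",
        "'Sober X' Web Threat Spreads Quickly. Full story at the link below."),
    "benign_pdf": build_sample(
        "colleague@example.com", "Meeting notes",
        "Minutes from the Wednesday meeting are attached.", ("notes.pdf", b"%PDF-1.4 constructed")),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

Run it as-is and the two lure-plus-archive samples come back `suspect: True` while the news item and the PDF do not. The point of requiring both factors is exactly the false positive Farelf's "graymail" and this thread itself would otherwise produce: plenty of legitimate mail mentioned the FBI that week, but only the worm shipped an archive with it.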