Tenacious W32/Sober.c-mm Attacks:
"Top Virus: W32/Sober.C-mm …
W32/Sober.C-mm is a variation of Sober.A, which hit in late October, 2003. Like its cousin, Sober.C spreads as an email attachment, and uses its own SMTP engine to propagate. The worm harvests email addresses from various files on the victim's system, and can spoof the 'from' field as well, when sending copies of itself. The attachment name is randomly chosen from over two dozen different English or German names, and can have a .bat, .pif, .cmd, .scr, .exe, or .com extension. The message and subject line varies, and can be in either German or English. TrendMicro's analysis of Sober.C has a comprehensive list of the subject, attachment name, and message possibilities. The virus infects when the recipient opens the attachment, making it fairly preventable. "
When Sober.C executes, it creates two copies of itself in the %system% folder (by default is C:\windows\system for Windows 9x, C:\Winnt\system32 for Windows 2000/NT or C:\windows\system32 for Windows XP.) The file names are randomly generated, and the files themselves may be appended with random garbage data to inhibit antivirus detection. It then adds the these names to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
These entries allow the virus to automatically start when they victim's machine is booted.
The virus scans the victim's hard disk for email addresses within database or text based files, and stores them in the %system% folder under the name savesyss.dll. As an indicator of infection, when Sober.C runs for the first time, it displays a fake error message box with the message:
"First" as caused an unknown error. Stop: 00000010x08.
Sober.C guards its position greedily by running two memory processes that watch out for each other. Terminating a virus process is a standard procedure to do before removing the virus. However, if a user terminates only one of the processes, the other process of Sober.C recognizes its mate is gone, and restarts it, making removal difficult.…
http://www.pcmag.com/print_article/0,3048,a=115641,00.asp
skip to main |
skip to sidebar
tips, techniques and resources
Labels
Microsoft
(2)
Bing
(1)
Facebook
(1)
LinkedIn
(1)
Microsoft Office
(1)
Microsoft Outlook
(1)
Twitter
(1)
User Interface
(1)
YouTube
(1)
search
(1)
typography
(1)
Posts
About Me
Blog Archive
-
►
2014
(1)
- ► 02/02 - 02/09 (1)
-
►
2013
(3)
- ► 12/01 - 12/08 (1)
- ► 03/31 - 04/07 (1)
- ► 02/03 - 02/10 (1)
-
►
2012
(20)
- ► 12/30 - 01/06 (1)
- ► 08/12 - 08/19 (8)
- ► 08/05 - 08/12 (8)
- ► 06/10 - 06/17 (3)
-
►
2011
(5)
- ► 10/16 - 10/23 (1)
- ► 10/02 - 10/09 (2)
- ► 09/04 - 09/11 (1)
- ► 08/07 - 08/14 (1)
-
►
2010
(18)
- ► 11/07 - 11/14 (1)
- ► 06/27 - 07/04 (6)
- ► 05/30 - 06/06 (1)
- ► 04/25 - 05/02 (1)
- ► 03/07 - 03/14 (1)
- ► 02/28 - 03/07 (2)
- ► 02/14 - 02/21 (4)
- ► 02/07 - 02/14 (2)
-
►
2009
(12)
- ► 12/27 - 01/03 (1)
- ► 12/20 - 12/27 (1)
- ► 11/15 - 11/22 (1)
- ► 09/27 - 10/04 (2)
- ► 09/20 - 09/27 (2)
- ► 08/16 - 08/23 (1)
- ► 07/26 - 08/02 (1)
- ► 07/19 - 07/26 (1)
- ► 07/12 - 07/19 (1)
- ► 01/25 - 02/01 (1)
-
►
2008
(3)
- ► 04/20 - 04/27 (1)
- ► 02/17 - 02/24 (1)
- ► 01/06 - 01/13 (1)
-
►
2007
(3)
- ► 12/23 - 12/30 (1)
- ► 10/21 - 10/28 (1)
- ► 08/19 - 08/26 (1)
-
►
2006
(11)
- ► 11/26 - 12/03 (1)
- ► 11/19 - 11/26 (1)
- ► 10/15 - 10/22 (1)
- ► 09/17 - 09/24 (1)
- ► 08/13 - 08/20 (1)
- ► 04/23 - 04/30 (1)
- ► 04/16 - 04/23 (1)
- ► 03/26 - 04/02 (1)
- ► 03/12 - 03/19 (1)
- ► 01/15 - 01/22 (1)
- ► 01/01 - 01/08 (1)
-
►
2005
(161)
- ► 12/25 - 01/01 (2)
- ► 11/27 - 12/04 (2)
- ► 11/20 - 11/27 (1)
- ► 11/06 - 11/13 (1)
- ► 10/30 - 11/06 (2)
- ► 09/25 - 10/02 (1)
- ► 09/11 - 09/18 (1)
- ► 08/28 - 09/04 (3)
- ► 08/21 - 08/28 (1)
- ► 08/07 - 08/14 (3)
- ► 07/31 - 08/07 (2)
- ► 07/24 - 07/31 (1)
- ► 07/17 - 07/24 (4)
- ► 07/10 - 07/17 (1)
- ► 06/26 - 07/03 (2)
- ► 06/19 - 06/26 (2)
- ► 06/12 - 06/19 (3)
- ► 06/05 - 06/12 (1)
- ► 05/29 - 06/05 (2)
- ► 05/22 - 05/29 (5)
- ► 05/15 - 05/22 (1)
- ► 05/08 - 05/15 (3)
- ► 05/01 - 05/08 (8)
- ► 04/24 - 05/01 (2)
- ► 04/17 - 04/24 (4)
- ► 04/10 - 04/17 (2)
- ► 04/03 - 04/10 (4)
- ► 03/27 - 04/03 (3)
- ► 03/20 - 03/27 (7)
- ► 03/13 - 03/20 (5)
- ► 03/06 - 03/13 (8)
- ► 02/27 - 03/06 (5)
- ► 02/20 - 02/27 (8)
- ► 02/13 - 02/20 (4)
- ► 02/06 - 02/13 (8)
- ► 01/30 - 02/06 (10)
- ► 01/23 - 01/30 (6)
- ► 01/16 - 01/23 (12)
- ► 01/09 - 01/16 (14)
- ► 01/02 - 01/09 (7)
-
▼
2004
(396)
- ► 12/26 - 01/02 (3)
- ► 12/19 - 12/26 (6)
- ► 12/12 - 12/19 (6)
- ► 12/05 - 12/12 (8)
- ► 11/28 - 12/05 (4)
- ► 11/21 - 11/28 (1)
- ► 11/14 - 11/21 (1)
- ► 11/07 - 11/14 (4)
- ► 10/31 - 11/07 (4)
- ► 10/24 - 10/31 (3)
- ► 10/17 - 10/24 (2)
- ► 10/10 - 10/17 (5)
- ► 10/03 - 10/10 (12)
- ► 09/26 - 10/03 (4)
- ► 09/19 - 09/26 (14)
- ► 09/12 - 09/19 (9)
- ► 09/05 - 09/12 (8)
- ► 08/29 - 09/05 (5)
- ► 08/22 - 08/29 (5)
- ► 08/15 - 08/22 (12)
- ► 08/08 - 08/15 (9)
- ► 08/01 - 08/08 (10)
- ► 07/25 - 08/01 (8)
- ► 07/18 - 07/25 (9)
- ► 07/11 - 07/18 (14)
- ► 07/04 - 07/11 (7)
- ► 06/27 - 07/04 (9)
- ► 06/20 - 06/27 (12)
- ► 06/13 - 06/20 (11)
- ► 06/06 - 06/13 (3)
- ► 05/30 - 06/06 (5)
- ► 05/23 - 05/30 (13)
- ► 05/16 - 05/23 (7)
- ► 05/09 - 05/16 (9)
- ► 05/02 - 05/09 (8)
- ► 04/25 - 05/02 (7)
- ► 04/18 - 04/25 (5)
- ► 04/11 - 04/18 (12)
- ► 04/04 - 04/11 (12)
- ► 03/28 - 04/04 (8)
- ► 03/21 - 03/28 (6)
- ► 03/14 - 03/21 (10)
- ► 03/07 - 03/14 (14)
- ► 02/29 - 03/07 (3)
- ► 02/22 - 02/29 (8)
- ► 02/15 - 02/22 (9)
- ► 02/08 - 02/15 (10)
- ► 02/01 - 02/08 (11)
- ► 01/25 - 02/01 (5)
- ► 01/18 - 01/25 (3)
- ► 01/11 - 01/18 (7)
-
▼
01/04 - 01/11
(16)
- Phishing: Spam that can’t be ignored: "If you hav...
- Novell's Linux Makeover: "Ximian Desktop Boosts S...
- Tenacious W32/Sober.c-mm Attacks: "Top Virus: W32...
- News: Microsoft publishes program to blast MSBlast...
- The Search Engine Report - Number 86: "The Search...
- 20 Tips for Taking Better Pictures Today: http://...
- Security Highlights and Lowlights of 2003: "The c...
- News: Security flaws force Linux kernel upgrade: ...
- Using Microsoft eBook technology to create portabl...
- Symantec Security Response - W32.Jitux.Worm: "W32...
- Ten Steps for Cleaning Up Information Pollution (J...
- Free newsletter - HFI's UI Design Update: "HFI's ...
- Rapid Application Development with Mozilla: Naviga...
- The XML Schema Companion - WebReference.com -: "A...
- O'Reilly Network: PHP Foundations [Feb. 28, 2001]:...
- Can-Spam Law: More Harm than Good? - Tech Update -...
-
►
2003
(302)
- ► 12/28 - 01/04 (7)
- ► 12/21 - 12/28 (16)
- ► 12/14 - 12/21 (12)
- ► 12/07 - 12/14 (18)
- ► 11/30 - 12/07 (8)
- ► 11/23 - 11/30 (9)
- ► 11/16 - 11/23 (4)
- ► 11/09 - 11/16 (28)
- ► 11/02 - 11/09 (12)
- ► 10/26 - 11/02 (26)
- ► 10/19 - 10/26 (6)
- ► 10/12 - 10/19 (11)
- ► 10/05 - 10/12 (4)
- ► 09/28 - 10/05 (9)
- ► 09/21 - 09/28 (7)
- ► 09/14 - 09/21 (9)
- ► 09/07 - 09/14 (11)
- ► 08/31 - 09/07 (4)
- ► 08/24 - 08/31 (11)
- ► 08/17 - 08/24 (14)
- ► 08/10 - 08/17 (11)
- ► 08/03 - 08/10 (11)
- ► 07/27 - 08/03 (7)
- ► 07/20 - 07/27 (11)
- ► 07/13 - 07/20 (10)
- ► 07/06 - 07/13 (8)
- ► 06/29 - 07/06 (6)
- ► 06/22 - 06/29 (4)
- ► 06/15 - 06/22 (3)
- ► 06/08 - 06/15 (4)
- ► 06/01 - 06/08 (1)
No comments:
Post a Comment