Virus alert: sober.j launches attack
Thread poster: Natalie (Poland; English to Russian; Member 2002; Moderator, Site localizer)
Nov 19, 2004
Sober.j prevention and cure

Takeaway:
This common e-mail virus is reportedly spreading rapidly, mostly in Europe

By Robert Vamosi
Senior Editor, CNET Reviews

The worm Sober.j is an e-mail virus spreading rapidly, mostly in Europe, written in both German and English, that attempts to install a backdoor Trojan horse.

Sober.j ([email protected], also known as Sober.i) arrives as an e-mail from someone you might know. The attached file is either an exe or a zip-compressed file. The e-mail has various subject lines and body texts, so it's best to simply avoid opening attached files unless you are certain of their contents. Sober.j does not affect users of Mac OS, Linux, or any other operating systems. Because Sober.j spreads via e-mail, this worm rates a 6 on the CNET/ZDNet Virus Meter.

How it works
Sober.j arrives as an e-mail with various subject lines and body texts written in either German or English. The attached file is either a pif, zip, or bat.

Once running, Sober.j creates a bogus error message:

"WinZip_Data_Module is missing ~Error: {[random number]}"

It also creates files named by combining three of the following with the extension .exe:

sys
host
dir
explorer
win
run
log
32
disc
crypt
data
diag
spool
service
smss32

For example, Sober.j would create files like these:

datadiscspool.exe
cryptdata.exe
runsms32.exe

The names are also used in the Registry key listings, for example:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run "hostexpoler"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "wincryptx"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "disccryptx"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "runsmss32"

According to McAfee, the worm creates the following files in the Windows system folder:

clonzips.ssc (78,090 bytes)
clsobern.isc (77,738 bytes)
cvqaikxt.apk (0 bytes)
dgssxy.yoi (0 bytes)
nonzipsr.noz (77,738 bytes)
Odin-Anon.Ger (0 bytes)
sb2run.dii (0 bytes)
sysmms32.lla (0 bytes)
winexerun.dal (1,779 bytes)
winmprot.dal (1,832 bytes)
winroot64.dal (672 bytes)
winsend32.dal (1,779 bytes)
zippedsr.piz (78,090 bytes)

Prevention
Do not open e-mail attached files unless you are absolutely certain of the contents. If you must open an attached file, save it to your hard drive first, then have your antivirus scanner process it before opening.

Removal
Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see
http://www.sophos.com/virusinfo/analyses/w32soberi.html
http://www.f-secure.com/v-descs/sober_i.shtml
http://vil.nai.com/vil/content/v_130130.htm
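The file-naming scheme, Run-key value names and dropped-file list above can be turned into a simple host check. The following script is an added example written for this thread, not code from CNET, McAfee or any antivirus vendor; it assumes the indicators exactly as listed in the post (word list, the "x" suffix seen in the Run-key examples, and the McAfee file names and sizes) and builds a constructed, harmless sample folder to demonstrate the scan.

```python
import os, tempfile

# Word list from the post; Sober.j glues two or three of these into an .exe name.
PARTS = ["sys", "host", "dir", "explorer", "win", "run", "log", "32", "disc",
         "crypt", "data", "diag", "spool", "service", "smss32"]

# Files McAfee reported in the Windows system folder (lower-cased name -> bytes).
DROPPED = {"clonzips.ssc": 78090, "clsobern.isc": 77738, "cvqaikxt.apk": 0,
           "dgssxy.yoi": 0, "nonzipsr.noz": 77738, "odin-anon.ger": 0, "sb2run.dii": 0,
           "sysmms32.lla": 0, "winexerun.dal": 1779, "winmprot.dal": 1832,
           "winroot64.dal": 672, "winsend32.dal": 1779, "zippedsr.piz": 78090}

def built_from_word_list(stem, allow_trailing_x=False):
    """True if stem is exactly 2 or 3 PARTS words joined together. A single word never
    matches, so a genuine explorer.exe is not flagged. allow_trailing_x accepts the
    'x' suffix seen in the post's Run-key examples (wincryptx, disccryptx) - assumption."""
    def rec(rest, used):
        if rest == "":
            return 2 <= used <= 3
        if used == 3:
            return False
        return any(rec(rest[len(p):], used + 1) for p in PARTS if rest.startswith(p))
    stem = stem.lower()
    return rec(stem, 0) or (allow_trailing_x and stem.endswith("x") and rec(stem[:-1], 0))

def scan_directory(path):
    """Walk path (e.g. the Windows system folder) and return sorted (file, reason) pairs."""
    hits = []
    for root, _, files in os.walk(path):
        for fn in files:
            low, full = fn.lower(), os.path.join(root, fn)
            if low.endswith(".exe") and built_from_word_list(low[:-4]):
                hits.append((fn, "exe name built from Sober.j word list"))
            elif low in DROPPED:
                same = os.path.getsize(full) == DROPPED[low]
                hits.append((fn, "known dropped file" + ("" if same else ", size differs")))
    return sorted(hits)

def check_run_values(run_values):
    """run_values: value names under a ...\\CurrentVersion\\Run key (e.g. from a .reg export)."""
    return sorted(v for v in run_values if built_from_word_list(v, allow_trailing_x=True))

def build_sample_tree():
    """Constructed demo folder with harmless zero-filled files (not a real infection)."""
    d = tempfile.mkdtemp(prefix="sober_demo_")
    for name, size in [("datadiscspool.exe", 16), ("cryptdata.exe", 16),
                       ("winexerun.dal", 1779), ("explorer.exe", 16), ("job.doc", 16)]:
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"\0" * size)
    return d
```

Note that the "hostexpoler" value quoted in the post does not match the word list as printed, so a name check alone will not catch every variant; treat a hit as a reason to run an updated scanner, not as proof of infection.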

Fernando Toledo (Spain; German to Spanish)
Sorry but... Nov 19, 2004

...I cannot believe there are still people who open such a file?

where is the problem?

It is the same old shoe.

Danger comes from emails where you do not need to do anything, or URLs where simply visiting them can infect you, but a "pif" file? Please, I hope there is no translator so naive as to open it.

Rgds


Christine Andersen (Denmark; Danish to English; Member 2003)
"Someone you might know" is the problem! Nov 22, 2004

The advice about saving the file onto your hard disk and having your virus program check it is the most important. (And you have, of course, updated your virus program this morning?)

I get files from lots of people - most of my jobs, among other things... and if a new outsourcer contacts me, or one of my colleagues has an address I don't know by heart... Translators get files from everywhere!

It's not stupid if you get a mail you don't recognise at once, but do remember the simple safety routine, even when you think you trust the sender!

Besides, even your best friends and most trusted agents may have 'caught' a virus by accident. I've learnt the hard way! So check them anyway...

Thanks for the warning, Natalie!

Charlotte Blank (Germany; Czech to German)
It's even more dangerous... Nov 23, 2004

Hi everybody,

I just got a mail from hotmail (at least that's what was written as the sender), subject: Your password. I never had anything to do with hotmail, but being curious I opened it and there was - right - a zip attachment, hotmail.5078.zip. So far it was "normal", but the end of this mail was

"*-*-* Anti_Virus: No Virus was found
> *-*-* FONI- Anti_Virus Service
> *-*-* http://www.foni.net"

which meant - to me - that this mail had been checked by my provider's antivirus system. I was astonished to read this and forwarded the mail to my Yahoo and Czech addresses - and, oh wonder, both of them detected this Sober worm.
So I wrote a letter to foni and asked how this "No Virus was found" came into my mail, and they told me that it's more and more common for virus writers to include such messages...
So be on your guard more than ever and don't trust anyone or any mail (isn't it really a shame?!)!

Charlotte


PS Any attachment of about 78 KB seems to be suspicious

[Edited at 2004-11-23 18:20]