Virus

[fauna]

Anyone know what this virus rumour goin round is about I did a search on google I think its called Sober virus?

[Laurie-Anne]

The next Sober virus attack
Don't get burned by viruses and hackers

By Robert Vamosi
Senior editor, CNET Reviews
December 16, 2005

Occasionally, I run across a computer virus or a worm that manages to constantly top itself with new variants. After nearly 20 variations, the Sober virus still amazes me. Beginning January 6, 2006, the Sober virus will launch another wave of e-mail attacks on the Internet. How do we know this? Thanks to diligence of Mikko Hypponen and his antivirus research staff at F-Secure, we know that within an encrypted part of the latest Sober worm is a complex set of instructions detailing several dates on which Sober is likely to make another attack; and thanks to another set of researchers at iDefense, we think January 5 or 6, 2006, either a Thursday or a Friday--just in time to fill everyone's e-mailbox with junk over the weekend--is the most likely of those dates for that attack to occur.

The "bootstrap" effect
Imagine sending a very large and sophisticated virus over e-mail--your ISP or company would certainly stop it dead at the gateway. So, virus writers have started sending out smaller versions that merely infect. Once installed, the small virus then opens a backdoor to call out to the predetermined Web server IP address from which it then loads a more sophisticated version of itself (or it transforms the infected PC into a conduit for spam, ****ography, or a host of other malicious uses). If the small virus downloaded the larger code upon infection, there would be a collision of newly infected machines and second-wave infections, so virus writers have started delaying the second wave by several days or even several weeks.

Imagine sending a very large and sophisticated virus over e-mail--your ISP or company would certainly stop it dead at the gateway.

Early examples of bootstrapping viruses simply put the Web server addresses in the virus code in plain text. Not bright. Antivirus researchers were able to read the Web server addresses and shut them down before a major attack could occur. So the virus writers started encrypting them. Again, antivirus researchers were able to crack the encryption and notify authorities. Perhaps the best-known example of this was Sobig.f, where up to 20 servers were primed to download new code on a preset date. With only hours to go, antivirus researchers were able to crack the encryption, alert the authorities, and shut down at least 18 of the Web servers.

Why Sober is special
Most of the Sober variants use a trigger delay; they install quickly but then sleep for a preset period of time before reaching out and contacting the Internet for a new download. The latest Sober variants, released November 15, 2005, added a new wrinkle: encryption and a random number generator. Using a complex algorithm, Sober produces a series of different dates, each with its own set of Web server ISPs. In other words, every so many days, Sober changes its ISP contact information (using mostly free Web hosts in Germany and Austria). According to F-Secure, the antivirus vendor that first broke the algorithm, these addresses have been mostly bogus; at least the addresses produced do not correspond to live Web servers. The list of probable Web servers changes every 14 days. In looking at the possible combinations of dates and Web servers, security company iDefense thinks that the addresses set to activate January 5, 2006, are particularly significant.

Why January 5?
iDefense relied upon a little social-engineering logic to figure this one out. Previous versions of Sober have struck on dates significant to the National Socialist (Nazi) Party in Germany. For example, Sober.n coincided with April 19, Hitler's birthday. Other variants spread long tracts of NeoNazi propaganda. On January 5, 1919, the National Socialist (Nazi) Party in Germany was founded. Of the possible dates for the next Sober virus attack, iDefense thinks this is the most likely date (although F-Secure now says the date is after January 5, 2006, so it could be January 6, 2006, when the actual attack occurs).

It is believed that the authors of the Sober virus live or work in the Bavarian district of Germany, although whether they believe the vitriol they spam is another matter. The spread of Nazi propaganda could be no more than a cruel Internet joke. For example, Netsky author Sven Jashen (also from Germany) buried snippets of Russian within his code to fool researchers into thinking the Netsky code originated in Russia. Then again, the level of sophistication in each variant suggests professionals, not amateurs, might be behind Sober.

Prevention
It's important to note that your PC must already be infected with Sober before it becomes a foot soldier in this expected January 5 assault. No infection, no participation. So clean your desktop computer now. For corporate systems, it's also important to create firewall rules that block IP requests to the January 5 addresses. According to F-Secure, the addresses to be contacted on January 5, 2006, include:

home.arcor.de/dixqshv/
people.freenet.de/wjpropqmlpohj/
people.freenet.de/zmnjgmomgbdz/
people.freenet.de/mclvompycem/
home.arcor.de/jmqnqgijmng/
people.freenet.de/urfiqileuq/
home.arcor.de/nhirmvtg/
free.pages.at/emcndvwoemn/
people.freenet.de/fseqepagqfphv/
home.arcor.de/ocllceclbhs/
scifi.pages.at/zzzvmkituktgr/
people.freenet.de/qisezhin/
home.arcor.de/srvziadzvzr/
people.freenet.de/smtmeihf/
home.pages.at/npgwtjgxwthx/

At present, these addresses have not been registered. All correspond to free Web host sites in Germany and Austria. Assuming they are real, someone will have to register these addresses before January 5, 2006. Perhaps the individuals responsible will be dumb enough to give away enough personal information to lead to their arrest.

The end of Sober?
So, in theory, a full-scale Sober attack should be a bust on January 6, 2006. Unfortunately, many PCs worldwide are connected to the Internet without antivirus protection. I expect to see some activity but not a full-out assault. Either way, keep your antivirus protection primed over the holidays and install a firewall if you haven't already. And don't be too surprised if you find a ton of junk e-mail in your in-box starting January 6, 2006, or you find your e-mail traffic is a little slower. It's Sober.

[fauna]

Thank you for getting the info Laurie-Anne  O0

[Laurie-Anne]

Your very Welcome.

[DeadSet]

Anyone who hasn't received a prompt to download new updates for Microsoft should go to the site at the bottom of my post and manually install the 1 security update for XP. They were going to wait a week to release the patch but they decided to bump it up because the public was hounding them and some people tried using a patch from a different source that ended up doing damage to some of their machines, this update was just released this afternoon, always good to stay up to date with stuff like this.

http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us

-dS

[justahumping]

Thank you

[Jackpotloser]

Thanks for info. My updates are downloaded O0

[adamsmom]

thank you for that info, i have no idea how u guys all stay on top of things like that, i keep my windows settings on automatic updates or my computer would be a mess right now  lol

[Jinx55]

Automatic updates is the only way to go...I keep mine set to download only Critical updates on its own....if I want the non-critical I do them myself
Jinx  8)

[SI]

There seems to be a nasty new bugger running around the 'Net.  The "Cryzip" or "Zippo.a" trojan targets 44 types of files (.PDF, .DOC, .JPG, Office suite, etc..).  After creating a new directory on your computer, it takes all of the files that match the criteria and compresses them into a password-protect file.  It then deletes all of the original files, and leaves a *ransom note* with instructions on where to deposit $300 for the safe return of your files.  These mf'ers are getting a little too brazen for their own good!

http://www.eweek.com/article2/0,1895,1937408,00.asp

The good news is that if you DO get hit with this virus, this Yahoo article has instructions on how to get your files back:

http://news.yahoo.com/s/nf/20060317/tc_nf/42179

[raptors2004]

Automatic updates is the only way to go...

Not really.. I think the best way to go is a good antivirus program but Windows updates is another way to go for sure ;)

[hades]

interesting article

[Helen]

Thanks for the info.

[Tara]

There seems to be a nasty new bugger running around the 'Net.  The "Cryzip" or "Zippo.a" trojan targets 44 types of files (.PDF, .DOC, .JPG, Office suite, etc..).  After creating a new directory on your computer, it takes all of the files that match the criteria and compresses them into a password-protect file.  It then deletes all of the original files, and leaves a *ransom note* with instructions on where to deposit $300 for the safe return of your files.  These mf'ers are getting a little too brazen for their own good!

http://www.eweek.com/article2/0,1895,1937408,00.asp

The good news is that if you DO get hit with this virus, this Yahoo article has instructions on how to get your files back:

http://news.yahoo.com/s/nf/20060317/tc_nf/42179

The part about asking for 300.00 is the first clue somethings wrong  O0