Asian Music Realm
Another Virus Alert. (Parts one and two)
Topic Started: Nov 23 2005, 07:10 PM (74 Views)
Seoul Survivor
Thanks Jay!
OK, the last one I put up was a sham, but our IT director posted this for us (ALSO see the CNN link at the end for another one!):

This is an MX Logic Email Threat Alert Notification. This message has been sent to you due to a possible email threat that could affect your organization. If you have any questions please contact us at +1.720.895.5700.


Another Sober Variant Hits the Internet

W32/Sober.Z is a mass email worm. MX Logic considers this a HIGH RISK VIRUS due to the high number of instances we are seeing.

This memory-resident worm propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own SMTP engine.


Solution/Workaround

MX Logic currently provides protection from this worm for customers who subscribe to MX Logic's virus scanning service. We are also blocking this worm at the MTA level for those customers who are not subscribed to this service.

This worm is also known by the following aliases:
W32.Sober.X@mm
Email-Worm.Win32.Sober.y
W32/Sober.AH.worm
Email-Worm.Win32.Sober.Y
WORM_SOBER.AG


W32/Sober.Z Technical Description

This worm propagates via email using Simple Mail Transfer Protocol (SMTP).

The email it sends out contains the following characteristics:

Subject: (any one of the following)
• hi,_ive_a_new_mail_address
• Mail delivery failed
• Registration Confirmation
• smtp mail failed
• Spam: Registration Confirmation
• Your Password
• Your IP was logged
• Paris_Hilton_&_Nicole_Richie
• You visit illegal websites

The message body will be randomly chosen from several different possibilities which are part of the worm payload.

Attachment: (any one of the following)
• mailtext.zip
• mail.zip
• reg_pass.zip
• mail.zip
• reg_pass-data.zip
• question_list.zip
• list.zip
• downloadm.zip
• mail_body.zip

The attached .ZIP file contains the copy of W32/Sober.Z using the file name
File-packed_dataInfo.exe

When executed, W32/Sober.Z displays a fake error message box in order to trick a user into thinking that the file did not properly execute.

W32/Sober.Z searches the process list of the affected system for mrt.exe, the Microsoft Windows Malicious Software Removal Tool process. If found, it terminates the said process, thus making the system more vulnerable to malicious attacks.


For specific information on removing this worm, please visit:
http://vil.nai.com/vil/content/v_137072.htm

If you are interested in subscribing to MX Logic's virus scanning service, please call MX Logic Sales at +1.877.MXLOGIC (+1.877.695.6442) or email sales@mxlogic.com.
#30#

And this:
http://www.cnn.com/2005/TECH/internet/11/2...m.ap/index.html

//Seoul
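The alert above lists the worm's observable mail characteristics (subject lines, zip attachment names, and the fixed executable name inside the zip). The following is an added example, not code from the thread or from MX Logic, of how a mail gateway or mailbox filter could turn those indicators into a detection: it parses a raw message, checks each indicator, and only blocks outright on the strong one (the inner executable name) or on two indicators together. The sample messages it builds are constructed placeholders with no real binary.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the MX Logic alert quoted above (lower-cased for matching).
SOBER_SUBJECTS = {s.lower() for s in (
    "hi,_ive_a_new_mail_address", "Mail delivery failed", "Registration Confirmation",
    "smtp mail failed", "Spam: Registration Confirmation", "Your Password",
    "Your IP was logged", "Paris_Hilton_&_Nicole_Richie", "You visit illegal websites")}
SOBER_ATTACHMENTS = {"mailtext.zip", "mail.zip", "reg_pass.zip", "reg_pass-data.zip",
                     "question_list.zip", "list.zip", "downloadm.zip", "mail_body.zip"}
SOBER_INNER_EXE = "file-packed_datainfo.exe"  # name inside the .zip, per the alert


def classify(raw: bytes) -> dict:
    # Parse one raw RFC 822 message and collect indicator hits.
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    hits = []
    if subject.lower() in SOBER_SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() in SOBER_ATTACHMENTS:
            hits.append("attachment-name")
        data = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                inner = [n.lower() for n in zf.namelist()]
            if SOBER_INNER_EXE in inner:
                hits.append("zip-contains-sober-exe")
            elif any(n.endswith(".exe") for n in inner):
                hits.append("zip-contains-exe")  # generic: executable inside a zip
    # The exact inner file name is strong on its own; a single weak hit is held for review.
    if "zip-contains-sober-exe" in hits or len(hits) >= 2:
        verdict = "block"
    else:
        verdict = "flag" if hits else "clean"
    return {"subject": subject, "hits": hits, "verdict": verdict}


def make_sample(subject: str, attachment_name: str, inner_name: str) -> bytes:
    # Constructed test message: a zip holding placeholder bytes, not a real binary.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder-not-a-real-binary")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", subject
    msg.set_content("See the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=attachment_name)
    return msg.as_bytes()
```

Calling `classify(make_sample("Your IP was logged", "reg_pass.zip", "File-packed_dataInfo.exe"))` returns a "block" verdict with all three hits, while a message that only reuses one of the subject lines is merely flagged.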
MinJun
Advanced Member
Thanks Vic, this new Sober one is really bothering my mailbox these days.

To check if you're infected or not, you might download the new version (22.11.2005) of the "Stinger" tool from McAfee. It's free and needs no installation.

Stinger v.2.5.9
http://vil.nai.com/vil/stinger/

Stinger is able to detect the following bad guys and their variants:
BackDoor-AQJ
BackDoor-ALI
BackDoor-CEB
BackDoor-JZ
Bat/Mumu.worm
Downloader-DN.a
Exploit-DcomRpc
Exploit-LSASS
Exploit-MS04-011
HideWindow
IPCScan
IRC/Flood.ap.dr
IRC/Flood.bi.dr
IRC/Flood.cd
NTServiceLoader
ProcKill
PWS-Narod
PWS-Sincom.dll
W32/Anig.worm
W32/Bagle@MM
W32/Blaster.worm (Lovsan)
W32/Bropia.worm
W32/Bugbear@MM
W32/Deborm.worm.gen
W32/Doomjuice.worm
W32/Dumaru
W32/Elkern.cav
W32/Fizzer.gen@MM
W32/FunLove
W32/IRCbot.worm
W32/Klez
W32/Korgo.worm
W32/Lirva
W32/Lovgate
W32/Mimail
W32/MoFei.worm
W32/Mumu.b.worm
W32/MyDoom
W32/Nachi.worm
W32/Netsky
W32/Nimda
W32/Pate
W32/Polybot
W32/Sasser.worm
W32/Sdbot.worm.gen
W32/SirCam@MM
W32/Sober
W32/Sobig
W32/SQLSlammer.worm
W32/Swen@MM
W32/Yaha@MM
W32/Zafi
W32/Zindos.worm
W32/Zotob.worm
BUDDiE
chee -- cina
Dang, so many aliases and other features of this virus - gotta keep a good watch out, but I never open any attachments and such.

THANKS FOR THE WARNING!!
--Cina.
BUT ORIGINALLY
--Chee.
Seoul Survivor
Thanks Jay!
Thanks Minjun!!

//Seoul
Angus Mac
Resident Watchdog
Thanks. That explains all the spam I got on Saturday and Sunday.
Woof!