There are very interesting details in Trend Micro's writeup.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EAD&VSect=T

i.e. it uses its own SMTP server plus a hardcoded list of accounts and
IDs at 27 ISPs, and it terminates the Microsoft Windows Malicious
Software Removal Tool.

It may be worth mentioning that the BANNAME list that Darin provided
will be useful for those of us using F-Prot only, as they are still not
detecting the variant I've been receiving since this thread started.

Andrew 8)
 

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Tuesday, November 15, 2005 6:05 AM
> To: Declude.Virus@declude.com
> Subject: Re: [Declude.Virus] New Sober to be released, 
> possible variation?
> 
> Most of the new Sober variants are expected to be low volume, so 
> I'm not surprised that Netsky.P continues to outstrip them.
> 
> Security vendors are varying as to what they are detecting 
> with 6 new Sober variants yesterday and today.  Best bet is 
> to ban the files at least until virus definition files have 
> caught up.  We keep the bans in place for the usual overlap 
> in new variants.
> 
> Darin.
> 
> 
> ----- Original Message -----
> From: "Markus Gufler" <[EMAIL PROTECTED]>
> To: <Declude.Virus@declude.com>
> Sent: Tuesday, November 15, 2005 8:44 AM
> Subject: RE: [Declude.Virus] New Sober to be released, 
> possible variation?
> 
> 
> Thank you Darin.
> 
> Just curious after watching our virus logfiles today:
> can anyone else confirm that there are only a few of 
> today's new virus and far more Netsky (mostly the .P variant) 
> showing up in the logfiles?
> 
> Today I've had some reports that certain variants of the new 
> virus slipped through while it was definitively catching some others.
> 
> Markus
> 
> 
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> > Sent: Tuesday, November 15, 2005 2:33 PM
> > To: Declude.Virus@declude.com
> > Subject: Re: [Declude.Virus] New Sober to be released,
> > possible variation?
> >
> > I just went through all of the reports.  Here's a list of new
> > filenames to
> > ban:
> >
> > # Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
> > BANNAME email_photo.zip
> > BANNAME excel_table.zip
> > BANNAME liste.zip
> > BANNAME reg_text.zip
> > BANNAME registration.zip
> > BANNAME tabelle.zip
> >
> >
> > Darin.
> >
> >
> > ----- Original Message ----- 
> > From: "Doug Anderson" <[EMAIL PROTECTED]>
> > To: <Declude.Virus@declude.com>
> > Sent: Tuesday, November 15, 2005 8:24 AM
> > Subject: Re: [Declude.Virus] New Sober to be released,
> > possible variation?
> >
> >
> > Looks like varying attachment names. I got one that's excel_table.zip
> >
> > ----- Original Message ----- 
> > From: "David Dodell" <[EMAIL PROTECTED]>
> > To: "John T (Lists)" <Declude.Virus@declude.com>
> > Sent: Tuesday, November 15, 2005 6:50 AM
> > Subject: Re: [Declude.Virus] New Sober to be released,
> > possible variation?
> >
> >
> > > Monday, November 14, 2005, 10:50:00 PM, John T (Lists) wrote:
> > >
> > >> Sophos is now calling it Sober-R.
> > >
> > > Possible variation received this morning ... the text discussed
> > > receiving a problem email, and the attachment was email_photo.zip
> > >
> > > ---
> > > This E-mail came from the Declude.Virus mailing list.  To
> > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > type "unsubscribe Declude.Virus".    The archives can be found
> > > at http://www.mail-archive.com.
> > >
> > > [This E-mail scanned for viruses by Declude Virus]
> > >
> > >
> > >
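An added example, not part of the thread or of Declude's own code: a small Python check that reads the BANNAME lines Darin posted and flags matching attachment names in a message. The exact, case-insensitive match on the base filename and the sample message are assumptions made for illustration.

```python
import email
from email import policy

# BANNAME directives as posted in the thread.
CONFIG = """\
# Added 11/15/2005 to handle new Sober.R, S, T, U, V, W variants
BANNAME email_photo.zip
BANNAME excel_table.zip
BANNAME liste.zip
BANNAME reg_text.zip
BANNAME registration.zip
BANNAME tabelle.zip
"""

def parse_bannames(text):
    """Return the banned filenames from BANNAME lines, lower-cased."""
    banned = set()
    for line in text.splitlines():
        directive, _, value = line.strip().partition(" ")
        if directive.upper() == "BANNAME" and value.strip():
            banned.add(value.strip().lower())
    return banned

def banned_attachments(raw_message, banned):
    """List attachment filenames in a raw message that are on the ban list."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # falls back to the Content-Type name=
        if not name:
            continue
        # Assumption: compare the base name only, ignoring case and any path.
        base = name.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
        if base in banned:
            hits.append(name)
    return hits

# Constructed sample message (not a real capture): one banned, one benign part.
SAMPLE = (
    b"From: a@example.test\r\nTo: b@example.test\r\nSubject: test\r\n"
    b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="B"\r\n\r\n'
    b"--B\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    b'--B\r\nContent-Type: application/zip; name="Excel_Table.ZIP"\r\n'
    b'Content-Disposition: attachment; filename="Excel_Table.ZIP"\r\n\r\nx\r\n'
    b"--B\r\nContent-Type: application/pdf\r\n"
    b'Content-Disposition: attachment; filename="report.pdf"\r\n\r\nx\r\n'
    b"--B--\r\n"
)

if __name__ == "__main__":
    print(banned_attachments(SAMPLE, parse_bannames(CONFIG)))
```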