November 23, 2005 10:02 AM PST

Latest Sober threatens e-mail gateways

The latest Sober worm, first spotted over the weekend, has generated the vast majority of virus-laden e-mail traffic in the past 24 hours and could cause problems for corporate e-mail gateways, security companies said.

This variant of Sober generates e-mails that purport to be from the CIA or FBI. These messages tell the recipient they have been looking at illegal Web sites and should answer some questions in the e-mail's attachment. If the attachment is opened, the computer is infected, and the virus sends copies of itself to any e-mail addresses found on the hard drive.

Allan Bell, the marketing director at McAfee Australia, said that over the past 24 hours more than 90 percent of all virus-laden e-mails monitored by its partner Postini contained a copy of Sober.

"(Sober) was generating around 15 million out of 16.8 million (virus-infected e-mails), so about 90 percent of the traffic is this particular virus," Bell said.

Bell called the virus "prolific," saying it is capable of generating large volumes of traffic. That flood could slow or even overload many e-mail gateways, in a way that resembles a denial-of-service attack, which attempts to overwhelm a targeted system with excess data requests.

"When they generate a lot of traffic, they themselves become a bit of a denial-of-service (attack), because your mail gateway needs to process, identify and then block (them). Just processing that stuff can slow everything down and stop good e-mails," Bell said.

British antivirus software maker Sophos said the virus is slightly less widespread than McAfee claims, but admitted its effect has been significant. According to Sophos's data, Sober now accounts for more than 65 percent of all virus traffic. That figure has climbed from 35 percent when the company first issued its alert, and makes Sober by far the most prevalent virus.

Graham Cluley, the senior technology consultant at Sophos, said that the virus's clever social engineering had helped it become so widespread: "Every law-abiding citizen wants to help the police with their enquiries, and some will panic that they might be being falsely accused of visiting illegal Web sites and want to click on the unsolicited e-mail attachment."

McAfee this morning raised the threat level of Sober to "medium," based on the amount of e-mail traffic it has generated. Other security companies have also raised the alert for the new Sober worm variant.

F-Secure has rated it a Radar Level 1 Alert, which is the highest alert on its three-step rating system. The Finland-based company said on its Web site that "several millions of infected e-mails have been seen by Internet operators over the last hours."

Symantec rates it a "level 3" threat, with level 5 being the most severe. In a statement Wednesday, the company said it has detected more than 1,600 potential threats from among its corporate customers, and over 300 from consumers, since Nov. 19.

Trend Micro, similarly, has issued a "medium" alert.

While the worm variant is named differently by the security vendors, the Common Malware Enumeration system, launched last month, labels the new threat CME-681.

Munir Kotadia of ZDNet Australia reported from Sydney. Vivian Yeo of ZDNet Asia contributed to this report.

13 comments

We're looking good
Our sonicwalls are bouncing all of them and we're only at about 30% CPU usage which is normal for us.
Posted by Mr. Network (94 comments )
Bouncing to whom?
If you're bouncing to the sender address, you're as much a problem as the virus itself.

Bouncing to the sender's IP address, Mr. Network smart-guy? The virus does not ACCEPT mail.

So unless you are REJECTING the mail in the SMTP dialogue as it is coming in and/or discarding it, you are part of the problem...
Posted by (11 comments )
Media hype again
While this is a threat, it's not going to budge corporate infrastructure. Why don't journalists phone up corporations and ask them how badly affected they are by virii, instead of listening to AV vendors who are reading data from honey nets?
Posted by n3td3v (3164 comments )
Not really
Having worked for some Fortune 5 companies I can tell you the littlest mailer worm like this can bring corporate networks to a standstill, delaying legit emails up to 48 hours. It's a big deal for large corporations, but not so bad for us.
Posted by Mr. Network (94 comments )
A quick fix...
just add the below lines into your sendmail /etc/mail/access file to block this virus, then you are free from attack:

Admin@cia.gov REJECT
Department@cia.gov REJECT
Mail@cia.gov REJECT
Office@cia.gov REJECT
Post@cia.gov REJECT
Admin@fbi.gov REJECT
Department@fbi.gov REJECT
Mail@fbi.gov REJECT
Office@fbi.gov REJECT
Post@fbi.gov REJECT
Posted by Tomofumi (83 comments )
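The two comments above make a pair of related points: the "A quick fix..." comment lists sendmail access-file entries for the forged cia.gov and fbi.gov sender addresses, and the "Bouncing to whom?" comment stresses that such mail should be rejected inside the SMTP dialogue rather than accepted and bounced, since the forged sender will never receive the bounce. The Python below is an added example, not sendmail code and not from the original page or the commenters: it parses text laid out like the posted access-file entries (the sample entries are a constructed copy of those lines), then simulates the MAIL FROM step of an SMTP session and answers with a 550 reply for REJECT entries so that no bounce is ever created. The lookup order (full address, then the domain and its parents), the case-insensitive comparison, and the reply texts are assumptions of this toy filter.

```python
"""Toy SMTP-time sender filter driven by sendmail-style access entries.

Added example, not sendmail's own code. It only checks the envelope sender
(MAIL FROM) and returns the SMTP reply a gateway would give: 550 for a
REJECT entry, 250 otherwise. Rejecting at this stage means the message is
never accepted, so no bounce goes to the forged sender address.
"""

from dataclasses import dataclass

# Constructed sample in access-file layout: the entries from the comment above.
SAMPLE_ACCESS_FILE = """
# sender addresses forged by this Sober variant (constructed sample)
Admin@cia.gov       REJECT
Department@cia.gov  REJECT
Mail@cia.gov        REJECT
Office@cia.gov      REJECT
Post@cia.gov        REJECT
Admin@fbi.gov       REJECT
Department@fbi.gov  REJECT
Mail@fbi.gov        REJECT
Office@fbi.gov      REJECT
Post@fbi.gov        REJECT
"""


def parse_access_file(text):
    """Return {key: ACTION} from access-file-style text.

    Blank lines and '#' comments are skipped. Keys are folded to lower case
    (assumption of this toy parser: matching is case-insensitive).
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed access entry: {raw!r}")
        key, action = parts
        table[key.lower()] = action.strip().upper()
    return table


@dataclass
class SmtpReply:
    code: int
    text: str


def check_mail_from(sender, table):
    """Decide the reply to 'MAIL FROM:<sender>' using the parsed table.

    Lookup goes most-specific first: the full address, then the domain, then
    each parent domain (assumed order, modelled on common access-map usage).
    A 5xx reply refuses the message during the dialogue instead of bouncing.
    """
    addr = sender.strip().lower().strip("<>")
    candidates = [addr]
    if "@" in addr:
        labels = addr.split("@", 1)[1].split(".")
        for i in range(len(labels)):
            candidates.append(".".join(labels[i:]))
    for key in candidates:
        action = table.get(key)
        if action == "REJECT":
            return SmtpReply(550, "5.7.1 Sender address rejected")
        if action == "OK":
            return SmtpReply(250, "2.1.0 Sender ok")
    return SmtpReply(250, "2.1.0 Sender ok")


def simulate_dialogue(senders, table):
    """Run a batch of MAIL FROM commands; return (accepted, rejected) lists."""
    accepted, rejected = [], []
    for s in senders:
        reply = check_mail_from(s, table)
        (rejected if reply.code >= 500 else accepted).append(s)
    return accepted, rejected


if __name__ == "__main__":
    table = parse_access_file(SAMPLE_ACCESS_FILE)
    # Constructed envelope senders: two forged worm senders, one ordinary one.
    senders = ["<Office@fbi.gov>", "<post@CIA.gov>", "<alice@example.org>"]
    accepted, rejected = simulate_dialogue(senders, table)
    for s in rejected:
        print(f"MAIL FROM:{s} -> 550 rejected in-dialogue (no bounce generated)")
    for s in accepted:
        print(f"MAIL FROM:{s} -> 250 accepted")
```

Because the worm forges the sender, a gateway that accepts the message and then bounces it only adds a second unwanted message to the flood; the 550 reply in the dialogue is what keeps the gateway from becoming part of the problem the second commenter describes.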
Configuration
I would love to try this, but I don't know how. Can you help me? All of a sudden, I'm getting 100s of e-mails a day in Yahoo. I hardly ever had it before. I've checked for a virus and nothing shows up, but I must have something on my computer that I can't get rid of.
Posted by marykn (1 comment )
Hello? Mail server virus scan anyone?
Why is it ISPs can't just run a simple virus scanner to delete (or better yet report to the originating IP) these viruses before they enter users' mailboxes? The domain hosts I use all do this and I only get a few initial e-mail-borne viruses when they are just released.
Posted by CMatrix (20 comments )
Sober Worm Virus
Since November 23, I have received 122 of the type messages noted in the CNET articles. I have not opened any of the attachments. I called my service provider but they couldn't give me any info on how I get them to stop coming to my email inbox. They are still coming but now my Norton Anti-Virus software is deleting the attachments. Will they ever stop???? Joan Fosdick
Posted by jfosdick (1 comment )
W32 Sober x virus attack on Symantec files
My LiveUpdate kept saying no connection, I manually downloaded the latest signature file and scanned and Norton AV said it found the W32 Sober x variant on a few files including the LUall.exe file but it could not fix them. I had to download a special tool from the Symantec site to fix it.
Posted by duc900rider (3 comments )