We are able to obtain samples of a new variant or the Sober worm through our handy dandy email honeypot system at approximately 8am this morning. Staying true to its Sober-like characteristics, this worm spreads via email and uses its own SMTP engine.
As of the moment, we have an incident count of 300 emails intercepted by the honeypot, and counting.
For further details, refer to the virus report which is now available for your viewing pleasure.
As of the moment, we have an incident count of 300 emails intercepted by the honeypot, and counting.
For further details, refer to the virus report which is now available for your viewing pleasure.
We have received and still are receiving samples of repacked versions of WORM_SOBER.AC. Yes, you read it right, versionS. This means that there are more samples flooding in with basically the same charateristics, yet with various MD5 hashes.
The email details of these repacked versions are different from the previous one. All of the samples from the new wave of WORM_SOBER.AC are packed using the same packer–FSG. These samples have added garbage codes. These garbge codes vary from sample to sample. Samples with the same garbage codes all have the same MD5. The difference in garbage code accounts for the difference in MD5. This is contrary to the initial loads of previous WORM_SOBER.AC samples which are UPX-packed, all with a constant MD5 value.
The email details of these repacked versions are different from the previous one. All of the samples from the new wave of WORM_SOBER.AC are packed using the same packer–FSG. These samples have added garbage codes. These garbge codes vary from sample to sample. Samples with the same garbage codes all have the same MD5. The difference in garbage code accounts for the difference in MD5. This is contrary to the initial loads of previous WORM_SOBER.AC samples which are UPX-packed, all with a constant MD5 value.
In case there’s any confusion here is an explanation on the “REPACKED” version of this worm
For the purpose of discussion, lets call the WORM_SOBER.AC packed with UPX as WORM_SOBER_UPX and the so called repacked version as WORM_SOBER_FSG since its packed with FSG.
When I executed WORM_SOBER_FSG it dropped and executed a copy of WORM_SOBER_UPX. Which means WORM_SOBER_FSG is just a trojan dropper for WORM_SOBER_UPX.
Hope that clears things out…
For the purpose of discussion, lets call the WORM_SOBER.AC packed with UPX as WORM_SOBER_UPX and the so called repacked version as WORM_SOBER_FSG since its packed with FSG.
When I executed WORM_SOBER_FSG it dropped and executed a copy of WORM_SOBER_UPX. Which means WORM_SOBER_FSG is just a trojan dropper for WORM_SOBER_UPX.
Hope that clears things out…
We are now receiving a new version of WORM_SOBER.AC. Insted of FSG it is now packed with MEW.
So we now have
So we now have
- WORM_SOBER.AC (upx packed) – Actual WORM that spreads.
- WORM_SOBER.AC (FSG packed) – Dropper for WORM_SOBER.AC(UPX PACKED)
- WORM_SOBER.AC (MEW packed) – Dropper for WORM_SOBER.AC(UPX PACKED)