
Thread: W32/Sober@MM!M681

  1. #1 (Member, joined Aug 2004, 95 posts)

    W32/Sober@MM!M681

    I get a lot of e-mails generated by what McAfee calls W32/Sober@MM!M681 and Trend calls WORM_SOBER.AG.

    We are not able to do anything with the spam feature, as these are not spam e-mails as such. These are spam e-mails generated by a virus.

    Please suggest a solution.

    Thanks all

  2. #2 foxyloxley (They call me the Hunted, joined Nov 2003, location: 3rd Rock from Sun, 2,534 posts)
    am I to understand that you are getting a LOT of virus loaded mails ?
    that they are known about [hence the McAfee / Trend links]
    and that you are wondering what to do ?

    if your filters are stopping them ? then you need do nothing, bar emptying the filter folder every now and again...

    if they are getting into your inbox ? then add it to your junk mail filter / spam fighter et al and follow the point above.

    HTH
    Pax
    so now I'm in my SIXTIES FFS
    WTAF, how did that happen, so no more alterations to the sig, it will remain as is now

    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  3. #3 (Member, joined Aug 2004, 95 posts)
    The virus attached is being removed by my Trend at the gateway.
    But I do get these spam mails into our inbox; we want to prevent them completely from coming in. As these are not spam mails, my spam filter is not able to block them.

    Is there any way to stop this?

    Thanks for replying.

  4. #4

    CME-681: Sober variant from FBI/CIA etc

    I'm seeing a truly massive amount of activity on a new Sober variant claiming to be from the FBI, CIA or various other agencies.

    It's been tagged as CME-681, see http://cme.mitre.org/data/list.html#681 which is variously:

    CA: Win32.Sober.W
    F-Secure: Sober.Y
    Kaspersky: Email-Worm.Win32.Sober.y
    McAfee: W32/Sober@MM!M681
    Norman: W32/Sober.AA@mm
    Panda: W32/Sober.AH.worm
    Sophos: W32/Sober-Z
    Symantec: W32.Sober.X@mm
    TrendMicro: WORM_SOBER.AG
    F-Secure make a mention of it in their weblog: http://www.f-secure.com/weblog/
    Lots of good links here: http://isc.sans.org/diary.php?storyid=880

    The interesting thing about this one is the social engineering aspect. So, even if you have up-to-date signatures for this particular virus, it's quite likely that the "from the FBI" approach will be used for new viruses too, so perhaps you may want to check out the articles and apply some filtering to your inbound mail as a precaution.

  5. #5 nihil (Senior Member, joined Jul 2003, location: United Kingdom: Bridlington, 17,188 posts)
    Do you have a policy regarding the treatment of e-mail attachments?

    Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files (executables in other words). If you have no organisational need for attachments you can block the lot.


  6. #6 (Member, joined Aug 2004, 95 posts)
    We need to send a lot of data outside in zip attachments.
    The e-mails we receive come with zip attachments or are just plain mails without any attachment.
    We have blocked the other extensions you have mentioned, but blocking zip will not be in our business interest.

    We do have a very clear policy on e-mail.

  7. #7 nihil (Senior Member, joined Jul 2003, location: United Kingdom: Bridlington, 17,188 posts)
    I have merged Dynamoo's thread with this one as it seems more sensible to keep all discussions and suggestions together.

    anban, I am afraid I have only used Trend in home and small business environments. Is there an option to just delete/drop/bounce infected items... then at least they would not get into your mailbox?


  8. #8
    Zip files are the killer, because we *do* use those, every other type of executable is blocked, although for 1000 users we only receive about 20 zip files a day, almost all of which are sent manually.

    In one of our other regions, they do block Zip files too.

    Ultimately there's a trade-off between user convenience and security, but to be honest I'd be happy to block Zips and have the users manually rename them. The problem is, this is when security meets politics in any business, which is never a good thing.

    (btw shouldn't this be in the Virus forum, not the Adware one?)
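    A middle path between blocking every zip and letting them all through is to open each zip attachment only far enough to read its member names, and quarantine archives that wrap executables. This is an added example, not code from the thread or from any product named in it; the extension list beyond the ones nihil gave (.com, .cmd), the allow/block/quarantine policy and the sample message are my own assumptions.

```python
# Attachment triage for inbound mail (assumed policy, see lead-in).
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default
from typing import List, Tuple

# Extensions named in the thread plus .com and .cmd (assumed additions).
BLOCKED_EXT = (".vbs", ".bat", ".exe", ".pif", ".scr", ".com", ".cmd")

def risky_name(name: str) -> bool:
    """True if the name ends in a blocked extension; also catches 'x.pdf.exe'."""
    lowered = name.lower()
    return any(lowered.endswith(ext) for ext in BLOCKED_EXT)

def zip_contains_executable(data: bytes) -> bool:
    """Read member names only; no member content is ever extracted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(risky_name(info.filename) for info in zf.infolist())
    except zipfile.BadZipFile:
        return True  # unreadable archive: cannot be inspected, so hold it

def classify_message(raw: bytes) -> List[Tuple[str, str]]:
    """Return (filename, verdict) per attachment: allow, block or quarantine."""
    msg = email.message_from_bytes(raw, policy=default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if risky_name(name):
            verdicts.append((name, "block"))
        elif name.lower().endswith(".zip") and zip_contains_executable(payload):
            verdicts.append((name, "quarantine"))
        else:
            verdicts.append((name, "allow"))
    return verdicts

def build_sample() -> bytes:
    """Constructed message: a benign zip and a zip wrapping a double-extension .exe."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "data"
    msg.set_content("See attached.")
    for zip_name, member in (("report.zip", "report.csv"), ("info.zip", "info.pdf.exe")):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(member, b"placeholder bytes")  # not a real executable
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename=zip_name)
    return bytes(msg)
```

    Running `classify_message(build_sample())` lets the plain data zip through and quarantines the one hiding an .exe, which is the kind of rule a gateway could apply before mail reaches the users' inboxes.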

  9. #9
    We're seeing a huge flood of virus-laden traffic in and out of one of our sites. The gateway scanners may not be picking up on all the latest Sober variants, as per the Internet Storm Center yesterday, and it is hard to pick out the bad attachments.

    http://isc.sans.org/diary.php?storyid=880

    Somebody released a bunch of stuff just before the long US holiday, just outta sheer meanness. I wanna get my big knife and do some shavin' on the sucker that started this!

  10. #10 (Senior Member, joined Jan 2003, 3,915 posts)
    Hey Hey,

    I'm also seeing a large quantity of viruses the past couple of days.

    Sober.AG, Netsky.W, PE_ZAFI.B are the top three, followed by Mytob.LP


    anban, if Trend is stopping them for you and you are getting the cleaned e-mails into the users' mailboxes, you really have nothing to worry about other than a minor annoyance. You do, however, have a couple of options... If you go into your TrendMicro ScanMail for Exchange and take a look at the settings (main pane that opens up)... you'll see options for what to do with different viruses... Change them all to either Quarantine or Delete... odds are it's just set to Clean right now.... I just did this this morning... I'm waiting to see if it helps... I'd select Quarantine just in case something valuable gets caught up in the fray....

    Anyways... That should help

    Peace,
    HT
