Worm stops spread
The Sober variant dubbed Sober.P by antivirus vendors Kaspersky and McAfee, Sober.O by Symantec, Sober.N by Sophos, and Sober.S by Trend Micro, abruptly stopped its mass-mailing at midnight GMT on May 9th. During its peak, the only other decline was seen over the weekend of May 7th and 8th, which coincided with the Mother's Day holiday in the U.S.
According to antivirus researchers at Kaspersky Labs, the Sober.P worm has entered its update phase, during which time the worm downloads files from pre-defined locations, executing those files on the impacted systems, thus launching a new round of malware infection possibly for the purpose of spam.
Social engineering the key
Sober.P relies on simple social engineering in order to compel recipients to open the infected attachment. Though the media has reported that the worm sends itself as an invitation to attend the World Cup, this particular message is extremely rare. Most often, Sober.P sends itself as a bounced/rejected message. Presumably, users curious to see what they allegedly sent are compelled to open the attachment, thus becoming infected.
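As an added illustration of how a mail gateway can screen for this lure (example code written for this page, not from the article or any vendor), the check below flags a message whose headers use bounce wording but which carries an executable or archive attachment, and shows that a genuine delivery status notification (multipart/report with report-type=delivery-status) is not flagged. Both sample messages, their addresses and the attachment name are constructed.

```python
from email import message_from_bytes, policy

# Constructed samples (addresses and names are made up). The first imitates the
# "rejected message" lure described above; the second is the shape of a real DSN.
FAKE_BOUNCE = b"""From: "Mail Delivery System" <mailer-daemon@example.invalid>
Subject: Returned mail: Delivery failed
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your message was rejected. The original message is attached.
--b1
Content-Type: application/octet-stream; name="mail_text.exe"
Content-Disposition: attachment; filename="mail_text.exe"

AAAA
--b1--
"""
GENUINE_DSN = b"""From: Mail Delivery System <mailer-daemon@example.invalid>
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b2"

--b2
Content-Type: message/delivery-status

Action: failed
--b2--
"""
BOUNCE_WORDS = ("returned mail", "delivery failed", "undeliverable", "rejected", "mail delivery")
RISKY_EXT = (".exe", ".pif", ".scr", ".com", ".bat", ".zip")

def risky_attachments(msg):
    """Filenames of attached parts whose extension is executable or an archive."""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    return [n for n in names if n.endswith(RISKY_EXT)]

def flag_fake_bounce(raw: bytes) -> dict:
    """Flag a message that talks like a bounce but carries a risky attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    header_text = (msg.get("Subject", "") + " " + msg.get("From", "")).lower()
    bounce_wording = any(w in header_text for w in BOUNCE_WORDS)
    # A real DSN is multipart/report with report-type=delivery-status (RFC 3464)
    # and carries no executable; the worm only imitates the wording.
    genuine_dsn = (msg.get_content_type() == "multipart/report"
                   and msg.get_param("report-type") == "delivery-status")
    risky = risky_attachments(msg)
    return {"suspicious": bounce_wording and bool(risky),
            "attachments": risky, "genuine_dsn": genuine_dsn}
```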
Detection and removal are difficult
Once a system has become infected, Sober.P prevents other programs from accessing its files, thus some antivirus software may be unable to detect its presence on an already infected system. And some antivirus software that may be able to detect the in-memory process may still be unable to stop the process and thus unable to remove the worm.
The free McAfee AVERT Stinger tool has been updated to detect and remove the Sober.P worm from infected systems. However, Stinger can only detect Sober.P if the system has been booted in Safe Mode.
Additionally, older versions of Stinger do not detect Sober.P (even in Safe Mode), thus you must download the latest version of Stinger (dated on or after May 2, 2005). While Stinger is an excellent tool, it is designed to detect and remove only a relatively small number of viruses and does not prevent virus infection. Thus it should not be considered a substitute for antivirus software.