Sober Virus (CME-151)
There are reports of a new Sober variant circulating on the net. Each antivirus vendor names it differently, but thanks to the Common Malware Enumeration (CME) effort it has a single identifier: CME-151.

This variant picks its email message at random from a set of texts in either German or English. We have received several reports from our readers; one reader forwarded us the following message body:

Danke für Ihre Mail ....
Sie haben aber Ihre Mail wahrscheinlich falsch adressiert,,, nämlich an mich. Ich kenne sie aber nicht!
Oder Ihr Provider hat die Mail falsch weiter geleitet!?
Um mich zu entlasten, schicke ich Ihnen das (...) Foto wieder zurück.

(English translation of the German lure above: "Thanks for your mail .... But you probably addressed your mail wrongly,,, namely to me. I don't know you, though! Or your provider forwarded the mail incorrectly!? To clear myself, I am sending the (...) photo back to you.")

This virus arrives with one of the following attachment names:
* KlassenFoto.zip
* pword_change.zip

Inside the ZIP archive is a file named PW_Klass.Pic.packed-bitmap.exe.
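The two indicators above (the attachment names and the member name with its stacked extensions) are easy to turn into a mail-gateway check. The following is an added example, not code from the diary or from any antivirus vendor; the list of executable extensions is an assumed policy list, and the ZIP it inspects is constructed in memory with harmless filler bytes so the script runs offline.

```python
import io
import zipfile

# Attachment names reported for this Sober variant (CME-151), as listed in the diary.
KNOWN_ATTACHMENT_NAMES = {"KlassenFoto.zip", "pword_change.zip"}
# Member name reported inside the ZIP archive.
KNOWN_MEMBER_NAMES = {"PW_Klass.Pic.packed-bitmap.exe"}
# Extensions Windows will execute directly (assumed policy list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def member_findings(member_name):
    """Return the reasons a single ZIP member looks suspicious (empty if none)."""
    reasons = []
    if member_name in KNOWN_MEMBER_NAMES:
        reasons.append("known CME-151 member name")
    base = member_name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) >= 2 and "." + parts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("executable member")
        # "Pic.packed-bitmap.exe": several extensions, the last one executable,
        # an earlier one posing as an image. Flag that separately.
        if len(parts) >= 3:
            reasons.append("double extension (%s)" % base)
    return reasons


def inspect_zip_attachment(attachment_name, zip_bytes):
    """Check one e-mail attachment against the diary's indicators.

    Returns {'block': bool, 'reasons': [...]}; an unreadable archive is
    blocked too, since a gateway cannot vouch for what it could not open."""
    reasons = []
    if attachment_name in KNOWN_ATTACHMENT_NAMES:
        reasons.append("known CME-151 attachment name")
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                for reason in member_findings(info.filename):
                    reasons.append("%s: %s" % (info.filename, reason))
    except zipfile.BadZipFile:
        reasons.append("attachment is not a valid ZIP archive")
    return {"block": bool(reasons), "reasons": reasons}


def build_sample_zip(member_name, payload=b"constructed filler, not a program"):
    """Construct an in-memory ZIP for testing; the payload is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample mirroring the diary's indicators.
    sample = build_sample_zip("PW_Klass.Pic.packed-bitmap.exe")
    print(inspect_zip_attachment("KlassenFoto.zip", sample))
    # Constructed benign archive for comparison.
    print(inspect_zip_attachment("photos.zip", build_sample_zip("holiday.jpg")))
```

The double-extension test is the part worth keeping after this particular variant is gone: name lists age quickly, but an archive member whose final extension is executable and whose earlier extension pretends to be a picture is a durable signal.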

More details are available from the antivirus vendors' write-ups:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.q@mm.html
http://vil.nai.com/vil/content/v_136390.htm
http://uk.trendmicro-europe.com/consumer/vinfo/encyclopedia.php?VName=WORM_SOBER.AC

Koon Yaw
