Company News
New Report on the Sober Triggered Action in January
Tue, 13 December 2005
H+BEDV Antivirus Labs specialists today warn of the recently reported Sober action scheduled for the beginning of January.
Thorough technical analysis has produced new findings: H+BEDV virus researchers disassembled the worm's code, simulated the actions Sober is expected to take in January and confirmed the result through behavior analysis. The outcome is that Sober does carry a specific payload to execute in a few weeks' time, but on January 6, not on January 5 as specialists had claimed last week.
According to H+BEDV antivirus experts, the worm synchronizes its clock via the NTP protocol rather than trusting the local system time. As a result, every infected computer fires the update routine at the same instant, January 6 at 00:00 UTC, regardless of the time zone or local clock setting of the individual system. In other words, all systems previously infected by Sober will start the update process simultaneously, whether that is midnight in London, 1:00 am in Paris and Berlin, or 3:00 am in Moscow.
For its update routine, Sober connects to a series of URLs from which it downloads certain files. Virus researchers have found that this list contains 15 URLs and changes every 14 days. Should the update cycle continue, the worm would work through no fewer than 25 different lists by the end of the year, corresponding to 375 URLs hosted on the following domains:
people.freenet.de, scifi.pages.at, home.pages.at, free.pages.at, home.arcor.de
At the moment the exact URLs do not yet exist; the virus author may create them only minutes before the content is uploaded and the update is triggered on Sober-infected systems. H+BEDV antivirus researchers are therefore continuously monitoring the domains listed above, and any information regarding URLs intended for Sober will be disclosed promptly.
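Because the trigger is tied to NTP time rather than to each machine's local clock, a detection rule that looks for the update polls has to normalize log timestamps to UTC before comparing them with the trigger instant; a rule written in local time will miss or mis-date the polls from machines in other zones. The following script is an added example for this page, not H+BEDV's code: it parses a few constructed proxy-log lines (the log format, the client addresses and the 24-hour watch window are assumptions), converts each timestamp to UTC, and flags requests to the five domains named above that fall within the window after 2006-01-06 00:00 UTC.

```python
"""Flag proxy-log requests to the domains Sober is expected to poll,
normalising each timestamp to UTC so that the NTP-synchronised trigger
(2006-01-06 00:00 UTC) is matched regardless of the client's local zone.
Added example; not code from the original advisory."""
import re
from datetime import datetime, timedelta, timezone

# Domains named in the H+BEDV advisory.
SOBER_UPDATE_DOMAINS = {
    "people.freenet.de", "scifi.pages.at", "home.pages.at",
    "free.pages.at", "home.arcor.de",
}
TRIGGER_UTC = datetime(2006, 1, 6, 0, 0, tzinfo=timezone.utc)
# Assumed watch window: from the trigger instant to 24 h after it.
WINDOW = timedelta(hours=24)

# CLF-style proxy line: client, local time with zone offset, method, URL.
# This format is an assumption; the advisory does not specify a log format.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)'
)
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)", re.I)


def parse_line(line):
    """Return client, UTC timestamp, host and URL of one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # %z consumes the "+0100"-style offset; astimezone() folds it into UTC.
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    host = HOST_RE.match(m["url"])
    return {"client": m["client"], "utc": ts,
            "host": host.group(1).lower() if host else "", "url": m["url"]}


def in_trigger_window(utc_time):
    """True if the UTC instant lies in [trigger, trigger + WINDOW)."""
    return TRIGGER_UTC <= utc_time < TRIGGER_UTC + WINDOW


def find_sober_polls(lines):
    """Return (client, utc_iso, url) for every in-window hit on a Sober domain."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] not in SOBER_UPDATE_DOMAINS:
            continue
        if in_trigger_window(rec["utc"]):
            hits.append((rec["client"], rec["utc"].isoformat(), rec["url"]))
    return hits


# Constructed sample log lines (not real traffic). The Berlin entry is
# 01:00 local (+0100) and the Moscow entry 03:00 local (+0300): both are
# the same UTC instant as the London entry at 00:00.
SAMPLE_LOG = [
    '10.0.0.5 [06/Jan/2006:00:00:03 +0000] "GET http://people.freenet.de/x/update.txt HTTP/1.0" 404 0',
    '10.0.1.7 [06/Jan/2006:01:00:12 +0100] "GET http://home.arcor.de/y/list.txt HTTP/1.0" 404 0',
    '10.0.2.9 [06/Jan/2006:03:00:45 +0300] "GET http://scifi.pages.at/z/ HTTP/1.0" 404 0',
    # 22:30 UTC on 5 January: before the trigger, so not reported.
    '10.0.3.2 [05/Jan/2006:23:30:00 +0100] "GET http://free.pages.at/early/ HTTP/1.0" 200 512',
    # Unrelated host inside the window: not reported.
    '10.0.4.4 [06/Jan/2006:00:05:00 +0000] "GET http://www.example.com/ HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for client, when, url in find_sober_polls(SAMPLE_LOG):
        print(f"{when} {client} -> {url}")
```

The three reported lines share the same UTC minute although their local timestamps differ by up to three hours, which is exactly the behaviour the NTP synchronisation produces; the line from 23:30 Berlin time on 5 January is correctly left out because it precedes the trigger in UTC.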
Considering the magnitude of the Sober.Y blitz on the Internet since the beginning of November, the consequences of this worm's planned actions would be difficult to assess in realistic terms. In order to prevent another blast of infections or any traffic clogging, H+BEDV Antivirus Labs specialists urge computer users to keep updated AV shields up and running at all times. Furthermore, our virus experts recommend that all those who do not use a security solution and might be in danger download and run AntiVir Removal Tool for Windows, a free application designed to detect and remove this calamitous threat.
About H+BEDV Datentechnik
H+BEDV Datentechnik GmbH has specialized in developing cross-system business security solutions since 1988. Its clients include leading national and international enterprises, both for-profit and non-profit, as well as various educational institutions and public entities.
Besides its extensive product portfolio for Microsoft Windows systems, the company is an emerging technology leader in the growing market for Linux operating systems. H+BEDV Datentechnik GmbH already offers high-performance solutions for file servers, web servers, mail servers and workstations.
The AntiVir scanner was again awarded the Virus Bulletin 100% Award in 2005 and has a current certification by the German quality assurance authority TÜV.
In addition to its own distribution channels, H+BEDV Datentechnik GmbH has a comprehensive network of resellers in Europe and throughout the world. The company also works closely with the German Federal Office for Information Security (BSI).
Company Contact: Adela Kohl/Gernot Hacker H+BEDV Datentechnik GmbH Lindauer Str. 21 D-88069 Tettnang Telephone: +49 (0) 7542-500 0 Fax: +49 (0) 7542-525 10 Email: presse@antivir.de
Press Contact: Jacklin Montag Lewis Communications GmbH Baierbrunner Strasse 15 D-81379 München Telephone: +49 (0) 89 1730 19 19 Fax: +49 (0) 89 1730 19 99 Email: antivir@lewispr.com