Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Virus Advisory: McAfee Avert Raises Risk Assessment to Medium on New W32/Sober.d@MM Worm

  • 09 March, 2004 08:27

<p>For further information or comment, please contact Allan Bell directly on the details below:</p>
<p>Allan Bell - Marketing Director,
Network Associates
0412 411 929 or
02 9761 4229</p>
<p>McAfee AVERT Raises Risk Assessment to Medium Based on Increased Prevalence</p>
<p>SYDNEY, March 9 - Network Associates, the leading provider of intrusion prevention solutions, today announced that McAfee AVERT (Anti-Virus and Vulnerability Emergency Response Team), the world-class anti-virus research division of Network Associates, raised the risk assessment to medium on the recently discovered W32/Sober.d@MM, also known as Sober.d. Sober.d is a prolific worm that spreads via email, sending itself to addresses found on the victim's machine. The worm has many of the same functionalities as its W32/Sober.c@MM predecessor. The worm was first reported to McAfee AVERT researchers earlier today and to date, McAfee AVERT has received more than 100 reports of the virus in the wild. Most of these reports have been from corporations in Europe, with a majority coming from Germany.</p>
<p>Sober.d is an Internet worm that once activated, emails itself to addresses found on the victim's machine. The worm contains a hoax type social engineering technique, which includes an outgoing message that claims to contain a patch by Microsoft for the W32/Mydoom@MM virus. The message is written in either English or German, comes in the form of an .EXE or .ZIP file and contains a varying filename. User's would need to manually run the attachment in order to be infected and should immediately delete any email containing the following:</p>
<p>From: (sender )@microsoft.(country ) where sender is taken from the following list:</p>
<p>-- Info</p>
<p>-- Center</p>
<p>-- UpDate</p>
<p>-- News</p>
<p>-- Help</p>
<p>-- Studio</p>
<p>-- Alert</p>
<p>-- Security</p>
<p>And country is taken from the following list:</p>
<p>-- de</p>
<p>-- ch</p>
<p>-- at</p>
<p>-- il</p>
<p>Subject: Varies, and contains random characters. For German and English messages respectively, the subject line starts:</p>
<p>-- Microsoft Alarm: Bitte Lessen!</p>
<p>-- Microsoft Alert: Please Read!</p>
<p>Body of email: Here in English and received by those with a .de email address in German</p>
<p>Email Body Text: New MyDoom Virus Variant Detected!</p>
<p>A new variant of the W32. Mydoom (W32.Novarg) worm spread rapidly through the Internet.</p>
<p>Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus.</p>
<p>The worm also has a backdoor Trojan capability. By default, the Trojan component listens on port 13468.</p>
<p>Please download this digitally signed attachment.</p>
<p>This Update includes the functionality of previously released patches.</p>
<p>+++ One Microsoft Way, Redmond, Washington 98052</p>
<p>+++ Restricted Rights at 48 CFR 52.227-19 com</p>
<p>After being executed, Sober.d emails itself out as an attachment with a random filename. The virus installs itself to the system directory, %SYSDIR%, of the victim's machine using one of the possible filenames that are constructed from a string pool carried within the worm. The worm is difficult to find and hides from many anti-virus scanners.</p>
<p>Immediate information and cure for this virus can be found online at the Network Associates McAfee AVERT site located at . Users of McAfee Security solutions should update their systems from that page and use the 4.2.40 or later scanning engine with the 4334 DATs to stop the spread and potential damage of the worm.</p>
<p>Network Associates McAfee(R) Protection-in-Depth(TM) Strategy delivers the industry's only complete set of system and network protection solutions differentiated by intrusion prevention technology that can detect and block these types of attacks. This allows customers to protect themselves while they plan their patch deployment strategy.</p>
<p>McAfee AVERT Labs is one of the top-ranked anti-virus and vulnerability research organizations in the world, employing more than 100 researchers in offices on five continents. McAfee AVERT protects its customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.</p>
<p>About Network Associates</p>
<p>With headquarters in Santa Clara, California, Network Associates, Inc. creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. Offering two families of products, McAfee System Protection Solutions, securing desktops and servers, and McAfee Network Protection Solutions, ensuring the protection and performance of the corporate network, Network Associates offers computer security to large enterprises, governments, small and medium sized businesses, and consumers. For more information, Network Associates can be reached on the Internet at .</p>
<p>NOTE: Network Associates, McAfee and AVERT are either registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the United States and/or other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners.</p>

Most Popular