"Not on the 5th, but on the 6th", AVIRA Antivirus Experts Claim
AVIRA Antivirus Labs specialists warn about the Sober-triggered action recently reported for the beginning of January.
Technical analyses have led to new findings: AVIRA virus researchers have disassembled the worm’s code, simulated Sober’s anticipated actions in January and tried to make a positive identification through behavior analysis. It turned out that Sober does have a specific payload to carry out in a few weeks’ time, but not on January 5, as specialists had claimed last week; the date is January 6.
According to AVIRA antivirus experts, the worm synchronizes its clock via the NTP protocol. This means that all infected computers update at the same moment, regardless of the local time on a given system: the worm will initiate its update routine on January 6 at 00:00 UTC. In other words, all systems previously infected by Sober will start the update process simultaneously, whether that is midnight in London, 1:00 am in Paris and Berlin, or 3:00 am in Moscow.
For its update routine, Sober connects to a series of URLs from which it downloads certain files. Virus researchers have found that this list changes every 14 days and that each list contains 15 URLs. Should the update cycle continue, the worm would have to check no less than 25 different lists by the end of the year, corresponding to 375 URLs hosted on the following domains:
people.freenet.de
scifi.pages.at
home.pages.at
free.pages.at
home.arcor.de
At the moment, no exact URLs exist; the virus author may create them only minutes before the content is uploaded and the update is triggered on Sober-infected systems. However, AVIRA antivirus researchers are constantly monitoring the above-mentioned domains, and any information regarding Sober’s intended URLs will be disclosed promptly.
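One way a network defender can watch for the synchronised update traffic described above, as an added example that is not AVIRA’s own tooling: it flags proxy requests to the five hosting domains named here and reports which clients hit them in the minutes after the 00:00 UTC trigger. The log format and the sample lines are constructed for this example, and the URL paths are placeholders, not real Sober URLs.

```python
"""Flag outbound requests to the free-hosting domains named in the advisory
and report clients that hit them in the window after the 2006-01-06 00:00 UTC
trigger. Log format and sample lines are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Domains on which the advisory expects the update URLs to be hosted.
WATCHED_DOMAINS = ("people.freenet.de", "scifi.pages.at", "home.pages.at",
                   "free.pages.at", "home.arcor.de")
# NTP-synchronised trigger, hence a single UTC instant for every infected host.
TRIGGER_UTC = datetime(2006, 1, 6, 0, 0, tzinfo=timezone.utc)

def is_watched(url):
    """True if the URL's host is one of the watched domains or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

def parse_line(line):
    """Constructed proxy log format: '<epoch> <client_ip> <method> <url>'."""
    epoch, client, _method, url = line.split()[:4]
    return datetime.fromtimestamp(float(epoch), tz=timezone.utc), client, url

def clients_in_trigger_window(lines, window_minutes=10):
    """Map client -> watched URLs requested within window_minutes after the trigger.
    These are legitimate free-hosting sites, so one hit is weak evidence; many
    distinct clients fetching from them in the same short window is the signal."""
    end = TRIGGER_UTC + timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    for line in lines:
        when, client, url = parse_line(line)
        if TRIGGER_UTC <= when < end and is_watched(url):
            hits[client].append(url)
    return dict(hits)

# Constructed sample log: three clients in the window, one two hours earlier,
# one request to an unrelated host. Paths are placeholders, not real Sober URLs.
T = int(TRIGGER_UTC.timestamp())
SAMPLE_LOG = [
    f"{T + 2} 10.0.0.11 GET http://people.freenet.de/PLACEHOLDER/x.dat",
    f"{T + 3} 10.0.0.12 GET http://home.arcor.de/PLACEHOLDER/x.dat",
    f"{T + 4} 10.0.0.13 GET http://free.pages.at/PLACEHOLDER/x.dat",
    f"{T - 7200} 10.0.0.14 GET http://scifi.pages.at/PLACEHOLDER/x.dat",
    f"{T + 5} 10.0.0.15 GET http://www.example.com/index.html",
]

if __name__ == "__main__":
    for client, urls in sorted(clients_in_trigger_window(SAMPLE_LOG).items()):
        print(client, urls)
```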
Considering the magnitude of the Sober.Y blitz on the Internet since the beginning of November, the consequences of this worm’s planned actions are difficult to assess in realistic terms. In order to prevent another wave of infections or any traffic congestion, AVIRA Antivirus Labs specialists urge computer users to keep updated AV shields up and running at all times. Furthermore, our virus experts recommend that all those who do not use a security solution and might be at risk download and run the AVIRA Removal Tool for Windows, a free application designed to detect and remove this calamitous threat.