NTA Monitor

Date: 30th December 2004
Risk: Medium

Security firms are warning about a PC virus that comes back from the dead. The newest variant in the Sober family of Windows viruses resurrects itself if some of the parts it has previously left on infected machines are not deleted. The virus also tries to trick people into opening infected attachments by claiming that the message has been passed as clean by anti-virus scanners.

Computer security firms warned people to be suspicious of unsolicited emails bearing attachments. The first Sober virus appeared in late October 2003 and was most prevalent in Germany.

The latest Sober-I variant, which debuted on 19 November 2004, is more international in flavour and uses several new tricks to try to preserve itself and fool people into opening it, infecting their Windows machine. The virus places two small files into the memory of any machine that it infects. If either one of these files is manually deleted, its partner will resurrect the missing file.

Similar tactics have been seen in "spyware" programs that capture information about browsing habits, but it is believed that this is the first time such a tactic has been used by a computer virus.

In an attempt to reassure people that it is benign, the virus adds text to the messages it travels in that claims the email has been scanned and found clean by anti-virus programs. The message can use any one of 150 separate subject lines and the message forming its body can be generated from short strings of text that it carries with it.

The infectious attachments bearing the virus code try to hide by labelling themselves as either a screensaver (scr), batch (bat), information (pif) or command (com) file.
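
One way a mail gateway could check for the two traits described above (the attachment types and the "scanned clean" reassurance), as an added example that is not part of the original advisory. The reassurance patterns, function names and sample messages are constructed, since the advisory quotes no exact wording.

```python
import os
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment types the advisory names for Sober-I.
RISKY_EXTENSIONS = {".scr", ".bat", ".pif", ".com"}

# Constructed patterns: the advisory quotes no exact "scanned clean" text.
CLEAN_CLAIM = re.compile(
    r"no virus(es)? (was |were )?found|scanned .{0,40}anti-?virus", re.I)


def inspect_message(raw: bytes) -> dict:
    """Flag risky attachment names and a self-declared 'clean' stamp."""
    msg = message_from_bytes(raw, policy=policy.default)
    risky = []
    for part in msg.walk():  # walk() also reaches nested MIME parts
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots/spaces, so "x.scr." still runs as .scr
        name = name.rstrip(". ").lower()
        # splitext takes the LAST extension, so "invoice.txt.pif" -> ".pif"
        if os.path.splitext(name)[1] in RISKY_EXTENSIONS:
            risky.append(name)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return {
        "risky_attachments": risky,
        "claims_clean": bool(CLEAN_CLAIM.search(text)),
        # The attachment type alone is enough to hold the message; the
        # in-body "clean" claim is recorded but never treated as evidence.
        "quarantine": bool(risky),
    }


def build_sample(filename: str, body: str) -> bytes:
    """Build a constructed test message (not a real Sober-I sample)."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(body)
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    print(inspect_message(build_sample(
        "invoice.txt.pif", "Scanned by anti-virus: no virus found.")))
```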

Anyone clicking on the attachment could leave themselves open to more infections, as the virus disables many of the security features used to keep machines virus-free. Once installed, the mass mailer scours a Windows machine for addresses and then uses its own built-in email software to send itself to potential new victims.

Mail filtering and scanning firm Blackspider Technologies said it had seen more than 1 million copies of the virus in the first few hours of its appearance. The Sober-I virus can infect machines running Windows 2000, 95, 98, Me, NT, XP and Windows Server 2003.
