curtis Posted December 9, 2005 There have been reports that the new year will start with a bang, possibly on the 5th of January or 6th of January, when a new SOBER variant is suspected to be released by the same group that caused the recent WORM_SOBER.AG outbreak in November. The reports may have been based on the analysis that WORM_SOBER.AG will download an executable file (Sober.exe) possibly on either January 5, 2006 or January 6, 2006 from certain URLs that are hard-coded and encrypted within the SOBER.AG worm. These "predefined" URLs are not the exact sites that may be used - an algorithm based on the date is used to generate the exact URLs that will be used on the target date itself.
TCH-Bruce Posted December 9, 2005 My virus-laden emails had slowed up until today, when I got another large batch of them. Can't wait for the next go-round. Everybody make sure your virus definitions are updated!
TCH-Rob Posted December 9, 2005 F-Secure cracked the code. The list is as follows:

http://people.freenet.de/gixcihnm/
http://people.freenet.de/tobtrfjabzw/
http://people.freenet.de/utzmfucaau/
http://people.freenet.de/phyibrpkcpl/
http://people.freenet.de/lhxrdryo/
http://people.freenet.de/yediykdq/
http://people.freenet.de/bjjhdkybpyaj/
http://scifi.pages.at/agzytvfbybn/
http://home.pages.at/bdalczxpctcb/
http://free.pages.at/ftvuefbumebug/
http://home.arcor.de/ijdsqkkxuwp/
http://home.arcor.de/ldhdytdu/
http://home.arcor.de/wdqodvdhwwese/
http://home.arcor.de/frweemrecuvw/
http://home.arcor.de/nulmjznomnt/

Right now, none of these URLs exist. If they are to be used, the virus writer will register them just before the activation. However, the list will change every 14 days, and the first change will happen already on 6th of January. Then the list becomes:

http://people.freenet.de/mookflolfctm/
http://people.freenet.de/aohobygi/
http://people.freenet.de/wlpgskmv/
http://people.freenet.de/svclxatmlhavj/
http://people.freenet.de/jpjpoptwql/
http://people.freenet.de/iohgdhkzfhdzo/
http://people.freenet.de/eetbuviaebe/
http://scifi.pages.at/vvvjkhmbgnbbw/
http://home.pages.at/twfofrfzlugq/
http://free.pages.at/sfhfksjzsfu/
http://home.arcor.de/qlqqlbojvii/
http://home.arcor.de/fulmxct/
http://home.arcor.de/fowclxccdxn/
http://home.arcor.de/lnzzlnbk/
http://home.arcor.de/rprpgbnrppb/
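A practical use of the two lists above is to watch a web proxy for machines that try to fetch from them. The following is an added example, not code from the thread or from F-Secure: it parses Squid-style access-log lines, matches each request against the two published lists, and reports whether the list that was hit was the one in effect on that date. The log lines are constructed; the Squid native log format and UTC timestamps are assumed; and the second list is assumed to expire on 19 January 2006 only because the post says the list rotates every 14 days and gives no later list. The real date-based URL generator is not on the page and is not reproduced here.

```python
# Added example (not from the original thread): match web-proxy access-log lines
# against the two Sober download-site lists TCH-Rob reposted from F-Secure.
# Assumptions: Squid native access.log format, UTC timestamps, constructed log
# lines; the second list is assumed to expire 14 days after 6 January 2006
# because the post says the list rotates every 14 days and gives no later list.
from datetime import date, datetime, timezone
from urllib.parse import urlsplit

# List in effect up to and including 5 January 2006 (from the post).
SOBER_URLS_UNTIL_JAN5 = [
    "http://people.freenet.de/gixcihnm/", "http://people.freenet.de/tobtrfjabzw/",
    "http://people.freenet.de/utzmfucaau/", "http://people.freenet.de/phyibrpkcpl/",
    "http://people.freenet.de/lhxrdryo/", "http://people.freenet.de/yediykdq/",
    "http://people.freenet.de/bjjhdkybpyaj/", "http://scifi.pages.at/agzytvfbybn/",
    "http://home.pages.at/bdalczxpctcb/", "http://free.pages.at/ftvuefbumebug/",
    "http://home.arcor.de/ijdsqkkxuwp/", "http://home.arcor.de/ldhdytdu/",
    "http://home.arcor.de/wdqodvdhwwese/", "http://home.arcor.de/frweemrecuvw/",
    "http://home.arcor.de/nulmjznomnt/",
]
# List in effect from 6 January 2006 (from the post); the 19 January end is assumed.
SOBER_URLS_FROM_JAN6 = [
    "http://people.freenet.de/mookflolfctm/", "http://people.freenet.de/aohobygi/",
    "http://people.freenet.de/wlpgskmv/", "http://people.freenet.de/svclxatmlhavj/",
    "http://people.freenet.de/jpjpoptwql/", "http://people.freenet.de/iohgdhkzfhdzo/",
    "http://people.freenet.de/eetbuviaebe/", "http://scifi.pages.at/vvvjkhmbgnbbw/",
    "http://home.pages.at/twfofrfzlugq/", "http://free.pages.at/sfhfksjzsfu/",
    "http://home.arcor.de/qlqqlbojvii/", "http://home.arcor.de/fulmxct/",
    "http://home.arcor.de/fowclxccdxn/", "http://home.arcor.de/lnzzlnbk/",
    "http://home.arcor.de/rprpgbnrppb/",
]
ROTATION = [
    (date.min, date(2006, 1, 5), SOBER_URLS_UNTIL_JAN5),
    (date(2006, 1, 6), date(2006, 1, 19), SOBER_URLS_FROM_JAN6),
]


def active_list(day):
    """Return the list the post says is in effect on `day` ([] if the page gives none)."""
    for start, end, urls in ROTATION:
        if start <= day <= end:
            return urls
    return []


def normalise(url):
    """(host, path) with a lower-cased host, so scheme/port differences do not hide a hit."""
    parts = urlsplit(url)
    return parts.hostname or "", parts.path


def matching_indicator(url, urls):
    """Return the indicator whose host matches and whose directory prefixes `url`'s path."""
    host, path = normalise(url)
    for ind in urls:
        ihost, ipath = normalise(ind)
        if host == ihost and path.startswith(ipath):
            return ind
    return None


def parse_squid_line(line):
    """Squid native format: <unix ts> <elapsed> <client> <code/status> <bytes> <method> <url> ..."""
    f = line.split()
    if len(f) < 7:
        return None
    when = datetime.fromtimestamp(float(f[0]), tz=timezone.utc)
    return {"when": when, "client": f[2], "url": f[6]}


def scan_log(lines):
    """Flag requests to any listed site; `active` says whether that list was current that day."""
    hits = []
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        day = rec["when"].date()
        for _, _, urls in ROTATION:
            ind = matching_indicator(rec["url"], urls)
            if ind:
                hits.append({"client": rec["client"], "url": rec["url"], "day": day,
                             "indicator": ind, "active": urls is active_list(day)})
                break
    return hits


# Constructed sample log lines (not real traffic): 20 Dec 2005, 6 Jan, 9 Jan, 4 Jan 2006.
SAMPLE_LOG = [
    "1135080000.101    87 10.0.0.5 TCP_MISS/404 412 GET http://people.freenet.de/gixcihnm/Sober.exe - DIRECT/1.2.3.4 text/html",
    "1136548800.220   102 10.0.0.7 TCP_MISS/200 25600 GET http://home.arcor.de/fulmxct/Sober.exe - DIRECT/1.2.3.5 application/octet-stream",
    "1136808000.330    90 10.0.0.5 TCP_MISS/404 412 GET http://people.freenet.de/gixcihnm/Sober.exe - DIRECT/1.2.3.4 text/html",
    "1136376000.440    45 10.0.0.9 TCP_HIT/200 1200 GET http://people.freenet.de/unrelatedpage/ - NONE/- text/html",
    "malformed line",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["day"], h["client"], h["url"], "ACTIVE" if h["active"] else "stale-list")
```

Matching is on host plus directory prefix rather than the full URL, because the post only gives the directories; whatever file name the worm actually requests underneath them is what the prefix match is meant to catch. A hit against a list that was no longer current (the third sample line) is still reported, since a machine reaching for any of these directories is worth a look even if the rotation has moved on.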
Madmanmcp Posted December 10, 2005

> F-Secure cracked the code. The list is as follows

Then the solution is simple and the threat can be stopped before it gets here... lock up those domain names and nothing can be downloaded.

> However, the list will change every 14 days,

And with the above solution this is stopped also, since the only change that's made is to the subfolder name used... the subdomains and top-level domains remain the same. Yes, I realize these are not US-controlled domains... but this is a threat to the whole world, and the country that controls those domains should be able to be convinced to do something about it.
Madmanmcp Posted December 10, 2005 Ok, after looking at the domains in question, locking the domain may not be as simple as I assumed. These sites are free web hosting companies, and locking them would affect their business. But just allowing hackers to use their service for this type of activity would also affect their bottom line, with all the legal problems that would follow. Hopefully they will come up with some other solution before the actual date arrives.