Thursday, January 14, 2010


At my day job, part of my duties are as a sysadmin. That includes managing our mailserver and the flow of mail in and out. We run TrendMicro's ScanMail (and love it) and it checks every hour for new updates. When it scans mail that has a virus, it sends me a report of it and also flags when we have blocked greater than X virus messages over some short time period and then it calls that an Outbreak.

Well, today I noticed a huge number of viruses getting stopped and multiple times it alerted me to an Outbreak.

The virus that we are seeing an Outbreak of is the WORM_SOBER.S virus. On TrendMicro's main page they are listing it as their top threat (I think top in terms of most hits, not as in most dangerous, since it is listed as a "medium" severity virus). Its listed aliases are "W32.Sober.O@mm", "W32/Sober.p@MM", "W32/Sober-N", "Sober.P", and "Email-Worm.Win32.Sober" - which name it gets pretty much just depends on which virus scanner catches it.

I'm seeing this one on some of my home accounts too - it will add in a note that it has been scanned by whatever your domain is, which is designed to make you think it is safe to open the attachment. Then when you do, it grabs your addresses and propagates itself that way.

As is very common these days, only Windows machines are susceptible to this at this time. Also note that it doesn't appear to do any damage to your machine, aside from angering the people who get it from you, and taking up bandwidth.

Normally I don't mention these sorts of things, but in this case the volume I am seeing right now is much larger than most outbreak conditions I have seen here in the past.
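The outbreak alerting described at the top of the post (more than X blocked virus messages in a short window) is easy to reproduce for your own mail logs. The following is an added example, not ScanMail's code or output; the comma-separated log layout and the sample lines are constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp,action,virus_name" layout.
SAMPLE_LOG = """\
2010-01-14 09:00:05,blocked,WORM_SOBER.S
2010-01-14 09:02:10,blocked,WORM_SOBER.S
2010-01-14 09:03:41,clean,-
2010-01-14 09:05:00,blocked,WORM_SOBER.S
2010-01-14 09:07:30,blocked,WORM_SOBER.S
2010-01-14 09:08:15,blocked,WORM_SOBER.S
2010-01-14 11:30:00,blocked,WORM_SOBER.S
"""


def parse_line(line):
    """Split one log line into (timestamp, action, virus name)."""
    ts, action, name = line.strip().split(",", 2)
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), action, name


def find_outbreaks(log_text, threshold=4, window=timedelta(minutes=10)):
    """Return (virus_name, alert_time) pairs, one per outbreak episode.

    An outbreak is declared when more than `threshold` messages carrying the
    same virus name are blocked within `window`. The alert re-arms only after
    the rate drops back to the threshold or below, so a sustained flood does
    not produce one alert per message.
    """
    recent = {}      # virus name -> deque of block timestamps inside the window
    alerted = set()  # virus names currently in an outbreak episode
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, name = parse_line(line)
        if action != "blocked":
            continue
        q = recent.setdefault(name, deque())
        q.append(ts)
        while q and ts - q[0] > window:  # drop blocks older than the window
            q.popleft()
        if len(q) > threshold:
            if name not in alerted:
                alerts.append((name, ts))
                alerted.add(name)
        else:
            alerted.discard(name)
    return alerts
```

With the sample lines, the fifth WORM_SOBER.S block at 09:08:15 falls within ten minutes of the first, so one outbreak is reported; the isolated block at 11:30 does not trigger a second one.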

