Preemptive Protection against WORM_SOBER.I (a new variant of the Sober worm)
| Attack ID: | CPAI-2004-58 |
| Publish Date: | |
| Last Update: | |
| Category: | Worms and Viruses |
| Vulnerable Systems: | Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP |
| Source: | Zone Labs Virus Information Center |
| Description: | WORM_SOBER.I is a mass-mailing worm that uses its own mail engine to spread by sending itself as an email attachment to addresses gathered from the infected computer. |
| Severity: | |
| Details: | The subject of the email varies and will be in either English or German. The email sender address is spoofed. The name of the email attachment varies, and it will have a .bat, .com, .pif, .scr, or .zip file extension. The attachment may also have a double extension. |
| Attack Detection: | Users of VPN-1 FP3 and above who have applied the solution outlined below will receive the following logging information: "reason: Forbidden MIME attachment stripped". Users of InterSpect 2.0 will receive the following logging information: |
| Solution: | Users of VPN-1 FP3 and above who have applied the solution outlined in CPSA-2004-05 are already protected against the propagation of this worm. For detailed configuration instructions, refer to CPSA-2004-05. InterSpect 2.0 blocks the propagation of this worm by blocking direct host access to mail servers that do not belong to the organization and, as such, may be considered a security hazard. Users of InterSpect 2 who have applied the solution outlined in CPAI-2004-50 are already protected against the propagation of this worm. |
| Industry Reference: | |
| Additional Information: | |
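
The attachment traits listed under Details can be checked on a mail gateway or in a mailbox sweep. The following is an added example, not part of the original advisory and not Check Point code: it parses a raw message and reports attachments whose names end in one of the listed extensions, noting a double extension where present. The function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the advisory lists for WORM_SOBER.I attachments.
SOBER_EXTENSIONS = {".bat", ".com", ".pif", ".scr", ".zip"}


def check_filename(name):
    """Return the reasons one attachment name matches the advisory."""
    # Windows ignores trailing dots and spaces, so drop them before testing.
    cleaned = name.strip().rstrip(". ").lower()
    base = cleaned.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    reasons = []
    if len(parts) >= 2 and "." + parts[-1] in SOBER_EXTENSIONS:
        reasons.append("listed extension ." + parts[-1])
        inner = parts[-2]
        # Double extension: a short alphanumeric suffix (not a version
        # number such as "2") sitting in front of the final extension.
        if len(parts) >= 3 and inner.isalnum() and not inner.isdigit() \
                and len(inner) <= 4:
            reasons.append("double extension .%s.%s" % (inner, parts[-1]))
    return reasons


def scan_message(raw_bytes):
    """Map each matching attachment name in a raw message to its reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.walk():
        # get_filename() reads Content-Disposition, then Content-Type "name".
        name = part.get_filename()
        if name and check_filename(name):
            findings[name] = check_filename(name)
    return findings


def build_sample(filename):
    """Constructed message; the attachment body is harmless placeholder text."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Because .zip attachments are common in legitimate mail, a match on that extension alone is a triage signal rather than a verdict.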