W32/Sober.gen@MM

Type: Virus
SubType: Email Generic
Discovery Date: 04/07/2004
Length: Varies
Minimum DAT: 4312 (12/31/2003)
Updated DAT: 4984 (03/14/2007)
Minimum Engine: 5.1.00
Description Added: 04/15/2004
Description Modified: 05/02/2007 2:47 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update 1st May 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.pcmag.com/article2/0,1895,2124414,00.asp

-- Update 1st May 2007 --

A recent variant was found being spammed with one of the following subject headers:

  • Error in your eMail
  • Your Updated Password!
  • Ihr Account wurde eingerichtet!
  • Ihr Passwort wurde geaendert!
  • Fehlerhafte Mailzustellung

This variant is proactively detected as W32/Sober.gen@MM starting with the 4889 DATs and the 5.1.00 engine when heuristics are enabled in mail scanning products. General detection for all other products is available from the 4890 DATs and the 5.1.00 engine, or newer.

-- Update 7th March 2005 --
W32/Sober.m@MM is proactively detected as W32/Sober.gen@MM with the 4432 DAT files, or newer, and the 4.3.20 engine, or newer (with scanning of compressed files enabled).
--

-- Update 13th June 2004 --
W32/Sober.h is proactively detected as W32/Sober.gen@MM since the 4349 DATs and 4.3.20 engine (with scanning of compressed files enabled).
--

This is a generic detection for W32/Sober variants. To obtain maximum detection, please bear the following considerations in mind:

  • Use the latest scanning engine. The 4.4.40 scanning engine contains greater detection capabilities than the 4.3.20.
  • Ensure the scanning of compressed files is enabled. The W32/Sober variants tend to be packed, and generic detections such as this one require decompression to be enabled in the AV scanning engine.

Proactive Detection
W32/Sober.g@MM is proactively detected as W32/Sober.gen@MM since the 4349 DATs, with the 4.3.20 engine (with scanning of compressed files enabled - default setting).

Symptoms

Method of Infection

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
