The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

F-Secure : News from the Lab – Sober.Y reminder

Wednesday, January 4, 2006

Sober.Y reminder Posted by Jarkko @ 14:46 GMT

Just to remind you, Sober.Y update phase starts on 6th day. This means that
all machines infected by Sober.Y try to download and execute code from
certain addresses. If you want block these addresses at your firewall, here
is the list again. The actual filename is left intentionally out from the
addresses.

The most likely set of download URLs is:

people.freenet.de/zmnjgmomgbdz/
people.freenet.de/smtmeihf/
people.freenet.de/qisezhin/
people.freenet.de/fseqepagqfphv/
people.freenet.de/urfiqileuq/
people.freenet.de/wjpropqmlpohj/
people.freenet.de/mclvompycem/
scifi.pages.at/zzzvmkituktgr/
home.pages.at/npgwtjgxwthx/
free.pages.at/emcndvwoemn/
home.arcor.de/ocllceclbhs/
home.arcor.de/dixqshv/
home.arcor.de/srvziadzvzr/
home.arcor.de/nhirmvtg/
home.arcor.de/jmqnqgijmng/

However, in some circumstances, Sober might try to access some of the
following URLs:

people.freenet.de/mookflolfctm/
people.freenet.de/aohobygi/
people.freenet.de/wlpgskmv/
people.freenet.de/svclxatmlhavj/
people.freenet.de/jpjpoptwql/
people.freenet.de/iohgdhkzfhdzo/
people.freenet.de/eetbuviaebe/
scifi.pages.at/vvvjkhmbgnbbw/
home.pages.at/twfofrfzlugq/
free.pages.at/sfhfksjzsfu/
home.arcor.de/qlqqlbojvii/
home.arcor.de/fulmxct/
home.arcor.de/fowclxccdxn/
home.arcor.de/lnzzlnbk/
home.arcor.de/rprpgbnrppb/
people.freenet.de/iufilfwulmfi/
people.freenet.de/xbqyosoe/
people.freenet.de/nkxlvcob/
people.freenet.de/svclxatmlhavj/
people.freenet.de/bnymomspyo/
people.freenet.de/jbevgezfmegwy/
people.freenet.de/gdvsotuqwsg/
scifi.pages.at/eveocczmthmmq/
home.pages.at/doarauzeraqf/
free.pages.at/hsdszhmoshh/
home.arcor.de/dyddznydqir/
home.arcor.de/iyxegtd/
home.arcor.de/oakmanympnw/
home.arcor.de/riggiymd/
home.arcor.de/jhjhgquqssq/

These additional addresses might be produced by the URL algorithm in
certain rare conditions. We are not sure if this is the intention of the
worm author, but it might be a good idea to block all of the above addresses.

F-Secure : News from the Lab – January of 2006.

Advertisements

January 4, 2006 - Posted by | Antivirus News

No comments yet.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: