             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

              Sober.X (Y) To Download New Code On or After Jan. 6

December 15, 2005 17:00 GMT                                       Number Q-076
______________________________________________________________________________
PROBLEM:       The Sober.X (Y) worm is set to download new code from several 
               sites starting on Jan. 6, 2006 and continuing indefinitely. The 
               function of this new code is unknown at this time. 
PLATFORM:      All Windows platforms. 
DAMAGE:        This is a mass mailing worm and clogs mail servers with 
               malicious messages. The operation of the new, downloaded code 
               is unknown. 
SOLUTION:      Use updated antivirus software. Block access to the download 
               sites and watch for connection attempts to those sites. 
               Information on detection and removal is available on most 
               antivirus sites. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Sites with up-to-date antivirus programs 
ASSESSMENT:    will already have eliminated this worm. However, should a copy 
               of the worm get by your antivirus scanning, the threat from the 
               unknown downloads is unknown at this time and could be 
               significant. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q076.shtml 
 AV SITES: Symantec: http://www.symantec.com/avcenter/venc/data
                          /w32.sober.x@mm.html 
           F-Secure: http://www.f-secure.com/v-descs/sober_y.shtml 
                     http://www.f-secure.com/weblog/archives
                          /archive-122005.html#00000729 
______________________________________________________________________________

The Sober.X or Y variants have a download capability to download new code 
starting on January 6, 2005 and continuing, at regular intervals,
indefinitely. In order to hide the downloads and prevent the download URLs 
from being blocked, the downloads are from randomly generated URLs at the 
following free domain hosting sites. 

    people.freenet.de
    scifi.pages.at
    free.pages.at
    home.arcor.de

For example, starting January 6 and continuing for 14 days, the URLs are,

    home.arcor.de/dixqshv/
    people.freenet.de/wjpropqmlpohj/
    people.freenet.de/zmnjgmomgbdz/
    people.freenet.de/mclvompycem/
    home.arcor.de/jmqnqgijmng/
    people.freenet.de/urfiqileuq/
    home.arcor.de/nhirmvtg/
    free.pages.at/emcndvwoemn/
    people.freenet.de/fseqepagqfphv/
    home.arcor.de/ocllceclbhs/
    scifi.pages.at/zzzvmkituktgr/
    people.freenet.de/qisezhin/
    home.arcor.de/srvziadzvzr/
    people.freenet.de/smtmeihf/

At the end of fourteen days they will change to a new set of random URLs. 
While most of the connection attempts will be to non-existant URLs, the virus 
writer knows in advance what the URLs will be on any particular day. Thus, 
when he wants to upload new code, he simply registers the appropriate URL and 
uploads the new code.

It is unknown what this new code will do, and can be whatever the virus writer
chooses. As such, sites should block access to these four domains starting on 
or before January 6 and continuing for several weeks. Sites should also watch 
for any connection attempts to these domains. Any connections to these 
domains, failed or otherwise, could point to an infected system. The domains 
are free hosting services in Germany and Austria and blocking them for a 
period of time should not impact your operations.
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Verisign’s iDefense for the heads-up and list of download sites.
______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-066: Cisco IOS HTTP Server Command Injection Vulnerability
Q-067: RealNetworks Security Update
Q-068: 'xpdf' Vulnerability
Q-069: Sun Java System Communications Services Vulnerability
Q-070: Sun Java System Application Server Reverse SSL Proxy Plugin 
       Vulnerability
Q-071: HP-UX Running IPSec Remote Unauthorized Access
Q-072: Sun Update Connection Web Proxy Password Disclosure Vulnerability
Q-073: IBM Tivoli Directory Server Vulnerability
Q-074: Cumulative Security Update for Internet Explorer
Q-075: Vulnerability in Windows Kernel