             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
             __________________________________________________________

                             INFORMATION BULLETIN

                MS Advisory Win32/Sober.Z@mm on January 6, 2006
                    [Microsoft Security Advisory (912920)]

January 4, 2006 18:00 GMT                                         Number Q-086
______________________________________________________________________________

PROBLEM:       This is a notification of increased possible activity on
               January 6, 2006, that is related to the Win32/Sober.Z@mm worm
               and the availability of mitigations against this potential
               threat.

PLATFORM:      Related Software
               Microsoft Windows 2000 Service Pack 4
               Microsoft Windows XP Service Pack 1
               Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
               Microsoft Windows XP Service Pack 2
               Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
               Microsoft Windows XP Professional x64 Edition
               Microsoft Windows Server 2003
               Microsoft Windows Server 2003 for Itanium-based Systems
               Microsoft Windows Server 2003 Service Pack 1
               Microsoft Windows Server 2003 with SP1 for Itanium-based
                 Systems
               Microsoft Windows Server 2003 x64 Edition
               Microsoft Windows 98, Microsoft Windows 98 Second Edition
                 (SE), and Microsoft Windows Millennium Edition (ME)

DAMAGE:        Sober is a worm that affects Windows-based computers and
               requires users to execute a malicious file attachment in
               e-mail or by clicking a link that has an infected attachment.
               Once the file attachment is executed, this worm and its
               variants will attempt to send themselves to all the contacts
               in a computer's address book. Users may already be protected
               from Sober and its variants if up-to-date versions of
               antivirus software are installed.

SOLUTION:      Use the Microsoft Windows Malicious Software Removal Tool,
               Safety.live.com, or Windows OneCare to search for and remove
               the Sober worm and its variants from infected systems.
______________________________________________________________________________

VULNERABILITY  The risk is HIGH. Sober is a worm that affects Windows-based
ASSESSMENT:    computers and requires users to execute a malicious file
               attachment in e-mail or by clicking a link that has an
               infected attachment. Once the file attachment is executed,
               this worm and its variants will attempt to send themselves to
               all the contacts in a computer's address book. Users may
               already be protected from Sober and its variants if up-to-date
               versions of antivirus software are installed.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-086.shtml
 ORIGINAL BULLETIN:  Microsoft Security Advisory (912920)
                     http://www.microsoft.com/technet/security/advisory/912920.mspx
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
______________________________________________________________________________

[***** Start Microsoft Security Advisory (912920) *****]

Microsoft Security Advisory (912920)
Systems that are infected with Win32/Sober.Z@mm may download and run
malicious files from certain Web domains beginning on January 6, 2006

Published: January 3, 2006

Microsoft is aware of the Sober mass mailer worm variant named
Win32/Sober.Z@mm. The worm tries to entice users through social engineering
efforts into opening an attached file or executable in e-mail. If the
recipient opens the file or executable, the worm sends itself to all the
contacts that are contained in the system's address book. Customers who are
using the most recent and updated antivirus software are at a reduced risk
from infection by the Win32/Sober.Z@mm worm.

On systems that are infected by Win32/Sober.Z@mm, the malware is programmed
to download and run malicious files from certain Web domains beginning on
January 6, 2006.
Beginning approximately every two weeks thereafter, the worm is set to begin
downloading and running malicious files from additional sites on the same Web
domains. As with all currently known variants of the Sober worm, the worm
does not appear to target a security vulnerability, but rather relies on the
user opening an infected attachment.

Microsoft added detection for the latest Sober variants in its December 2005
update to the Malicious Software Removal Tool and in the Windows Live Safety
Center. Customers who believe that they are infected with Sober or are not
sure whether they are infected should visit Safety.live.com and choose
"Protection Scan" or run the latest version of the Malicious Software Removal
Tool from either Microsoft Update or Windows Update to ensure that their
systems are free of infection. Additionally, Windows OneCare from Microsoft
provides detection for and protection against Sober and its known variants.

Microsoft will release an updated version of the Malicious Software Removal
Tool on January 10, 2006, that will further assist in the detection and
removal of known malware threats including Sober and its known variants. See
Microsoft Knowledge Base Article 891716 for additional details on how to
deploy the Malicious Software Removal Tool with the latest definitions to
help protect against malware.

For more information about Sober, to help determine whether you have been
infected by the worm, and for instructions on how to repair your system if
you have been infected, see the Microsoft Virus Encyclopedia. For Microsoft
Virus Encyclopedia references, see the "Overview" section.

We continue to encourage customers to use caution with unknown file
attachments and to follow our Protect Your PC guidance of enabling a
firewall, getting software updates, and installing antivirus software.
Customers can learn more about these steps by visiting the Protect Your PC
Web site.
Mitigating Factors:

• Customers must open a malicious e-mail attachment in order to be infected
  by the worm.

General Information

Overview

Purpose of Advisory: Notification of increased possible activity on
January 6, 2006, that is related to the Win32/Sober.Z@mm worm and the
availability of mitigations against this potential threat.

Advisory Status: Advisory published

Recommendation: Review the suggested actions, and scan for and clean possible
infected systems.

References                        Identification
Microsoft Virus Encyclopedia      http://www.microsoft.com/security/encyclopedia/details.aspx?Name=Win32/Sober.Z@mm
Malicious Software Removal Tool   Microsoft Security Web site
Windows Live SafetyCenter         http://safety.live.com
Windows OneCare                   http://beta.windowsonecare.com
Symantec                          W32.Sober.X@mm
McAfee                            W32/sober@mm!m681
Trend Micro                       WORM_SOBER.AG Description and solution
CA                                Win32.Sober.W

This advisory discusses the following software.

Related Software
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1
Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
Microsoft Windows XP Service Pack 2
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME)

Suggested Actions

• Check for and remove the Sober infection.
  Use the Microsoft Windows Malicious Software Removal Tool, Safety.live.com,
  or Windows OneCare to search for and remove the Sober worm and its variants
  from infected systems.

• Monitor outbound network connections to targeted Web sites.
  • Because the Win32/Sober.Z@mm worm may download and run malicious files
    from certain Web domains beginning on January 6, 2006, attempted
    connections to the following Web sites should be monitored for signs of
    an infected host on local networks.

    Targeted Web sites
    people.freenet.de
    scifi.pages.at
    home.pages.at
    free.pages.at
    home.arcor.de

• Protect your PC.
  We continue to encourage customers to follow our Protect Your PC guidance
  of enabling a firewall, getting software updates, and installing antivirus
  software. Customers can learn more about these steps by visiting the
  Protect Your PC Web site.

• For more information about staying safe on the Internet, visit the
  Microsoft Security Home Page.

• Exercise caution opening attachments:
  As a best practice, users should always exercise extreme caution when they
  open unsolicited attachments from both known and unknown sources.

• Keep Windows Updated
  All Windows users should apply the latest Microsoft security updates to
  help make sure that their computers are as protected as possible. If you
  are not sure whether your software is up to date, visit the Windows Update
  Web site, scan your computer for available updates, and install any
  high-priority updates that are offered to you. If you have Automatic
  Updates enabled, the updates are delivered to you when they are released,
  but you have to make sure you install them.

Resources:

• You can provide feedback by completing the form by visiting the following
  Web site.

• Customers in the U.S. and Canada can receive technical support from
  Microsoft Product Support Services. For more information about available
  support options, see the Microsoft Help and Support Web site.

• International customers can receive support from their local Microsoft
  subsidiaries. For more information about how to contact Microsoft for
  international support issues, visit the International Support Web site.
• The Microsoft TechNet Security Web site provides additional information
  about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without
warranty of any kind. Microsoft disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Microsoft Corporation or its suppliers
be liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Microsoft Corporation or its suppliers have been advised of the possibility
of such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing
limitation may not apply.

Revisions:

• January 03, 2006: Advisory published

[***** End Microsoft Security Advisory (912920) *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
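The "Monitor outbound network connections to targeted Web sites" action in the advisory above can be turned into a simple log sweep. The following Python script is an added example written for this bulletin; it is not Microsoft's or CIAC's code. It parses proxy access-log lines, extracts the hostname of each requested URL and reports which internal client addresses contacted any of the five hosts the advisory lists. The log lines are constructed samples in Squid's native access.log layout (timestamp, elapsed time, client IP, result code, bytes, method, URL); the client addresses and paths are invented for the example and the matching is on exact hostnames, so a request to the bare parent domain is deliberately not flagged.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hostnames named in Microsoft Security Advisory 912920 as the sites an
# infected host may contact from January 6, 2006 onward.
SOBER_TARGET_HOSTS = frozenset({
    "people.freenet.de",
    "scifi.pages.at",
    "home.pages.at",
    "free.pages.at",
    "home.arcor.de",
})

# Constructed sample lines in Squid native access.log layout. These are not
# real traffic; the client IPs and paths are invented for the example.
SAMPLE_PROXY_LOG = """\
1136534400.123    210 10.1.4.17 TCP_MISS/200 5123 GET http://home.arcor.de/~user1/file.txt - DIRECT/1.2.3.4 text/plain
1136534401.456     95 10.1.4.22 TCP_MISS/200 1843 GET http://www.example.com/index.html - DIRECT/5.6.7.8 text/html
1136534402.789    180 10.1.4.17 TCP_MISS/404 412 GET http://people.freenet.de/~user2/data.bin - DIRECT/1.2.3.9 text/html
1136534403.001    120 10.1.9.3 TCP_MISS/200 2211 GET http://scifi.pages.at/page.html - DIRECT/9.8.7.6 text/html
1136534404.555     60 10.1.4.22 TCP_MISS/200 900 GET http://pages.at/ - DIRECT/9.8.7.7 text/html
"""

# timestamp, elapsed, client, result/status, bytes, method, URL; the rest of
# the line (peer info, content type) is not needed here.
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def url_host(url):
    """Return the lower-cased hostname of a URL, or None if unparseable.

    Squid logs CONNECT requests as host:port with no scheme, so a scheme is
    prepended in that case before parsing.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.hostname


def find_sober_contacts(log_text, targets=SOBER_TARGET_HOSTS):
    """Map each client IP to a list of (timestamp, host, url) requests that
    went to one of the target hosts. Lines that do not parse are skipped."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue
        host = url_host(m.group("url"))
        if host in targets:
            hits[m.group("client")].append((m.group("ts"), host, m.group("url")))
    return dict(hits)


def suspect_hosts(log_text, targets=SOBER_TARGET_HOSTS):
    """Sorted (client IP, number of matching requests) pairs for triage."""
    hits = find_sober_contacts(log_text, targets)
    return sorted((ip, len(reqs)) for ip, reqs in hits.items())


if __name__ == "__main__":
    for ip, count in suspect_hosts(SAMPLE_PROXY_LOG):
        print(f"{ip}: {count} request(s) to advisory-listed hosts")
    for ip, reqs in find_sober_contacts(SAMPLE_PROXY_LOG).items():
        for ts, host, url in reqs:
            print(f"  {ip} {ts} {host} {url}")
```

A match is a lead for the triage the advisory recommends (scan the host with the Malicious Software Removal Tool or Safety.live.com), not proof of infection on its own; the listed hosts also serve ordinary pages, so the client should be checked rather than blocked blindly. Feeding the functions a real access.log instead of the sample only requires reading the file into `log_text`.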
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-075: Vulnerability in Windows Kernel
Q-076: Sober.X (Y) To Download New Code On or After Jan. 6
Q-077: Citrix Vulnerability in Program Neighborhood Client
Q-078: cURL Security Update
Q-079: HP-UX Running Software Distributor Remote Unauthorized Access
Q-081: netpbm Security Update
Q-082: perl Security Update
Q-083: perl Security Update for Red Hat (v.3)
Q-084: Cisco Security Notice: Response to DoS in Cisco Clean Access
Q-085: Microsoft Windows Metafile File (WMF) Vulnerability