DrWeb Anti virus proactively detected new Sober

Released on = November 24, 2005, 11:50 pm

Press Release Author = Doctor Web, Ltd.

Industry = Software

Press Release Summary = Thanks to the special implementation of the Dr.Web virus
base, in which a single entry can detect tens, hundreds, or even thousands of
similar viruses, registered users of our program were completely protected
against this new worm BEFORE it was even written and BEFORE the epidemic outbreak.

Press Release Body = Let us imagine you received a message. This time it does not ask
you to have a look at spicy pictures - you are already wise and never open such
attachments. The message reads:

From: Post@fbi.gov
Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.
Important:
Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison
*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000

Yes, it really looks like a message from the FBI. Or the CIA - variants are possible.
The sender's address "undoubtedly" points to one of these governmental organizations:
BKA@bka.bund.de - German police
Department@cia.gov - CIA
Post@fbi.gov - FBI

What is your first reaction? Right - fear, and a keen desire to open the attachment
to see what serious people from more than serious organizations are interested in.
And that is the trap! The social engineering trick hits the nail on the head, just as
planned by the author of the new Sober worm (classified by the Dr.Web Anti-virus
as Win32.HLLM.Generic.355). As alike as peas in a pod with most other variants,
this time it is distributed under the excellent cover of the FBI or CIA.

Thanks to the special implementation of the Dr.Web virus base, in which a single
entry can detect tens, hundreds, or even thousands of similar viruses, registered
users of our program were completely protected against this new worm BEFORE it was
even written and BEFORE the epidemic outbreak. This is also confirmed by the latest
investigation by a well-known AV tester from Magdeburg, Germany - Andreas Marx. In
his latest test of the response speed of AV vendors to the outbreak of the new
Internet worm, Dr.Web was among the few antivirus programs that could PROACTIVELY
- i.e. without the release of a new virus definition to the base - detect the new
threat.

At present, this variant of the malicious code prevails in messages stopped by the
Dr.Web anti-virus filters at the mail servers of our users. Its share of the infected
traffic exceeds 33 per cent. The top ten viruses are as follows:

Win32.HLLM.Generic.355 33.63%
Win32.HLLM.Beagle.9219 11.62%
Win32.HLLM.MyDoom.based 10.32%
Win32.HLLM.Netsky.35328 9.35%
Win32.HLLM.MyDoom 7.59%
Win32.HLLM.Beagle 7.39%
Win32.HLLM.Netsky.based 5.21%
Win32.HLLM.Netsky 2.65%
Win32.HLLM.MyDoom.33808 1.64%
Win32.HLLM.MyDoom.44 1.53%



Web Site = http://www.drweb.com

Contact Details = Lucia Gourtovaya
lg@drweb.com
