F-Secure has cracked the algorithm the latest Sober.Y virus variant uses to update itself. The virus, also known as Sober.X@mm, is programmed to search for updates on specific dates and at what appear to be pseudo-random website locations. The locations are always free Web hosting websites, predetermined by the virus author. These locations are all currently inactive and are set up by the author just before the target date. F-Secure has provided a list of those locations so that security administrators can block access to them before the worm strikes again.
The virus will next update itself on January 5, 2006 using a list of fifteen different web locations. It will then try again on January 6, using a fresh set of fifteen websites to look for updates. LURHQ provides some additional analysis of these dates.
It has been widely reported that earlier Sober variants have been spreading Nazi propaganda. iDefense provides additional details indicating the significance of this date and the political agenda the virus author is trying to push.
The Sober virus accounted for 42.9% of all viruses reported to anti-virus firm Sophos in November. Similarly, F-Secure reports that the Sober virus still accounts for more than 40% of all viruses they see today, dwarfing the next most prolific virus - variants of the Mytob worm.
Sober was first discovered in October 2003. Now with more than twenty variants, it continues to innovate and infect a very large number of users. The virus uses NTP for its clock to ensure its updates are done at the same time worldwide, regardless of the user's individual clock settings. Several anti-virus companies consider Sober to be the most prolific virus family (in the form of an email worm) of 2005.
Posted by: Kelly Martin