
Sober worm triggering network virus detection

Status
Not open for further replies.

mikestl

Technical User
Oct 17, 2003
32
US
I have recently upgraded to Trend Micro's Client Server Security for SMB 3.0. Over the last couple of days its network virus scanner has been detecting worm_sober.ag being sent from our mail server's internal IP to various external IPs on the internet (some IPs for hotmail.com, etc.). However, real-time and manual scanning is not detecting any virus resident on our mail server. I called Trend Micro and they didn't offer any helpful advice other than the basic "how to manually scan your computer" line. I know we are getting quite a volume of Sober worm e-mails. My first guess would be that our server is bouncing back NDRs for some of these e-mails coming in and these NDRs are triggering Trend's network virus scan. Anyone have any experience with this or any ideas on the subject? Thanks!

Mike
 
Hi Mike,

I have noted two workstations (laptops) on our network which are continually showing up in firewall logs - being blocked, thankfully. They are both attempting to connect outbound to some specific IPs on port 37.

A quick google of port 37, and a quick review of the IPs they are trying to connect to, and I am 99% certain I have some sort of sober variant.

According to googled sources, the worm attempts to make an outbound connection on port 37 to a virus server to download the full trojan.

Natively, the laptops both run Norton (one 2004, the other 2005). Both scanners report a corrupted install. I have used specific Symantec and McAfee s_t_i_n_g_e_r.exe etc. to try and detect the worm, to no avail.

I am considering a full format as it only appears to be two infected machines.

Do you think it would be possible that your 'network virus scanner' is using heuristics to detect the worm, while the standalone scanner is relying on its signature database? The idea being that the new variant is not in the db??

Curious if anyone has any ideas to what should be done, and what they would do in my boots.

Thanks - Chris.
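The firewall-log pattern Chris describes (internal hosts repeatedly attempting outbound connections on TCP port 37), turned into a small triage script. This is an added example, not code from the thread; it assumes a constructed key=value log format and the RFC 1918 ranges as "internal", and flags the source hosts that warrant a closer look rather than declaring them infected.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in a generic key=value firewall-log style (an assumed format,
# not any particular product's): two laptops repeatedly try outbound TCP/37 and are blocked.
SAMPLE_LOG = """\
2005-11-22 09:01:12 action=block proto=tcp src=192.168.1.45 spt=1043 dst=203.0.113.10 dpt=37
2005-11-22 09:01:40 action=block proto=tcp src=192.168.1.45 spt=1044 dst=203.0.113.10 dpt=37
2005-11-22 09:02:05 action=allow proto=tcp src=192.168.1.45 spt=1045 dst=198.51.100.7 dpt=80
2005-11-22 09:03:17 action=block proto=tcp src=192.168.1.77 spt=2310 dst=203.0.113.22 dpt=37
2005-11-22 09:03:50 action=block proto=tcp src=192.168.1.77 spt=2311 dst=203.0.113.10 dpt=37
2005-11-22 09:04:02 action=allow proto=udp src=192.168.1.90 spt=123 dst=198.51.100.9 dpt=123
"""

LINE_RE = re.compile(
    r"^\S+ \S+ action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) spt=\d+ dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$"
)
# RFC 1918 ranges; adjust to the site's own addressing.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)


def find_port37_callers(log_text, min_attempts=2):
    """Group outbound TCP/37 attempts (internal -> external) by source host.

    Returns {src: {"attempts": n, "blocked": n_blocked, "dsts": [dst, ...]}} for sources
    with at least min_attempts hits. TCP/37 is also the legacy Time protocol (RFC 868),
    so review the destination list before treating a host as infected.
    """
    hits = defaultdict(lambda: {"attempts": 0, "blocked": 0, "dsts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "tcp" or m["dpt"] != "37":
            continue  # unparseable line or not a TCP/37 connection
        if not is_internal(m["src"]) or is_internal(m["dst"]):
            continue  # only internal -> external traffic is of interest here
        h = hits[m["src"]]
        h["attempts"] += 1
        h["blocked"] += m["action"] == "block"
        h["dsts"].add(m["dst"])
    return {src: {**h, "dsts": sorted(h["dsts"])}
            for src, h in hits.items() if h["attempts"] >= min_attempts}
```

Point the script at the real firewall export (after adjusting `LINE_RE` to its format) and cross-check the reported hosts against the scanner results on those machines.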
 
I too am having Sober blocked by the network virus wall - but what I was worried about was that one or two Sober viruses HAVE been detected inside the network.

I am confident that the NVW is correctly spotting Sober and blocking it - in the way I have things set I would expect Sober not to get into the network as its packets are stopped.

I am hazarding a guess that some of my users have brought it in from home by using personal email on their laptops when out of the protected network. I am also wondering if NVW only recognises some variants.
 