NEWS FROM THE LAB - Monday, January 9, 2006

Situation calm. For a change.

Posted by Mikko @ 05:13 GMT

The Sober download sites are still empty. Great.

When the Sober.y download deadline passed on January 6th, all infected machines started download attempts from the five different sites. At the same time, the virus stopped emailing itself around.

As a result, the virus that had held the #1 position in virus stats since November 2005 just disappeared from the stats.


There are still at least tens of thousands of infected machines out there. They just aren't spreading the virus further: they're just trying to download and run a mystery file - which isn't there to be downloaded.

How to locate and shut down all these infections? ISPs are in a key position.

ISPs: we urge you to check your user traffic patterns. Locate the users that produce an unusually large number of constant hits to people.freenet.de, scifi.pages.at, home.pages.at, free.pages.at and home.arcor.de. Contact these users and let them know they are most likely infected with Sober and should clean up their act. If you'd like to do this but don't feel like making tons of phone calls, you can automate processes like these with our Network Control appliance.
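One way to run the traffic check described above over proxy or DNS logs, as an added example that is not part of the original post or any F-Secure tool. The log format (`epoch client host`), the function names and the thresholds are assumptions; requiring hits in several separate hours is how this sketch approximates "constant" and separates a polling machine from a person browsing one of these hosting sites.

```python
from collections import defaultdict

# Hostnames named in the post as the Sober.y download sites.
SOBER_HOSTS = {
    "people.freenet.de", "scifi.pages.at", "home.pages.at",
    "free.pages.at", "home.arcor.de",
}

def find_suspects(log_lines, min_hits=20, min_buckets=4, bucket_secs=3600):
    """Return {client: (hits, active_buckets)} for clients whose requests to
    SOBER_HOSTS are numerous AND spread over many time buckets."""
    hits = defaultdict(int)
    buckets = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        ts, client, host = parts
        try:
            ts = int(ts)
        except ValueError:
            continue  # skip records with a non-numeric timestamp
        if host.lower().rstrip(".") not in SOBER_HOSTS:
            continue
        hits[client] += 1
        buckets[client].add(ts // bucket_secs)
    return {
        c: (n, len(buckets[c]))
        for c, n in hits.items()
        if n >= min_hits and len(buckets[c]) >= min_buckets
    }

def sample_log():
    """Constructed sample data: one steady poller, one short burst, noise."""
    base = 1136764800  # 2006-01-09 00:00:00 UTC
    hosts = sorted(SOBER_HOSTS)
    # 10.0.0.5: one request every 10 minutes for 6 hours, rotating over hosts
    lines = [f"{base + i * 600} 10.0.0.5 {hosts[i % 5]}" for i in range(36)]
    # 10.0.0.9: 25 hits inside a single hour (ordinary browsing of one site)
    lines += [f"{base + i * 60} 10.0.0.9 home.arcor.de" for i in range(25)]
    lines += [f"{base} 10.0.0.7 www.example.com", "garbage line"]
    return lines

if __name__ == "__main__":
    for client, (n, b) in find_suspects(sample_log()).items():
        print(f"{client}: {n} hits across {b} hourly buckets")
```

Tune `min_hits`, `min_buckets` and `bucket_secs` against your own baseline traffic to these hosts before contacting anyone.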