<<<
NEWS FROM THE LAB - Tuesday, May 3, 2005
>>>
 

 
Sober Agent Posted by Mikko @ 17:25 GMT

The Sober variant we alerted on last night is still spreading...although not enough to get a Radar Level 1 rating.

One example of a mail Sober.P might send is a German message promising free tickets to the soccer world championships. The ticket sales for the next World cup were opened on Monday - the same day the virus was released. Here's what these viral emails looked like:

  From: Ticket@fifa.de
  Subject : WM-Ticket-Auslosung
  
  Herzlichen Glueckwunsch,
  
  beim Run auf die begehrten Tickets f�r die 64 Spiele der
  Weltmeisterschaft 2006 in Deutschland sind Sie dabei.
  
  Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.
  
  Ihr "ok2006" Team
  St. Rainer Gellhaus
  
  --- FIFA-Pressekontakt:
  --- Pressesprecher Jens Grittner und Gerd Graus
  --- FIFA Fussball-Weltmeisterschaft 2006
  --- Organisationskomitee Deutschland
  --- Tel. 069 / 2006 - 2600
  --- Jens.Grittner@ok2006.de
  --- Gerd.Graus@ok2006.de
  
  Attachment: Fifa_Info-Text.zip


fifa.com screenshot
In fact, the F�d�ration Internationale de Football Association has put out a public warning on this. Because of the Sober emails overloading the systems, FIFA organizers were unable to receive or send normal e-mails according to vice president Wolfgang Niersbach.

Another recent development that has been getting some attention lately has been the Agent.aa trojan (aka Trojan-PSW.Win32.Agent.aa or Bancos.NL). As many bank trojans, this one starts logging user keypresses and making screenshots when infected user enters specific websites.

What sets this one apart though is the sheer size of the list of banks: 2764 different sites from over 100 different countries are targeted! The full list is available here.

Do note that it doesn't automatically mean that the customers of listed banks are affected. Many online banks use proper one-time password authentication schemes, and are thus not in danger of someone stealing access to accounts. The attacker might still see confidential information though.