F-secure list of sober virus urls



When the news was first out that an antivirus firm (f-secure) had cracked the psuedo-random algorithm that the sober worm uses to determine where to download “updates” from, they said that they had previously notified German authorities where the free hosting sites were located so that they could deal with the sites. I did find that they have announced a list of the addresses for the January 5th update (and the January 6th as well.)


Great to see this information released. They’ve left out the filename, but I’ll reproduce the list here…

http://people.freenet.de/gixcihnm/
http://people.freenet.de/tobtrfjabzw/
http://people.freenet.de/utzmfucaau/
http://people.freenet.de/phyibrpkcpl/
http://people.freenet.de/lhxrdryo/
http://people.freenet.de/yediykdq/
http://people.freenet.de/bjjhdkybpyaj/
http://scifi.pages.at/agzytvfbybn/
http://home.pages.at/bdalczxpctcb/
http://free.pages.at/ftvuefbumebug/
http://home.arcor.de/ijdsqkkxuwp/
http://home.arcor.de/ldhdytdu/
http://home.arcor.de/wdqodvdhwwese/
http://home.arcor.de/frweemrecuvw/

http://home.arcor.de/nulmjznomnt/

The above addresses are due to be used for the January 5th download, the following list will be those used on January 6th…

http://people.freenet.de/mookflolfctm/
http://people.freenet.de/aohobygi/
http://people.freenet.de/wlpgskmv/
http://people.freenet.de/svclxatmlhavj/
http://people.freenet.de/jpjpoptwql/
http://people.freenet.de/iohgdhkzfhdzo/
http://people.freenet.de/eetbuviaebe/
http://scifi.pages.at/vvvjkhmbgnbbw/
http://home.pages.at/twfofrfzlugq/
http://free.pages.at/sfhfksjzsfu/
http://home.arcor.de/qlqqlbojvii/
http://home.arcor.de/fulmxct/
http://home.arcor.de/fowclxccdxn/
http://home.arcor.de/lnzzlnbk/

http://home.arcor.de/rprpgbnrppb/

After that the list is expected to change every 14 days. The virus syncs the systems time so that it does know the correct date and time. (NTP? via the atomic clocks?)

So, if your a system administrator and can block urls on your network – this might be a good batch to add to your list.

Related Posts

Blog Traffic Exchange Related Posts
  • New Sober variants.. Ok - there are some new variants on the Sober worm circulating. I received one on an address that's unfiltered (no virus/spam filtering) and must say, I can see people being duped into looking at the attachment. Sans has a post on it.. Sarc is calling it W32sober.x@mm and rates......
  • Trojan horse proxy.ahiy and AVG A lot of people seem to be reporting today that AVG is finding files to be infected with trojan horse proxy.ahiy or trojan horse proxy ahiy. From what I've seen, although that may be a valid virus designation from AVG, they are also reporting many legitimate files as this trojan......
  • How to Remove Anti-Virus Elite | Anti-Virus Elite Removal Guide Anti-Virus Elite is a rogue antivirus application. These rogue antivirus applications pose as a legitimate security application, but in reality is a scam to try to trick you out of money. They will find and claim that there are multiple security problems with your computer. They will claim that you......
Blog Traffic Exchange Related Websites
PDF24    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site