W32.Sober.c1 Removal

  • Thread starter: Wim Hamhuis

Wim Hamhuis

When you clicked an e-mail with this virus, your PC is automatically
infected because the MIME/Exploit is programmed into this little piece of
shit.

What you have to do is :

=> Scan your computer with Antivirus, for resolving the name of the virus.
=> Delete the e-mail (Mostly in german)
=> Empty the recycle bin
=> go to www.symantec.com and download the Fixtool for W32.Sober.C1 (or the
found virus) into desktop
=> turn off your PC 30 sec and restart into safe mode (F5)
=> turn off system-restore
=> run the tool
=> turn on system restore
=> Restart your computer

Some viruses need a different approach. You can find the removal tips on
this website.
Then you have effectively removed this crap from your PC.
Good luck.
 
Wim Hamhuis said:
When you clicked an e-mail with this virus, your PC is automatically
infected because the MIME/Exploit is programmed into this little piece of
shit.

I didn't see anything in the descriptions of this worm that indicated
autoexecution exploits (w32.sober.c@mm), only socially engineered
clickhappiness. Couldn't read anything about w32.sober.c1@mm
at all (seems not to be in English).

Can you post a URL describing this aspect?
I'll try out some online translation services.
 
FromTheRafters said:
I didn't see anything in the descriptions of this worm that indicated
autoexecution exploits (w32.sober.c@mm), only socially engineered
clickhappiness. Couldn't read anything about w32.sober.c1@mm
at all (seems not to be in English).

Can you post a URL describing this aspect?
I'll try out some online translation services.

Ok, the antivirus is from : www.free-av.com
[Don't forget to update in time]
It detects w32.Sober.C1 but then the computer "hanged" i.e. it
[possibly the virus] blocked the keyboard from managing the
interpreter.
This is my first suspicion. Anyway I had to restart my computer.
Then I had to restart the computer, which I'm not fond of doing due to the
damage computer viruses could inflict. So I restarted it in "safe mode"
(with F5) to prevent any registry entries from executing.
Then I turned "System restore" off.
I could download the fixtool, then I got rid of it.
Then I turned "System restore" back on again.
But ...
When I clicked the e-mail to delete it, it reinfects the computer
automatically. Then I deleted it from the recycle bin.
I started the process all over again,
then the virus was definitely removed.

with friendly greetings,
Wim Hamhuis
 
Quoth the raven named WimHamhuis:

Your email client is OE?

But ... When I clicked the e-mail to delete it, it
reinfects the computer automatically.

Turn off the Preview Pane, which is the same as opening the email.

Further, set the options to read mail in Plain Text only. Set all the
available options to high security. In IE as well.
 
WimHamhuis said:
FromTheRafters said:
I didn't see anything in the descriptions of this worm that indicated
autoexecution exploits (w32.sober.c@mm), only socially engineered
clickhappiness. Couldn't read anything about w32.sober.c1@mm
at all (seems not to be in English).

Can you post a URL describing this aspect?
I'll try out some online translation services.

Ok, the antivirus is from : www.free-av.com
[Don't forget to update in time]

Thanks for reminding me, my last update for my NAV 5.0
was September 11 2003. ;o)

It detects w32.Sober.C1 but then the computer "hanged" i.e. it
[possibly the virus] blocked the keyboard from managing the
interpreter.

Hmmm.

This is my first suspicion. Anyway I had to restart my computer.
Then I had to restart the computer, which I'm not fond of doing due to the
damage computer viruses could inflict. So I restarted it in "safe mode"
(with F5) to prevent any registry entries from executing.
Then I turned "System restore" off.
I could download the fixtool, then I got rid of it.
Then I turned "System restore" back on again.
But ...
When I clicked the e-mail to delete it, it reinfects the computer
automatically.

Reinfected, or only re-scanned and re-alerted to the fact that
the e-mail attachment was malicious. Many AV programs
won't differentiate between active and inactive detections,
they just say "infected with" <some malware name> "virus"
even if the beast never executed on the machine (or is indeed
even a virus).

Then I deleted it from the recycle bin.
I started the process all over again,
then the virus was definitely removed.

It still may not have been an autoexecuting malware, but
thanks for the additional information about your experience
with it.
 
FromTheRafters said:
WimHamhuis said:
FromTheRafters said:
When you clicked an e-mail with this virus, your PC is automatically
infected because the MIME/Exploit is programmed into this little piece of
shit.

I didn't see anything in the descriptions of this worm that indicated
autoexecution exploits (w32.sober.c@mm), only socially engineered
clickhappiness. Couldn't read anything about w32.sober.c1@mm
at all (seems not to be in English).

Can you post a URL describing this aspect?
I'll try out some online translation services.

Ok, the antivirus is from : www.free-av.com
[Don't forget to update in time]

Thanks for reminding me, my last update for my NAV 5.0
was September 11 2003. ;o)

It detects w32.Sober.C1 but then the computer "hanged" i.e. it
[possibly the virus] blocked the keyboard from managing the
interpreter.

Hmmm.

This is my first suspicion. Anyway I had to restart my computer.
Then I had to restart the computer, which I'm not fond of doing due to the
damage computer viruses could inflict. So I restarted it in "safe mode"
(with F5) to prevent any registry entries from executing.
Then I turned "System restore" off.
I could download the fixtool, then I got rid of it.
Then I turned "System restore" back on again.
But ...
When I clicked the e-mail to delete it, it reinfects the computer
automatically.

Reinfected, or only re-scanned and re-alerted to the fact that
the e-mail attachment was malicious.

No, as I stated it. The virus was present in memory after I deleted
the complete e-mail, put it in the wastebasket and emptied the
wastebasket. Then I had to use the fixtool again :( This could be
possible due to the fact the MIME/Exploit was programmed into the
virus itself because I have an updated system.

Many AV programs
won't differentiate between active and inactive detections,
they just say "infected with" <some malware name> "virus"
even if the beast never executed on the machine (or is indeed
even a virus).

After you find the name of the virus, download the fixtool with the
name of this virus. A computer virus scanner can only detect viruses,
but can't remove them (mostly)

It still may not have been an autoexecuting malware, but
thanks for the additional information about your experience
with it.

Well, what do you think? When Microsoft replaced the code which was
responsible for the MIME/Exploit, why should some virus programmers
introduce this old code in the virus itself. It's a good thing some
virus scanners check emails before they are sent from a server.

With friendly greetings,
Wim Hamhuis
 
WimHamhuis said:
No, as I stated it.

Didn't mean to doubt your word, it is just that many people
misunderstand what their AV program is telling them. If they
clean an actual infection and then revisit the source of the
exposure to that infection, they assume that they have been
reinfected rather than just reexposed.

The virus was present in memory after I deleted
the complete e-mail, put it in the wastebasket and emptied the
wastebasket. Then I had to use the fixtool again :(

The malware should be made inactive prior to cleaning so that
it won't follow the broom with a bucket of new dirt.

This could be
possible due to the fact the MIME/Exploit was programmed into the
virus itself because I have an updated system.

For the exploit to work, the vulnerability must be present. The
malware doesn't carry the vulnerability within, only the exploit.

Many AV programs

After you find the name of the virus, download the fixtool with the
name of this virus. A computer virus scanner can only detect viruses,
but can't remove them (mostly)

Some do very well at the removals too, but not all.

Well, what do you think? When Microsoft replaced the code which was
responsible for the MIME/Exploit, why should some virus programmers
introduce this old code in the virus itself.

I am not familiar with any malware that "unpatches" vulnerabilities
previously patched, although I feel that this is not beyond the realm
of possibility. However, an initial run of the malware must not use
the vulnerability (how could it?) and the revisiting of the exposure
would indeed reinfect automatically as you suggest.

Have you any corroboration that this is indeed the case here?

It's a good thing some
virus scanners check emails before they are sent from a server.

The initial execution of the malware (not using the exploit) must
have the code with which to trojanize (unpatch) the mail program.
The autoexecution is done locally, so the mail server's AV has no say
in the matter. If the malware uses the Incorrect MIME type exploit
code, it risks being detected on that point alone at the server level.
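
The last point in the thread, that a message relying on the incorrect MIME type trick can be caught at the server on that mismatch alone, can be sketched as a gateway-side check. This is an added example, not code from any poster in this thread; the extension list, the set of inline-rendered types and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy

# Extensions Windows runs directly (illustrative list, an assumption of this example).
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}
# Top-level types a mail client renders inline without prompting (assumption).
INLINE_RENDERED = {"audio", "image", "video", "text"}

# Constructed sample message; both attachment bodies are a harmless placeholder.
SAMPLE = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hello.
--b1
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="readme.exe"

cGxhY2Vob2xkZXI=
--b1
Content-Type: application/octet-stream; name="tool.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="tool.exe"

cGxhY2Vob2xkZXI=
--b1--
"""

def find_mime_mismatches(raw: bytes):
    """Return (filename, declared_type) for parts that declare a harmless
    inline media type but carry an executable filename."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition filename, else Content-Type name
        if not name:
            continue
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTS and part.get_content_maintype() in INLINE_RENDERED:
            hits.append((name, part.get_content_type()))
    return hits

if __name__ == "__main__":
    for name, ctype in find_mime_mismatches(SAMPLE):
        print(f"suspicious part: {name!r} declared as {ctype}")
```

The honestly labelled `tool.exe` part is not flagged by this check; blocking executable attachments outright is a separate gateway policy.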
 