W32/Sober-N is a mass-mailing worm which sends itself to addresses harvested from the infected computer.
The email sent by W32/Sober-N depends on the recipient address. Recipients whose email address is in the .de, .ch, .at or .li domains, or contains the string "gmx.", receive an email as follows:
Subject line:
Ihr Passwort
Mail-Fehler!
Ihre E-Mail wurdeverweigert
Ich bin's, was zum lachen :)
Glueckwunsch: Ihr WM Ticket
WM Ticket Verlosung
WM-Ticket-Auslosung
Ich habe Ihre E-Mail bekommen!
Message text:
Herzlichen Glueckwunsch,
Passwort und Benutzer-Informationen befindensich in der beigefuegten Anlage.
Diese E-Mail wurde automatisch erzeugt
Mehr Information finden Sie unter <URL>
Folgende Fehler sind aufgetreten:
Fehler konnte nicht Explicit ermittelt werden
End Transmission
Aus Datenschutzrechtlichen Gruenden, muss die vollstaendige E-Mail incl. Daten gezippt & angehaengt werden.
Wir bitten Sie, dieses zu beruecksichtigen.
Nun sieh dir das mal an!
--- FIFA-Pressekontakt:
beim Run auf die begehrten Tickets fnr die 64 Spiele der Weltmeisterschaft 2006 in Deutschland sind Sie dabei.
Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.
Mail-Scanner: Es wurde kein Virus festgestellt,AntiVirus: Kein Virus gefunden,AntiVirus-
System: Kein Virus erkannt
Attached file:
Fifa_Info-Text.zip
okTicket-info.zip
our_secret.zip
The attached filenames may contain an optional prefix of "error-" or an optional suffix of "-Text" followed by the ZIP extension. Example: our_secret-Text.zip
Email sent to other addresses will have the following characteristics:
Subject line:
mailing error
Registration Confirmation
Your email was blocked
Your Password
Message text:
This is an automatically generated E-Mail Delivery Status Notification.
Mail-Header, Mail-Body and Error Description are attached
(See attached file: <zip file name>)
Account and Password Information are attached!
Visit: <URL>
*** AntiVirus: No Virus found
*** "<vendor name>" Anti-Virus
*** <vendor url>
(See attached file: <zip file name>)
Account and Password Information are attached!
Visit: <URL>
(See attached file: <zip file name>)
Account and Password Information are attached!
Visit: <URL>
*** Server-AntiVirus: No Virus (Clean)
*** "<vendor name>" Anti-Virus
*** <vendor url>
(See attached file: <zip file name>)
ok ok ok,,,,, here is it
*** AntiVirus: No Virus found
*** "<vendor name>" Anti-Virus
*** <vendor url>
(See attached file: <zip file name>)
Attached file:
mail_info.zip
account_info.zip
our_secret.zip
The attached filenames may contain an optional prefix "error-" or an optional suffix "-text" followed by the ZIP file extension.
The ZIP file will contain an executable file named Winzipped-Text_Data.txt<spaces>.pif
The From address line will be faked.
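The following is an added example, not part of the original description or of any vendor's tooling: a mail-gateway style check for the attachment naming scheme and the space-padded .pif member described above. It generalizes the padded-extension test from .pif to other executable extensions. Treating "Fifa_Info" as a base name with an optional "-Text" suffix is an assumption, and the sample ZIP is constructed and harmless.

```python
import io
import re
import zipfile

# Attachment base names listed on this page (German and English variants).
# Assumption: "Fifa_Info-Text.zip" is the base "Fifa_Info" plus the optional suffix.
BASES = ("Fifa_Info", "okTicket-info", "our_secret", "mail_info", "account_info")
# Optional "error-" prefix, optional "-Text"/"-text" suffix, then .zip.
ATTACHMENT_RE = re.compile(
    r"^(?:error-)?(?:%s)(?:-text)?\.zip$" % "|".join(map(re.escape, BASES)),
    re.IGNORECASE,
)
# Decoy extension, a run of whitespace, then an executable extension.
# The page documents only ".txt<spaces>.pif"; the other extensions generalize it.
PADDED_EXT_RE = re.compile(r"\.\w{1,5}\s+\.(?:pif|scr|exe|com|bat|cmd)$", re.IGNORECASE)


def attachment_name_matches(filename):
    """True if the attachment name fits the naming scheme described on this page."""
    return ATTACHMENT_RE.match(filename) is not None


def padded_members(zip_bytes):
    """Return ZIP member names that hide an executable extension behind spaces."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
            return [n for n in archive.namelist() if PADDED_EXT_RE.search(n)]
    except zipfile.BadZipFile:
        return []  # not a readable ZIP; leave it to other gateway checks


def triage(filename, zip_bytes):
    """Collect the reasons an attachment should be quarantined for review."""
    reasons = []
    if attachment_name_matches(filename):
        reasons.append("attachment name matches Sober-N pattern")
    for member in padded_members(zip_bytes):
        reasons.append("padded double extension: %r" % member)
    return reasons


def build_sample_zip(member_name):
    """Build a harmless in-memory ZIP (constructed test data, no malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip("Winzipped-Text_Data.txt" + " " * 40 + ".pif")
    for reason in triage("error-our_secret-Text.zip", sample):
        print(reason)
```

The member-name check is the more durable of the two signals, since the attachment names are a short fixed list while the padded extension is what hides the .pif from the recipient.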
[Image: A typical email sent by the Sober-N worm.]
W32/Sober-N attempts to disable anti-virus products. When it does so, the worm may display a message box containing the following text:
No Viruses, Trojans or Spyware found!
Status: OK
[Image: The Sober-N worm can display a message box.]
W32/Sober-N also attempts to delete files relating to Symantec Live Update.