W32/Sober-G

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Many Reports


W32/Sober-G is a mass-mailing worm that sends itself to email addresses harvested from the infected computer. When run, it copies itself to the Windows system folder and sets the following registry entry so that the copy is started again at user logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
logcrypt = <path_to_exe>\<exename>.exe %1

When first run the worm displays a message box containing the following text:

Special -UnZip Data- Module is missing
Open with Notepad?

Messagebox displayed by W32/Sober-G

The worm creates a TXT file in the Temp folder and displays its contents using NOTEPAD.EXE. The text file begins with the text:

File not found
Special -UnZip Data- Module is missing
Open with Notepad?
Converted_
notepad

The worm copies itself to the Windows system folder as an EXE file with a name constructed from the following fragments:

sys, host, dir, expolrer, win, run, log, 32, disc, crypt, data, diag, spool, service, smss32

W32/Sober-G also creates the following files in the Windows system folder, which it uses to store harvested information:

bcegfds.lll
cvqaikxt.apk
datsobex.wwr
wincheck32.dats
winexpoder.dats
winzweier.dats
xdatxzap.zxp
zhcarxxi.vvx
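The registry entry, the fragment-built EXE name and the data files above can be checked mechanically. The script below is an added example and not Sophos code: it tests a directory listing and a set of RunOnce values against the indicators on this page. The listing and registry values (SAMPLE_SYSTEM_DIR, SAMPLE_RUNONCE, the file name winhostdir32.exe and its path) are constructed for the example; on a live host they would come from os.listdir() on the system folder and from the RunOnce key read with the standard-library winreg module.

```python
"""Host-side check for the W32/Sober-G artefacts described on this page.

Added example, not Sophos code. It works on plain Python data so it runs
offline: SAMPLE_SYSTEM_DIR and SAMPLE_RUNONCE below are constructed.
"""
import re

# Fragments the page says the dropped EXE name is built from.
NAME_FRAGMENTS = [
    "sys", "host", "dir", "expolrer", "win", "run", "log", "32",
    "disc", "crypt", "data", "diag", "spool", "service", "smss32",
]

# Data files the worm creates in the Windows system folder.
DATA_FILES = {
    "bcegfds.lll", "cvqaikxt.apk", "datsobex.wwr", "wincheck32.dats",
    "winexpoder.dats", "winzweier.dats", "xdatxzap.zxp", "zhcarxxi.vvx",
}

RUNONCE_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
RUNONCE_VALUE = "logcrypt"


def fragment_split(stem, fragments=NAME_FRAGMENTS):
    """Split `stem` into fragments from the list, or return None.

    Dynamic programming over prefixes; if several splits exist the one
    with the most pieces is kept.
    """
    stem = stem.lower()
    best = [None] * (len(stem) + 1)   # best[i]: split of stem[:i]
    best[0] = []
    for i in range(1, len(stem) + 1):
        for frag in fragments:
            j = i - len(frag)
            if j >= 0 and best[j] is not None and stem[j:i] == frag:
                cand = best[j] + [frag]
                if best[i] is None or len(cand) > len(best[i]):
                    best[i] = cand
    return best[len(stem)]


def scan_system_dir(listing, min_pieces=2):
    """Return (data files found, [(exe name, fragment split), ...])."""
    data_hits = sorted(f for f in listing if f.lower() in DATA_FILES)
    exe_hits = []
    for name in listing:
        stem, dot, ext = name.lower().rpartition(".")
        if dot and ext == "exe":
            split = fragment_split(stem)
            # A lone fragment such as "run.exe" is too generic to report.
            if split and len(split) >= min_pieces:
                exe_hits.append((name, split))
    return data_hits, exe_hits


def scan_runonce(values):
    """Return RunOnce values shaped like the worm's: logcrypt = <exe> %1."""
    hits = []
    for name, data in values.items():
        if name.lower() != RUNONCE_VALUE:
            continue
        m = re.fullmatch(r'"?(?:.*\\)?([^\\"]+)\.exe"?\s+%1', data, re.IGNORECASE)
        if m:
            hits.append((name, data, fragment_split(m.group(1))))
    return hits


# Constructed sample input: the worm-style names and the path are made up.
SAMPLE_SYSTEM_DIR = [
    "kernel32.dll", "notepad.exe", "smss.exe", "services.exe",
    "winhostdir32.exe",                     # fragment-built copy (made up)
    "bcegfds.lll", "winzweier.dats", "wincheck32.dats",
]
SAMPLE_RUNONCE = {
    "logcrypt": r"C:\WINDOWS\System32\winhostdir32.exe %1",   # made-up path
    "Updater": r"C:\Program Files\Updater\upd.exe",
}

if __name__ == "__main__":
    data_hits, exe_hits = scan_system_dir(SAMPLE_SYSTEM_DIR)
    print("data files:", data_hits)
    print("fragment-built EXEs:", exe_hits)
    print("RunOnce hits under", RUNONCE_KEY, ":", scan_runonce(SAMPLE_RUNONCE))
```

The fragment split is a heuristic: requiring at least two fragments keeps a lone run.exe or host.exe from being reported, but a hit still only says the name fits the pattern, so confirm the file with your scanner before removing it. The data-file names and the logcrypt value are exact-match indicators and are the stronger evidence.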

W32/Sober-G harvests email addresses from files with the following extensions:

PMR, STM, SLK, INBOX, IMB, CSV, BAK, IMH, XHTML, IMM, IMH, CMS, NWS, VCF, CTL, DHTM, CGI, PP, PPT, MSG, JSP, OFT, VBS, UIN, LDB, ABC, PST, CFG, MDW, MBX, MDX, MDA, ADP, NAB, FDB, VAP, DSP, ADE, SLN, DSW, MDE, FRM, BAS, ADR, CLS, INI, LDIF, LOG, MDB, XML, WSH, TBB, ABX, ABD, ADB, PL, RTF, MMF, DOC, ODS, NCH, XLS, NSF, TXT, WAB, EML, HLP, MHT, NFO, PHP, ASP, SHTML, DBX

Emails sent by the worm can be in either English or German.

The English language emails have the following characteristics:

Subject lines:

hi there
hey dude!
wazzup!!!
yeah dude :P
Details
Oh God i'ts
damn!
#
Registration confirmation
Confirmation
Your Password
Your mail account
Delivery failure notice
Faulty mail delivery
Mail delivery failed
Mailing Error
Illegal signs in E-Mail
Invalid mail length
Mail Delivery failure
mail delivery status
Warning!
error in dbase
DBase Error
ups, i've got your mail
Sorry, that's your mail
why do you do that?

Message texts:

I was surprised, too! :-( Who could suspect something like that?

All OK :) see, what i've found!

hi its me i've found a shity virus on my pc. check your pc, too! follow the
steps in this article. bye

I 've told you!:-) sometime I grab your passwords!

I hope you accept the result! Follow the instructions to read the message.
Please read the document

Registration confirmation
Confirmation
Your Password
Your mail account
Your password was changed successfully.
Protected message is attached.
++++ Service: http://www.
++++ Mail To: User-info

*** Auto Mail Delivery System ***
67.28.114.32_failed_after_I_sent_the_message./Remote_host_said
:_554_delivery_error:_dd_Sorry_your_message_cannot_be_delivered.
_This_account_has_been_disabled_ or_discontinued_[#102]._-_mta134.mail.dcn.com
** End of Transmission The original message is a separate attachment.
--- Web: http://www.
--- Mail To: UserHelp

Read the attachment for details.
Bad Gateway: The message has been attached.
+++ A service of +++ http://www. Mail

The attached file has a randomly generated name. Sometimes it will have a ZIP extension, but it can also arrive as an EXE file.
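The subject lines, body phrases and attachment types listed above can be turned into a simple mail triage rule. The script below is an added example and not Sophos code: it parses a raw message with the standard-library email package and reports which of the page's indicators it matches. Both sample messages, including the addresses, the boundary string and the attachment name ktdrzqop.zip, are constructed for the example.

```python
"""Mail-side triage for the W32/Sober-G lures listed on this page.

Added example, not Sophos code. SAMPLE_MESSAGE and BENIGN_MESSAGE are
constructed; the indicator lists are taken from the page.
"""
from email import policy
from email.parser import BytesParser

# Subject lines of the English-language variant, compared case-insensitively.
SUBJECTS = {s.lower() for s in (
    "hi there", "hey dude!", "wazzup!!!", "yeah dude :P", "Details",
    "Oh God i'ts", "damn!", "#", "Registration confirmation", "Confirmation",
    "Your Password", "Your mail account", "Delivery failure notice",
    "Faulty mail delivery", "Mail delivery failed", "Mailing Error",
    "Illegal signs in E-Mail", "Invalid mail length", "Mail Delivery failure",
    "mail delivery status", "Warning!", "error in dbase", "DBase Error",
    "ups, i've got your mail", "Sorry, that's your mail", "why do you do that?",
)}

# Distinctive phrases from the message bodies quoted above.
BODY_PHRASES = (
    "Who could suspect something like that?",
    "see, what i've found!",
    "i've found a shity virus on my pc",
    "sometime I grab your passwords!",
    "Follow the instructions to read the message.",
    "Your password was changed successfully.",
    "Protected message is attached.",
    "*** Auto Mail Delivery System ***",
    "The original message is a separate attachment.",
    "Bad Gateway: The message has been attached.",
)

# The page says the attachment arrives as a ZIP or an EXE under a random name.
ATTACHMENT_EXTENSIONS = {"zip", "exe"}


def triage(raw):
    """Return the list of indicators a raw message matches (empty = none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    subject = (msg["Subject"] or "").strip()
    if subject.lower() in SUBJECTS:
        hits.append("subject: " + subject)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    for phrase in BODY_PHRASES:
        if phrase.lower() in text:
            hits.append("body: " + phrase)
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in ATTACHMENT_EXTENSIONS:
            hits.append("attachment: " + filename)
    return hits


# Constructed lure in the shape of the "Auto Mail Delivery System" text above;
# the attachment is an empty ZIP, not worm code.
SAMPLE_MESSAGE = b"""\
From: UserHelp@example.test
To: someone@example.test
Subject: Delivery failure notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sober-example"

--sober-example
Content-Type: text/plain; charset="us-ascii"

*** Auto Mail Delivery System ***
** End of Transmission The original message is a separate attachment.

--sober-example
Content-Type: application/octet-stream; name="ktdrzqop.zip"
Content-Disposition: attachment; filename="ktdrzqop.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--sober-example--
"""

# Constructed ordinary message that should match nothing.
BENIGN_MESSAGE = b"""\
From: colleague@example.test
To: someone@example.test
Subject: Lunch?

See you at noon.
"""

if __name__ == "__main__":
    print("lure:", triage(SAMPLE_MESSAGE))
    print("benign:", triage(BENIGN_MESSAGE))
```

Subjects such as "Confirmation", "Warning!" or "Details" occur in plenty of legitimate mail, so a subject hit on its own should not quarantine anything; the combination of a listed subject or body phrase with a ZIP or EXE attachment is the signal worth acting on.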
