W32/Sober-S

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Sober-S is a mass-mailing worm.

The email sent by W32/Sober-S depends on the recipient address.

The email characteristics will be one of the following:

Subject line: Ihre eMail!

Message text:

Guten Tag,
Ok, hier haben Sie sie wieder zurueck!

Tabelle jemand schickte mir eine Mail mit einer Excel oder Access Tabelle (kenne mich da nicht so aus!).
Jedenfalls ist diese Mail aber an ihre Mail Adresse adressiert, aber zu meiner gekommen??? Ist wohl irgendein Fehler.

Attached file: Tabelle.zip

OR

Subject line: Your email

Message text:

Hello,
Sorry, sorry sorry, because,, my English is not the best!

ok, I've got an email with an Excel-Table. But I am not the recipient, the recipient are you!
I think, it's an mail error!
OK, here is your table back!
cya....

Attached file: excel_table.zip
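
The two message templates above can be checked at a mail gateway or over a mailbox export. The following is an added example, not part of the original description or any Sophos tool: it flags a message only when the subject and the attachment name form one of the two pairs listed above. The function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject -> attachment name, exactly as paired in the description above
# (compared case-insensitively).
SOBER_S_TEMPLATES = {
    "ihre email!": "tabelle.zip",
    "your email": "excel_table.zip",
}

def attachment_names(msg):
    """Lower-cased filenames of every MIME part that declares one."""
    names = []
    for part in msg.walk():
        name = part.get_filename()  # handles RFC 2231 / RFC 2047 encoded names
        if name:
            names.append(name.strip().lower())
    return names

def match_sober_s(raw_bytes):
    """Return the matching attachment name, or None if the message does not fit.

    The subject alone ("Your email") is far too common to alert on, so a hit
    requires the subject and the attachment name of the same template.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    # policy.default decodes RFC 2047 encoded-word subjects; collapse whitespace.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    expected = SOBER_S_TEMPLATES.get(subject)
    if expected and expected in attachment_names(msg):
        return expected
    return None

def sample_message(subject, filename):
    """Constructed test message; the attachment is placeholder bytes, not a sample."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("constructed body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="zip", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(match_sober_s(sample_message("Ihre eMail!", "Tabelle.zip")))
```

The subject match is exact after normalization, so replies or forwards that prefix the subject are not flagged.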

W32/Sober-S harvests email addresses from files with the following strings in their filenames:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

When W32/Sober-S is installed, the following files are created:

<Windows>\hjgerhds.exe
<Windows>\ConnectionStatus\Microsoft\services.exe

These files are detected as W32/Sober-S.

The following registry entries are created to run services.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinCheck
<Windows>\ConnectionStatus\Microsoft\services.exe

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
_WinCheck
<Windows>\ConnectionStatus\Microsoft\services.exe

W32/Sober-S creates the following files in the Windows system folder:

bbvmwxxf.hml
gdfjgthv.cvq
langeinf.lin
nonrunso.ber
rubezahl.rub
runstop.rst

These files may be deleted.
