Summary
| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | July 2005 (3.95) |
| Protection available since | 16 May 2005 11:46:45 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
and remove any reference to any file you deleted.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
and remove any reference to any file you deleted.
Close the registry editor.
More Information
Troj/Sober-Q is a mass mailing spamming Trojan for the Windows platform.
Some of the spam emails sent out by the Trojan can have the following subject lines:
'4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass'
'Auf Streife durch den Berliner Wedding'
'Auslaender bevorzugt'
'Deutsche Buerger trauen sich nicht ...'
'Auslaenderpolitik'
'Blutige Selbstjustiz'
'Dresden 1945'
'Gegen das Vergessen'
'Deutsche werden kuenftig beim Arzt abgezockt'
'Tuerkei in die EU'
'Vorbildliche Aktion'
'60 Jahre Befreiung: Wer feiert mit?'
'Multi-Kulturell = Multi-Kriminell'
'Turkish Tabloid Enrages Germany with Nazi Comparisons'
'The Whore Lived Like a German'
'Armenian Genocide Plagues Ankara 90 Years On'
'Schily ueber Deutschland'
Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against Troj/Sober-Q (detected as W32/Sober-Gen) since version 3.91.
The Trojan, once run, will create the folder %WINDOWS%\HELP\HELP. Troj/Sober-Q then attempts to copy itself to that folder as the following filenames:
csrss.ex
services.ex
smss.ex
Troj/Sober-Q then sets the following registry entries so as to run itself on user logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
_SystemBoot
%WINDOWS%\Help\Help\services.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemBoot
%WINDOWS%\Help\Help\services.exe
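The following audit script is an added example and is not part of the Sophos advisory. It reports, without changing anything, whether the dropped folder, the copied files and the Run entries listed above are present on a machine, covering both the HKLM key and every loaded user hive under HKEY_USERS, so that the Action section's removal steps can be applied to exactly the entries found. The file and value names come from this page; the assumption that the folder lives under $env:SystemRoot (the advisory's %WINDOWS%) is mine.

```powershell
# Added example (not from the Sophos advisory): read-only check for the
# Troj/Sober-Q persistence entries and dropped files described above.
# Assumes %WINDOWS% corresponds to $env:SystemRoot on this machine.

$windir   = $env:SystemRoot
$dropDir  = Join-Path $windir 'Help\Help'
$findings = @()

# 1. Dropped folder and copies (file names as listed in the advisory)
foreach ($name in 'csrss.ex', 'services.ex', 'smss.ex', 'services.exe') {
    $p = Join-Path $dropDir $name
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 2. Run keys: HKLM plus every loaded user hive (HKU\<SID>)
$runKeys = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip the provider's own metadata
        $val = [string]$prop.Value
        # Flag the advisory's value names, or any value whose data points into Help\Help
        if (($prop.Name -in '_SystemBoot', 'SystemBoot') -or ($val -match '\\Help\\Help\\')) {
            $findings += "Run entry: $key -> $($prop.Name) = $val"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Troj/Sober-Q indicators found.' }
```

Run it from an elevated prompt so that HKLM and the other users' hives are readable; any hit should be removed by hand following the Action section, after the registry backup it describes.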
The Trojan also creates a file Spammer.ReadMe.txt with the following contents:
"http://i-newswire.com/pr19707.html
http://www.ebcvg.com/press.php?id=965
Ich bin immer noch kein Spammer!
Aber sollte vielleicht einer werden :)
In diesem Sinne"
Spammer.ReadMe.txt is non-malicious and can be safely deleted.
Troj/Sober-Q harvests email addresses from files with the following extensions:
PMR STM SLK INBOX IMB CSV BAK IMH XHTML IMM IMH CMS NWS VCF CTL DHTM CGI PP PPT MSG JSP OFT VBS UIN LDB ABC PST CFG MDW MBX MDX MDA ADP NAB FDB VAP DSP ADE SLN DSW MDE FRM BAS ADR CLS INI LDIF LOG MDB XML WSH TBB ABX ABD ADB PL RTF MMF DOC ODS NCH XLS NSF TXT WAB EML HLP MHT NFO PHP ASP SHTML DBX
Email addresses retrieved by Troj/Sober-Q are stored in the created files SacriX.ggg and VonerX.von where X is a number. The file fastso.ber may also be created.
Troj/Sober-Q avoids sending email to addresses that contain any of the following strings:
ntp- ntp@ ntp. test@ @www @from. smtp- @smtp. gold-certs ftp. .dial. .ppp. anyone subscribe announce @gmetref sql. someone nothing you@ user@ reciver@ somebody secure whatever@ whoever@ anywhere yourname mustermann@ .kundenserver. mailer-daemon variabel noreply -dav law2 .sul.t- .qmail@ t-ipconnect t-dialin ipt.aol time freeav @ca. abuse winrar domain. host. viren bitdefender spybot detection ewido. emsisoft linux google @foo. winzip @example. bellcore. @arin mozilla iana@ iana- @iana @avp icrosoft. @sophos @panda @kaspers free-av antivir virus verizon. @ikarus. @nai. @messagelab nlpmail01. clock
The email sent by Troj/Sober-Q depends on the recipient address. The Trojan sends spam emails to recipients whose email address is in the .de, .ch, .at or .li domains or contains one of the following strings:
yahoo.com
yahoo.de
hotmail.com
hotmail.de
gmx.de
gmx.at
gmx.net
gmx.ch
