Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 19 April 2005 02:07:44 (GMT) |
| Last updated | 20 April 2005 01:16:16 (GMT) |
| Detected by | All Sophos products |
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action

Please follow the instructions for removing worms.
More Information
W32/Sober-M is a mass-mailing worm.
The email sent by W32/Sober-M depends on the recipient address. Recipients whose email address is in the .de, .ch, .at or .li domains, or contains the string "gmx.", receive an email with the following characteristics:
Subject line: FwD: Ich bin's nochmal
Message text:
Verdammt,,,,
ich hatte vergessen Dir meinen Text mitzuschicken.
Aber bitte nicht woanders darueber Reden, ich wuerde mich dann zu Tode blamieren!
Ich melde mich.
Bis bald ;)
Attached file: Private-Texte.zip
Emails sent to all other addresses have the following characteristics:
Subject line: I've_got your EMail on my_account!
Message text:
Hello,
First, Very Sorry for my bad English.
Someone is sending your private e-mails on my address.
It's probably an e-mail provider error!
At time, I've got over 10 mails on my account, but the recipient are you.
I have copied all the mail text in the windows text-editor for you & zipped then.
Make sure, that this mails don't come in my mail-box again.
bye
Attached file: your_text.zip
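The two lure emails described above can be matched at a mail gateway on their subject line and attachment name alone. The following is an added example (not Sophos code) of such a rule: it uses only the indicators listed in this description, the standard-library `email` parser, and three constructed sample messages (not captured worm traffic) to show a confirmed, a suspicious and a clean verdict.

```python
"""Mail-gateway detection rule for the two W32/Sober-M lure emails.

Added example, not Sophos code. Indicators (subject lines, attachment
names) are the ones given in the description; the messages below are
constructed samples for testing.
"""
from email import message_from_string
from email.header import decode_header, make_header
from email.message import Message

# (subject line -> attachment name) pairs from the description.
SOBER_M_LURES = {
    "FwD: Ich bin's nochmal": "Private-Texte.zip",
    "I've_got your EMail on my_account!": "your_text.zip",
}


def decode_subject(msg: Message) -> str:
    """Return the Subject with any RFC 2047 encoded words decoded."""
    raw = msg.get("Subject", "")
    return str(make_header(decode_header(raw))).strip()


def attachment_names(msg: Message) -> list[str]:
    """Collect the filenames of every attached MIME part."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify_message(raw_message: str) -> str:
    """Classify one RFC 822 message.

    confirmed  : subject is a known lure AND its paired attachment is present
    suspicious : only one of the two indicators is present
    clean      : neither indicator is present
    """
    msg = message_from_string(raw_message)
    subject = decode_subject(msg)
    names = attachment_names(msg)
    subject_hit = subject in SOBER_M_LURES
    attachment_hit = any(n in SOBER_M_LURES.values() for n in names)
    if subject_hit and SOBER_M_LURES[subject] in names:
        return "confirmed"
    if subject_hit or attachment_hit:
        return "suspicious"
    return "clean"


# Constructed sample resembling the German-language lure (body abbreviated).
SAMPLE_GERMAN_LURE = """\
From: someone@example.de
To: victim@example.de
Subject: FwD: Ich bin's nochmal
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sober-test"

--sober-test
Content-Type: text/plain; charset="us-ascii"

Verdammt,,,,
ich hatte vergessen Dir meinen Text mitzuschicken.

--sober-test
Content-Type: application/zip; name="Private-Texte.zip"
Content-Disposition: attachment; filename="Private-Texte.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--sober-test--
"""

# Constructed sample: English lure subject without the paired attachment.
SAMPLE_ENGLISH_SUBJECT_ONLY = """\
From: someone@example.com
To: victim@example.org
Subject: I've_got your EMail on my_account!
Content-Type: text/plain

Hello,
First, Very Sorry for my bad English.
"""

# Constructed sample: ordinary mail with an unrelated ZIP attachment.
SAMPLE_CLEAN = """\
From: colleague@example.org
To: victim@example.org
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="clean-test"

--clean-test
Content-Type: text/plain

Notes attached.
--clean-test
Content-Type: application/zip; name="notes.zip"
Content-Disposition: attachment; filename="notes.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--clean-test--
"""

if __name__ == "__main__":
    for label, sample in [("german lure", SAMPLE_GERMAN_LURE),
                          ("english subject only", SAMPLE_ENGLISH_SUBJECT_ONLY),
                          ("clean", SAMPLE_CLEAN)]:
        print(f"{label}: {classify_message(sample)}")
```

Subject lines are decoded before comparison because a gateway sees RFC 2047 encoded words, not the plain text shown in this description; a "suspicious" verdict is worth quarantining rather than discarding, since either indicator on its own can also occur in legitimate mail.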
W32/Sober-M harvests email addresses from files with the following strings in their filenames:
pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx
W32/Sober-M avoids sending email to addresses that contain any of the following strings:
@www @from. smtp- @smtp. ftp. .dial. .ppp. anyone @gmetref sql. someone nothing you@ user@ reciver@ somebody secure whatever@ whoever@ anywhere yourname mustermann@ mailer-daemon variabel noreply -dav law2 .qmail@ freeav @ca. abuse winrar domain. host. viren bitdefender spybot detection ewido. emsisoft linux @foo. winzip @example. bellcore. @arin @iana @avp icrosoft. @sophos @panda @kaspers free-av antivir virus verizon. @ikarus. @nai. @messagelab nlpmail01. clock
When first run, W32/Sober-M opens Notepad and displays a body of text that starts:
UnPack failed
W32/Sober-M copies itself to the following location:
%WINDOWS%\Config\system\services.exe
and creates the following registry entries to ensure it is run at system logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
_SystemCheck
%WINDOWS%\Config\system\services.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemCheck
%WINDOWS%\Config\system\services.exe
W32/Sober-M creates a base64-encoded, ZIP-archived copy of itself at the following location:
%WINDOWS%\Config\system\zipped.wrm
as well as the harmless data file maddys.xyz, which can be deleted.
W32/Sober-M also creates the following data files:
%SYSTEM%\adcmmmmq.hjg
%SYSTEM%\langeinf.lin
%SYSTEM%\nonrunso.ber
%SYSTEM%\xcvfpokd.tqa
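The persistence entries and file paths listed above can be checked without any Sophos tooling. The following is an added example, not Sophos code: it reads the text output of `reg query` for the two Run keys (saved to a file on the host being examined; the sample output here is constructed) and checks for the listed files. It assumes that %SYSTEM% expands to the `system32` directory under %WINDOWS%, which is the example's assumption rather than something the description states.

```python
"""Host triage helper for the W32/Sober-M persistence and file indicators.

Added example, not Sophos code. Run-key data comes from the text output of
`reg query` so the check also works offline on an exported listing; the
SAMPLE_REG_QUERY below is constructed for the test.
"""
import os
import re

# Run-key value names from the description (reg query prints full hive names).
RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": "_SystemCheck",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "SystemCheck",
}

# File paths from the description, with the placeholders left in place.
WORM_PATHS = [
    r"%WINDOWS%\Config\system\services.exe",
    r"%WINDOWS%\Config\system\zipped.wrm",
    r"%SYSTEM%\adcmmmmq.hjg",
    r"%SYSTEM%\langeinf.lin",
    r"%SYSTEM%\nonrunso.ber",
    r"%SYSTEM%\xcvfpokd.tqa",
]


def expand(path: str, windows: str = r"C:\WINDOWS") -> str:
    """Expand %WINDOWS% and %SYSTEM% (assumed to be %WINDOWS%\\system32)."""
    return path.replace("%WINDOWS%", windows).replace("%SYSTEM%", windows + r"\system32")


def parse_reg_query(text: str) -> dict[str, dict[str, str]]:
    """Parse `reg query` output into {key path: {value name: data}}."""
    result: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current = line.strip()
            result[current] = {}
        elif current and line.startswith((" ", "\t")):
            # Value lines are "name    TYPE    data"; data may contain single spaces.
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                result[current][parts[0]] = parts[2]
    return result


def find_run_entries(reg_text: str) -> list[tuple[str, str, str]]:
    """Return (key, value name, data) for the worm's Run entries found in reg_text."""
    parsed = {k.lower(): {n.lower(): d for n, d in v.items()}
              for k, v in parse_reg_query(reg_text).items()}
    hits = []
    for key, value_name in RUN_KEYS.items():
        data = parsed.get(key.lower(), {}).get(value_name.lower())
        # Registry names are case-insensitive, so compare lowercased.
        if data and data.lower().endswith(r"\config\system\services.exe"):
            hits.append((key, value_name, data))
    return hits


def find_files(existing_paths, windows: str = r"C:\WINDOWS") -> list[str]:
    """Return the listed worm paths present in an iterable of host file paths."""
    present = {p.lower() for p in existing_paths}
    return [p for p in WORM_PATHS if expand(p, windows).lower() in present]


def check_live_host() -> list[str]:
    """Live variant for a Windows host: which listed paths exist right now."""
    windows = os.environ.get("SystemRoot", r"C:\WINDOWS")
    return [p for p in WORM_PATHS if os.path.exists(expand(p, windows))]


# Constructed sample of `reg query` output showing both entries plus a benign one.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SystemCheck    REG_SZ    C:\WINDOWS\Config\system\services.exe
    Updater        REG_SZ    C:\Program Files\Vendor\update.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    _SystemCheck    REG_SZ    C:\WINDOWS\Config\system\services.exe
"""

if __name__ == "__main__":
    for key, name, data in find_run_entries(SAMPLE_REG_QUERY):
        print(f"Run entry: {key}\\{name} = {data}")
    print("Files present on this host:", check_live_host())
```

The Run-key check matches on the value name and on the `\Config\system\services.exe` suffix rather than the full expanded path, so a non-default Windows directory does not hide the entry; `find_files` takes a listing as input so the same code can be run against a directory export collected from a machine that is kept offline.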
