Sophos

W32/Sober-P

Aliases
  • Trojan-Dropper.Win32.VB.iv
  • W32/Sober.r.dr

Summary

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 6 October 2005 10:26:52 (GMT)
Last updated 6 October 2005 18:02:07 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: WinINet
Value data: <Windows>\ConnectionStatus\services.exe

and delete the WinINet value if it exists.

Close the registry editor.

More Information

W32/Sober-P is a mass-mailing worm.

When first run, a message box may be displayed with title 'Ms Paint' and containing the text 'Graphic Decoder not found'.

W32/Sober-P creates a base64 encoded ZIP archived copy of itself in <Windows>\ConnectionStatus\netslot.nst.

The email sent by W32/Sober-P depends on the recipient address. Emails sent to recipients whose email address is in the .de, .ch, .at, .li domains or contains the string "gmx." will receive an email as follows:

Subject line: Fwd: Klassentreffen

Message text:
hi,
ich hoffe jetzt mal das ich endlich die richtige person erwischt habe!
ich habe jedenfalls mal unser klassenfoto von damals mit angehängt.
wenn du dich dort wiedererkennst, dann schreibe unbedingt zurück!!

wenn ich aber wieder mal die falsche person erwischt habe, dann sorry für die belästigung ;)

liebe grüße
Hannelore

(In English: "hi, I hope this time I have finally got hold of the right person! Anyway, I've attached our class photo from back then. If you recognise yourself in it, be sure to write back!! But if I have got the wrong person yet again, then sorry for the bother ;) Kind regards, Hannelore")

Attached file: KlassenFoto.zip

Email sent to other addresses will have the following characteristics:

Subject line: Your new Password

Message text:
Your password was successfully changed!
Please see the attached file for detailed information.

Attached file: pword_change.zip
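The two lures above are simple enough to match mechanically at a mail gateway or in a mailbox search. The following is an added example (not Sophos code): it encodes the recipient rule from the description (.de, .ch, .at, .li domains or an address containing "gmx.") and the subject/attachment pairs of both lures, then triages a list of messages. The sample messages are constructed for illustration; the message fields and function names are this example's own.

```python
"""Rule-based triage for the two W32/Sober-P lures described above.

Added example, not Sophos code. Subjects, attachment names and the recipient
rule come from the description; the sample messages are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Recipient domains that, per the description, receive the German lure.
GERMAN_TLDS = (".de", ".ch", ".at", ".li")


@dataclass(frozen=True)
class Lure:
    name: str
    subject: str
    attachment: str


KLASSENTREFFEN = Lure("klassentreffen", "Fwd: Klassentreffen", "KlassenFoto.zip")
PASSWORD = Lure("password", "Your new Password", "pword_change.zip")
LURES = (KLASSENTREFFEN, PASSWORD)


@dataclass(frozen=True)
class Message:
    recipient: str
    subject: str
    attachment: Optional[str]


def expected_lure(recipient: str) -> Lure:
    """Which lure the description says a given recipient address would receive."""
    addr = recipient.strip().lower()
    domain = addr.rsplit("@", 1)[-1]
    if domain.endswith(GERMAN_TLDS) or "gmx." in addr:
        return KLASSENTREFFEN
    return PASSWORD


def match_lure(subject: str, attachment: Optional[str]) -> Optional[str]:
    """Return the lure name when both subject and attachment name match (case-insensitive)."""
    subj = subject.strip().lower()
    att = (attachment or "").strip().lower()
    for lure in LURES:
        if subj == lure.subject.lower() and att == lure.attachment.lower():
            return lure.name
    return None


def triage(msg: Message) -> Tuple[Optional[str], bool]:
    """(matched lure or None, whether that lure is the one expected for this recipient)."""
    hit = match_lure(msg.subject, msg.attachment)
    return hit, hit is not None and hit == expected_lure(msg.recipient).name


def scan(messages: List[Message]) -> List[Tuple[Message, str]]:
    """All messages matching either lure, whatever the recipient."""
    flagged = []
    for m in messages:
        hit = match_lure(m.subject, m.attachment)
        if hit is not None:
            flagged.append((m, hit))
    return flagged


# Constructed sample traffic; the addresses are placeholders.
SAMPLE_MESSAGES = [
    Message("anna@example.de", "Fwd: Klassentreffen", "KlassenFoto.zip"),
    Message("bob@example.com", "Your new Password", "pword_change.zip"),
    Message("carl@gmx.net", "Your new Password", "pword_change.zip"),  # lure/target mismatch
    Message("dana@example.org", "Quarterly report", "report.pdf"),
]

if __name__ == "__main__":
    for m, hit in scan(SAMPLE_MESSAGES):
        _, as_expected = triage(m)
        print(f"{m.recipient}: {hit} lure (expected for recipient: {as_expected})")
```

Exact subject and attachment matching keeps false positives low; the "expected for recipient" flag is only a consistency hint, since the description says which lure each address class receives, not that the other lure can never reach it.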

W32/Sober-P harvests email addresses from files with the following strings in their filenames:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

When W32/Sober-P is installed the following files are created:

C:/vbbfgdtd.exe
<Windows>\ConnectionStatus\services.exe

These files are detected as W32/Sober-O.

The following registry entry is created to run services.exe on startup:

Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: WinINet
Value data: <Windows>\ConnectionStatus\services.exe
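The persistence entry and dropped files listed above, together with the removal steps in the Action section, are the artifacts a responder checks for. The following added example (not Sophos code) does that offline: it parses a Regedit export such as the backup the removal steps ask you to make, reports Run values named WinINet or pointing at ConnectionStatus\services.exe, lists which of the dropped files exist, and tests whether a blob has the base64-encoded ZIP form the description gives for netslot.nst. The sample export is constructed; the function names and the UTF-16 reading of the export file are this example's assumptions.

```python
"""Check a host for the W32/Sober-P artifacts listed in the description.

Added example, not Sophos code. Works from a Regedit 5.00 export (.reg text),
so it can be run offline against a saved file; SAMPLE_REG is constructed.
"""
import base64
import binascii
import io
import os
import re
import sys
import zipfile
from typing import Callable, Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SOBER_RUN_VALUE = "WinINet"
SOBER_PAYLOAD_SUFFIX = r"\ConnectionStatus\services.exe"
# Files the description says are created; <Windows> stands for the Windows directory.
DROPPED_FILES = (
    r"C:\vbbfgdtd.exe",
    r"<Windows>\ConnectionStatus\services.exe",
    r"<Windows>\ConnectionStatus\netslot.nst",
)

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Regedit exports: {key path: {value name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # REG_SZ data is quoted, with backslashes and quotes escaped.
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def find_sober_persistence(reg_text: str) -> List[Tuple[str, str]]:
    """Run values named WinINet or whose data ends in ConnectionStatus\\services.exe."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == SOBER_RUN_VALUE.lower() or SOBER_PAYLOAD_SUFFIX.lower() in data.lower():
                hits.append((name, data))
    return hits


def present_artifacts(windows_dir: str,
                      path_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Dropped-file paths that exist, with <Windows> replaced by the real directory."""
    paths = [p.replace("<Windows>", windows_dir) for p in DROPPED_FILES]
    return [p for p in paths if path_exists(p)]


def is_base64_zip(blob: bytes) -> bool:
    """True if blob is base64 text that decodes to data starting with a ZIP local-file header."""
    try:
        decoded = base64.b64decode(b"".join(blob.split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    return decoded.startswith(b"PK\x03\x04")


# Constructed sample export (not taken from a real host); the benign entries are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"WinINet"="C:\\WINDOWS\\ConnectionStatus\\services.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Notes"="C:\\Users\\alice\\notes.exe"
'''


def constructed_base64_zip() -> bytes:
    """A harmless base64-encoded ZIP, used only to exercise is_base64_zip()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", "not the worm")
    return base64.b64encode(buf.getvalue())


if __name__ == "__main__":
    # Regedit writes exports as UTF-16 with a BOM; fall back to the sample when no file is given.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    print("Run values:", find_sober_persistence(text))
    print("Files present:", present_artifacts(os.environ.get("SystemRoot", r"C:\WINDOWS")))
```

Run it with the path to the exported .reg file as its only argument; a non-empty "Run values" list is the entry the removal steps say to delete.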
