Sophos

W32/Sober-S

Aliases
  • W32/Sober.v.dr

Summary

How it spreads
  • Email attachments
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since: 15 November 2005 08:03:53 (GMT)
Detected by: All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

More Information

W32/Sober-S is a mass-mailing worm.

The email sent by W32/Sober-S depends on the recipient address.

The email characteristics will be one of the following:

Subject line: Ihre eMail!

Message text:

Guten Tag,
Ok, hier haben Sie sie wieder zurueck!

Tabelle jemand schickte mir eine Mail mit einer Excel oder Access Tabelle (kenne mich da nicht so aus!).
Jedenfalls ist diese Mail aber an ihre Mail Adresse adressiert, aber zu meiner gekommen??? Ist wohl irgendein Fehler.

Attached file: Tabelle.zip

OR

Subject line: Your email

Message text:

Hello,
Sorry, sorry sorry, because,, my English is not the best!

ok, I've got an email with an Excel-Table. But I am not the recipient, the recipient are you!
I think, it's an mail error!
OK, here is your table back!
cya....

Attached file: excel_table.zip

W32/Sober-S harvests email addresses from files with the following strings in their filenames:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

When W32/Sober-S is installed the following files are created:

<Windows>\hjgerhds.exe
<Windows>\ConnectionStatus\Microsoft\services.exe

These files are detected as W32/Sober-S.

The following registry entries are created to run services.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinCheck
<Windows>\ConnectionStatus\Microsoft\services.exe

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
_WinCheck
<Windows>\ConnectionStatus\Microsoft\services.exe

W32/Sober-S also creates the following files in the Windows system folder:

bbvmwxxf.hml
gdfjgthv.cvq
langeinf.lin
nonrunso.ber
rubezahl.rub
runstop.rst

These files may be deleted.
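The removal steps above ask you to search the Run keys by hand. The following PowerShell script, an added example rather than Sophos's own tooling, performs that search read-only: it checks the HKLM and per-user Run keys for the WinCheck and _WinCheck values or any value pointing at the ConnectionStatus\Microsoft\services.exe path, and checks for the dropped files listed on this page. It assumes the Windows folder is $env:SystemRoot and the system folder is $env:SystemRoot\System32; it reports findings and deletes nothing.

```powershell
# Added example: audit a host for the W32/Sober-S persistence and dropped files
# described on this page. Read-only; run from an elevated prompt so that the
# HKEY_USERS hives of other logged-on profiles are readable.

$indicator = 'ConnectionStatus\Microsoft\services.exe'   # path fragment from the page
$valueNames = @('WinCheck', '_WinCheck')                  # value names from the page

# Run keys to inspect: HKLM plus every loaded user hive under HKEY_USERS
# (HKCU is one of these hives, so it is covered as well).
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
foreach ($hive in Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue) {
    $runKeys += "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # skip the provider's PSPath/PSDrive metadata
        $val = [string]$p.Value
        if (($p.Name -in $valueNames) -or ($val -like "*$indicator*")) {
            $findings += [pscustomobject]@{ Where = $key; Name = $p.Name; Value = $val }
        }
    }
}

# Dropped files named on the page. Assumption: <Windows> is $env:SystemRoot and the
# "Windows system folder" is $env:SystemRoot\System32.
$win = $env:SystemRoot
$files = @("$win\hjgerhds.exe", "$win\ConnectionStatus\Microsoft\services.exe")
foreach ($n in 'bbvmwxxf.hml','gdfjgthv.cvq','langeinf.lin','nonrunso.ber','rubezahl.rub','runstop.rst') {
    $files += "$win\System32\$n"
}
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += [pscustomobject]@{ Where = 'file'; Name = (Split-Path $f -Leaf); Value = $f }
    }
}

if ($findings.Count -eq 0) {
    'No W32/Sober-S indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any Run value it reports should be removed only after the file it points to has been deleted, as the removal instructions above describe.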
