Sophos

W32/Sober-X

Aliases
  • Email-Worm.Win32.Sober.z
  • W32/Sober.x
  • Worm.Sober.T-9

Summary

 
How it spreads
  • Email attachments
Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Protection available since 16 November 2005 01:42:16 (GMT)
Last updated 21 November 2005 12:47:38 (GMT)
Detected by All Sophos products

More Information

W32/Sober-X sends email messages in German to addresses found in files on the
hard disk.

When first run, a message box may be displayed with the title "WinZip" and
containing the text "Error in Packed Data Header". W32/Sober-X searches for
email addresses in files whose names contain the following strings:

pmr stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi pp ppt
msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln
dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc
ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

W32/Sober-X does not send mail to any address which contains the following
strings:

@www @from. smtp- @smtp. gold-certs ftp. .dial. .ppp. anyone subscribe mantec
announce @gmetref sql. someone nothing you@ user@ reciver@ somebody secure
msdn. me@ whatever@ whoever@ anywhere yourname mustermann@ .kundenserver.
mailer-daemon variabel -dav law2 .sul.t- .qmail@ t-ipconnect t-dialin ipt.aol
time freeav @ca. abuse winrar domain. host. viren bitdefender spybot detection
icrosoft ewido. emsisoft @foo. winzip @example. bellcore. @arin mozilla @iana
@avp @msn @sophos @panda @kaspers free-av antivir virus verizon. @ikarus. @nai.
@messagelab nlpmail01. clock

W32/Sober-X creates the following empty files in the Windows system folder.

bbvmwxxf.hml
gdfjgthv.cvq
langeinf.lin
nonrunso.ber
rubezahl.rub
runstop.rst

Copies of the worm may be created in the following locations:

<Windows>\hhbveeed.exe
<Windows>\ConnectionStatus\Microsoft\services.exe
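
A host sweep for the file artefacts listed above, as an added example that is not part of the original Sophos description. The function names and the default mapping of <Windows> to %SystemRoot% and of the system folder to System32 are assumptions; pass other directories when checking a mounted disk image.

```python
import os
from pathlib import Path

# Indicators copied from the description above.
MARKER_FILES = ["bbvmwxxf.hml", "gdfjgthv.cvq", "langeinf.lin",
                "nonrunso.ber", "rubezahl.rub", "runstop.rst"]
WORM_COPIES = ["hhbveeed.exe", r"ConnectionStatus\Microsoft\services.exe"]


def _resolve(base, relative):
    """Walk `relative` under `base`, matching each component case-insensitively."""
    current = Path(base)
    for part in relative.split("\\"):
        try:
            names = {p.name.lower(): p for p in current.iterdir()}
        except OSError:  # missing, unreadable, or not a directory
            return None
        current = names.get(part.lower())
        if current is None:
            return None
    return current


def sweep(windows_dir, system_dir):
    """Return (kind, path, note) findings for W32/Sober-X file artefacts."""
    findings = []
    for name in MARKER_FILES:
        hit = _resolve(system_dir, name)
        if hit and hit.is_file():
            size = hit.stat().st_size
            # The description says these files are created empty.
            note = "empty, as described" if size == 0 else f"{size} bytes, not empty"
            findings.append(("marker", str(hit), note))
    for rel in WORM_COPIES:
        hit = _resolve(windows_dir, rel)
        if hit and hit.is_file():
            findings.append(("worm-copy", str(hit), f"{hit.stat().st_size} bytes"))
    return findings


if __name__ == "__main__":
    # Assumption: default folder locations on the host being checked.
    win = os.environ.get("SystemRoot", r"C:\Windows")
    for kind, path, note in sweep(win, os.path.join(win, "System32")):
        print(f"{kind:10} {path}  ({note})")
```

A services.exe under <Windows>\ConnectionStatus\Microsoft deserves attention on its own, because the genuine Windows file of that name lives in the system folder.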
