Sophos

W32/Sober-C

Aliases
  • I-Worm.Sober.c
  • W95/Sober.C@mm
  • W32/Sober.c@MM
  • Win32/Sober.C
  • WORM_SOBER.C

Summary

Included in our products from February 2004 (3.78)
Protection available since 21 December 2003 13:32:16 (GMT)
Detected by All Sophos products

More Information

W32/Sober-C is an Internet worm that spreads via file sharing on peer-to-peer networks and by emailing itself to addresses found in files on the computer.

The email subject line and message text are randomly chosen from internal lists and will be in either English or German. The attachment filename is also randomly chosen from an internal list and can have an extension of EXE, SCR, PIF, COM, CMD or BAT. See below for further details.

When first run, the worm copies itself to the Windows system folder as syshostx.exe and two other randomly selected filenames.

W32/Sober-C then creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<random characters>
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<random characters>

that point to the two randomly named copies of the worm, so that it is run at system logon.

The following files are also created in the Windows system folder:

ms16taskwin.exe
savesyss.dll
Humgly.lkur
yfjq.yqwm

These files are not malicious and can simply be deleted.
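The persistence and dropped-file behaviour described above can be turned into a host triage check. The following is an added example, not Sophos code: it takes a listing of the Windows system folder and the contents of the two Run keys (as a caller-supplied dict, e.g. parsed from a registry export) and reports the named dropped files plus any Run value that launches an executable from the system folder which is not on a caller-supplied allowlist. The allowlist argument and the sample data are constructed for illustration.

```python
import ntpath
from typing import Dict, Iterable, List, Set

# File names the description above says W32/Sober-C creates in the Windows system folder.
SOBER_C_DROPPED = {"syshostx.exe", "ms16taskwin.exe", "savesyss.dll", "humgly.lkur", "yfjq.yqwm"}
# The two autostart keys the worm writes a <random characters> value under.
RUN_KEYS = (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")


def _command_target(command: str) -> str:
    """Extract the executable path from a Run value (handles a quoted first token)."""
    command = command.strip()
    if command.startswith('"'):
        return command.split('"')[1]
    return command.split(" ")[0]


def triage_host(system_dir: str, system_files: Iterable[str],
                run_entries: Dict[str, Dict[str, str]], allow: Set[str]) -> List[str]:
    """Return findings; run_entries maps a Run key path to {value_name: command}."""
    findings = []
    present = {f.lower() for f in system_files}
    for name in sorted(SOBER_C_DROPPED & present):
        findings.append(f"dropped file present: {ntpath.join(system_dir, name)}")
    sysdir = ntpath.normcase(system_dir).rstrip("\\")
    for key in RUN_KEYS:
        for value_name, command in run_entries.get(key, {}).items():
            target = ntpath.normcase(_command_target(command))
            # A random-named autostart value pointing into the system folder matches the worm's pattern.
            if ntpath.dirname(target) == sysdir and ntpath.basename(target) not in allow:
                findings.append(f"review Run value {key}\\{value_name} -> {command}")
    return findings


if __name__ == "__main__":
    # Constructed sample data, not from a real infection.
    files = ["kernel32.dll", "syshostx.exe", "Humgly.lkur", "qwxz.exe", "ctfmon.exe"]
    run = {RUN_KEYS[0]: {"qwxz": r'"C:\WINDOWS\System32\qwxz.exe"',
                         "ctfmon": r"C:\WINDOWS\System32\ctfmon.exe"}}
    for line in triage_host(r"C:\WINDOWS\System32", files, run, allow={"ctfmon.exe"}):
        print(line)
```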

W32/Sober-C copies itself to the My Shared Folder in the KaZaA folder, replacing existing executables that have an extension of COM, EXE, SCR, BAT, CMD or PIF.

German attachment filenames:
Klassenfoto
www.iq4you-german-test.com
BaB
SysDial-patch.
aktenz<random number>
haha_sehr_witzig
DrohMails
RTL-DSDS-anmelde
www.free4manga.com
Zugangsdaten
www.free4share4you.com
sharedfree
www.tagespolitik-umfragen.com
Abstimmen
meld dich einfach
remove-<randomly generated>.exe
test
alledigis

English attachment filenames:
yourmail
photos
reward
youtoo
www.onlinegamerspro-worm.com
set_config
downloader.exe
www.freegames4you-gzone.com
painfulness
www.boards4all-terror432.com
terror-list
yourregistration
letters
refcode<random number>
remove-<randomly generated>_tool.exe
remove<random generated>-patch.exe
www.anime4allfree.com
www.animepage43252.com
mangaconection

German subject lines:
Betr: Klassentreffen
Testen Sie ihren IQ
Bankverbindungs- Daten
Neuer Dialer Patch!
Ermittlungsverfahren wurde eingeleitet
Ihre IP wurde geloggt
Sie sind ein Raubkopierer
Sie tauschen illegal Dateien aus
Ich hasse dich
Ich zeige sie an!
Sie Drohen mir!!
Anime, Pokemon, Manga, Handy ...
Anmeldebestotigung
Neu! Legales Filesharing
Umfrage: Rente erst mit 80!
du wirst ausspioniert
Ein Trojaner ist auf Ihrem Rechner!
Du hast einen Trojaner drauf!
Hi, Ich bin's

English subject lines:
ups, i've got your mail
Sorry, that's your mail
hi, its me
Thank You very ver much
you are an idiot
why me?
I hate you
Preliminary investigation were started
Your IP was logged
You use illegal file sharing ...
A Trojan horse is on your PC
a trojan is on your computer!
Anime, Pokemon, Manga, ...

German message texts begin:
Hallo, ich hoffe das ich jetzt mal ...
Guten Tag, sind Sie auch der Meinung das Sie intelligenter sind, ...
Sehr geehrte Frau Meiers, ...
Seit einiger Zeit kursieren wieder gef ...
Sehr geehrte Damen und Herren, das herunterladen von Filmen, Software und MP3s ist illegal und somit Strafbar. ...
Wenn Du meinst mich beleidigen zu ...
Wenn Sie meinen mir DROHEN zu ...
Deutschland Sucht Den Deutschland Sucht Den Superstar (DSDS) auf RTL. ...
RTL: DSDS Deutschland Sucht Den Superstar (DSDS) auf RTL. ...
Guten Tag, da immer mehr unseri ...
Sehr geehrter Kunde, Vielen Dank ...
Sitzt Ihnen immer die Angst im Nacken, wenn Sie sich MP3's herunterladen? ...
Sie Lesen richtig!! Das sind die neuen, noch geheimen ...
Juten Tach, Habe mal einen internet port scan ...
Ich bin wahrscheinlich zu ...
Hier die Digi-Cam Bilder. Manche sind nix geworden! ...

English message texts begin:
i'm very very sorry, anybody have sent your mail to my address. ...
I've got your mail, but its came on my mail address??? ...
I don't know how to start this! I'm dull,, can you test!? ...
Here, the DigiCam photos. A few are overexposed. ...
That you've killed this bastard. Your reward: ...
That you have paid for me! And that's your ...
Caution: To all gamers A new worm spread via online gaming! ...
To all gamers More than 75.000 freeware games!!! ...
why do you do that? idiot. ...
You say in the www. that i'm a terrorist!!! No way out for you. I REPORT YOU ! ...
Registration confirmation Thanks for your registration. ...
I said, I love you..,, and you said NOTHING And now,,, Go Away From Me ...
Ladies and Gentlemen, Downloading of Movies, MP3s and Software is illegal and punishable by law. ...
NEW! More than 84.000 entries on our page: ...
hi, I am from <random country> and you'll don't believe me, but a trojan horse in on your ...
hello, I am from <random country> and you'll don't believe me, but a trojan horse in on your ...
(where <random country> is Austria, Switzerland, Norway, Denmark, Spain or Belgium.)
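The subject lines, attachment names and extensions listed above make a simple mail-gateway indicator check. The following is an added example, not Sophos code: it scores a message against a representative subset of the lists, turning the "<random number>" and "<randomly generated>" entries into patterns; the sample messages are constructed.

```python
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicator lists copied from the W32/Sober-C description above (a representative subset).
SOBER_C_SUBJECTS = {
    "ups, i've got your mail", "sorry, that's your mail", "hi, its me",
    "your ip was logged", "a trojan horse is on your pc", "i hate you",
    "ihre ip wurde geloggt", "sie sind ein raubkopierer", "neuer dialer patch!",
}
SOBER_C_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".cmd", ".bat"}
# Attachment base names; the <random number> / <randomly generated> entries become patterns.
SOBER_C_NAME_PATTERNS = [
    re.compile(r"^(yourmail|photos|reward|youtoo|klassenfoto|zugangsdaten|downloader)$"),
    re.compile(r"^(aktenz|refcode)\d+$"),
    re.compile(r"^remove-?[a-z0-9]+(_tool|-patch)?$"),
]


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def assess_message(subject: str, attachment: Optional[str]) -> Verdict:
    """Score an inbound message against the Sober-C subject and attachment indicators."""
    v = Verdict()
    if subject.strip().lower() in SOBER_C_SUBJECTS:
        v.score += 2
        v.reasons.append("subject matches a Sober-C subject line")
    if attachment:
        base, ext = os.path.splitext(attachment.strip().lower())
        # Only the executable extensions the worm uses count; a name match alone is not enough.
        if ext in SOBER_C_EXTENSIONS:
            v.score += 1
            v.reasons.append(f"executable attachment extension {ext}")
            if any(p.match(base) for p in SOBER_C_NAME_PATTERNS):
                v.score += 2
                v.reasons.append("attachment name matches a Sober-C filename")
    return v


if __name__ == "__main__":
    # Constructed sample messages, not real captures.
    for subj, att in [("Your IP was logged", "refcode48213.pif"), ("Meeting notes", "report.pdf")]:
        print(subj, att, assess_message(subj, att))
```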
