Sophos

W32/Sober-F


Summary

Included in our products from May 2004 (3.81)
Protection available since 4 April 2004 23:29:09 (GMT)
Detected by All Sophos products

More Information

W32/Sober-F is a mass mailing worm which sends itself to addresses harvested
from the local computer.

When first run the worm creates a TXT file called <executed file>.TXT in the Temp folder and displays its contents using NOTEPAD.EXE. The text file begins with the text:

"#Mail Transaction Failed
#This mail couldn't be converted
---------------- Damage #Mime base64# part ----------------
<random text>"

The worm copies itself to the Windows system folder as an EXE file with a name
that is constructed from the following:

sys, host, dir, expolrer, win, run, log, 32, disc, crypt, data, diag, spool, service, smss32

and sets the following registry entry to ensure it is run at system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\<random name>= <SYSTEM>\<random file> %1

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<random name>\<random name>= <SYSTEM>\<random file>

where <random file> is the name of the copy of the worm and <random name> is generated using the same word list.

W32/Sober-F may also modify the registry entry at the following location so that it runs before any EXE file is launched:

HKCR\exefile\shell\open\command

W32/Sober-F also creates the following files in the Windows system folder:

BCEGFDS.LLL - zero byte file
SPOOFED_RECIPS.OCX - list of harvested email addresses
SYST32WIN.DLL - list of harvested email addresses
WINHEX32XX.WRM - base64 encoded version of the worm
WINSYS32XX.ZZP - base64 encoded ZIP archive of the worm
ZHCARXXI.VVX - zero byte file
ZMNDPGWF.KXX - zero byte file
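
The following triage helper is an added example written for this description; it is not Sophos code. It applies the indicators above to a snapshot of a host: Run/RunOnce entries whose image (and value) name can be built entirely from the worm's word list, a non-default HKCR\exefile\shell\open\command, and the presence of the dropped files in the system folder. The registry and directory snapshots are constructed sample data; on a real host they would come from a registry export and a listing of the system folder, and the clean default `"%1" %*` for the exefile handler is an assumption about a stock Windows install.

```python
# Word list the page says W32/Sober-F draws on to build the name of its
# EXE copy and of the Run/RunOnce value it creates.
SOBER_F_WORDS = ("sys", "host", "dir", "expolrer", "win", "run", "log", "32",
                 "disc", "crypt", "data", "diag", "spool", "service", "smss32")

# Files the page lists as created in the Windows system folder.
SOBER_F_DROPPED = frozenset({
    "BCEGFDS.LLL", "SPOOFED_RECIPS.OCX", "SYST32WIN.DLL", "WINHEX32XX.WRM",
    "WINSYS32XX.ZZP", "ZHCARXXI.VVX", "ZMNDPGWF.KXX",
})

# Clean default for HKCR\exefile\shell\open\command (assumption: stock Windows).
DEFAULT_EXEFILE_COMMAND = '"%1" %*'


def made_of_word_list(name, words=SOBER_F_WORDS):
    """Return True if `name` can be split entirely into words from the list.

    Word-break dynamic programme. It is a heuristic: a legitimate name built
    from the same fragments (e.g. "win32") matches as well, so treat a hit as
    a reason to inspect the file, not as proof of infection.
    """
    name = name.lower()
    n = len(name)
    if n == 0:
        return False
    reachable = [False] * (n + 1)
    reachable[0] = True
    for i in range(n):
        if not reachable[i]:
            continue
        for w in words:
            if name.startswith(w, i):
                reachable[i + len(w)] = True
    return reachable[n]


def _image_base_name(value_data):
    """Executable base name (no path, no extension) from Run/RunOnce value data."""
    cmd = value_data.strip()
    # The RunOnce entry on the page carries a trailing " %1" argument.
    if cmd.lower().endswith(" %1"):
        cmd = cmd[:-3].rstrip()
    cmd = cmd.strip('"')
    base = cmd.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0] if "." in base else base


def check_registry(run_values, runonce_values, exefile_command):
    """Flag Run/RunOnce values whose image name is built from the word list,
    and an exefile open command that differs from the clean default.
    Returns a list of (location, value name, reason) tuples."""
    findings = []
    for key, values in (("Run", run_values), ("RunOnce", runonce_values)):
        for value_name, data in values.items():
            image = _image_base_name(data)
            if made_of_word_list(image):
                reason = "image %r built from Sober-F word list" % image
                if made_of_word_list(value_name):
                    reason += "; value name matches too"
                findings.append((key, value_name, reason))
    if " ".join(exefile_command.split()) != DEFAULT_EXEFILE_COMMAND:
        findings.append(("exefile", "shell\\open\\command",
                         "non-default EXE handler: %r" % exefile_command))
    return findings


def check_dropped_files(system_dir_listing):
    """Return the Sober-F dropped-file names present in a system-folder listing."""
    return sorted(n.upper() for n in system_dir_listing if n.upper() in SOBER_F_DROPPED)


# Constructed sample snapshot (not real telemetry). The Run entry on the page
# sits under a subkey named from the word list; flatten that to its name here.
SAMPLE_RUN = {
    "ctfmon": 'C:\\WINDOWS\\system32\\ctfmon.exe',
    "windiag": 'C:\\WINDOWS\\system32\\syscrypt32.exe',
}
SAMPLE_RUNONCE = {"hostlog": 'C:\\WINDOWS\\system32\\rundata.exe %1'}
SAMPLE_EXEFILE = 'C:\\WINDOWS\\system32\\disclog.exe "%1" %*'
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "winhex32xx.wrm", "ctfmon.exe",
                     "spoofed_recips.ocx"]

if __name__ == "__main__":
    for finding in check_registry(SAMPLE_RUN, SAMPLE_RUNONCE, SAMPLE_EXEFILE):
        print("registry:", finding)
    print("dropped files present:", check_dropped_files(SAMPLE_SYSTEM_DIR))
```

On the sample data the two word-list names (`windiag` running `syscrypt32.exe`, `hostlog` running `rundata.exe %1`) and the rewritten exefile handler are reported, while `ctfmon.exe` is not; the file check reports the two dropped-file names that appear in the listing regardless of case.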

W32/Sober-F harvests email addresses from files with the following extensions:

WAB, TBB, ABD, ADB, PL, CTL, DHTM, CGI, PP, PPT, MSG, JSP, OFT, VBS, UIN, LDB, ABC, PST, CFG, MDW, MBX, MDX, MDA, ADP, NAB, FDB, VAP, DSP, ADE, SLN, DSW, MDE, FRM, BAS, ADR, CLS, INI, LDIF, LOG, MDB, XML, WSH, ABX, ADB, RTF, MMF, DOC, ODS, NCH, XLS, NSF, TXT, EML, HLP, MHT, NFO, PHP, ASP, SHTML, DBX

Emails can be either in English or German and have the following characteristics:

Subject lines (English):

Details
Oh my God
Hey
Hi!
Hi, it's me
hey you
damn
Well, surprise?!
Info
Information
.
Faulty mail delivery
Mail delivery failed
Mail Error
Illegal signs in Mail-Routing
Connectio failed
Invalid mail sentence length
Mail Delivery failure
Message Error
mail delivery status
Confirmation Required
Bad Gateway
Warning!
Your document

Message texts (English):

I was surprised, too! :-( Who could suspect something like that?

All OK :) see, what i've found!

hi its me i've found a shity virus on my pc. check your pc, too! follow the
steps in this article. bye

I 've told you!:-) sometime I grab your passwords!

I hope you accept the result! Follow the instructions to read the message.
Please read the document

Registration confirmation
Confirmation
Your Password
Your mail account
Your password was changed successfully.
Protected message is attached.
++++ Service: http://www.
++++ Mail To: User-info

*** Auto Mail Delivery System ***
67.28.114.32_failed_after_I_sent_the_message./Remote_host_said
:_554_delivery_error:_dd_Sorry_your_message_cannot_be_delivered.
_This_account_has_been_disabled_or_discontinued_[#102]._-_mta134.mail.dcn.com
** End of Transmission The original message is a separate attachment.
--- Web: http://www.
--- Mail To: UserHelp

Read the attachment for details.
Bad Gateway: The message has been attached.
+++ A service of +++ http://www. Mail: home

The message has been attached.

Database #Error -- Partial message is available! -- Error: llegal signs in
Mail-Routing -- Mail Server: ESMTP VX32.9 Version Betha Alpha

Anybody use your accounts! For further details see the attachment.

I have received your document. The corrected document is attached. greets corrected_text-file

The message text may end with the following:

Mail- Attachment: No suspicious Virus signatures
Mail Scanner: No Virus found
Anti-Virus: No Virus!

Subject lines (German):

Einzelheiten
Hallo Du!
Hallo!
Hey Du
Hi, Ich bin's
Ich bin es .-)
Verdammt
Überrascht?!
Information
Fehlerhafte Mailzustellung
Mailzustellung fehlgeschlagen
Fehler
Illegale Zeichen in Mail-Routing
Verbindung fehlgeschlagen
Ungültige Mail-Satzlänge
Fehler in E-Mail
Bestätigung
Registrierungs-Bestätigung
Ihr neues Passwort
Ihr Passwort
Datenbank-Fehler
Warnung!

Message texts (German):

Ich war auch ein wenig überrascht! Wer konnte so etwas ahnen!? Lese selbst

Alles klaro bei dir? Schau mal was Ich gefunden habe!

Meinst Du das wirklich?

Sieh mal nach ob du den Scheiss auch bei dir drauf hast! Ist ein ziemlich
nervender Virus. Mach genau das, wie es im Text beschrieben ist! Bye

Ich habs dir doch gesagt, irgendwann schaffe ich es deine Passwörter
rauszubekommen!!!

Details entnehmen Sie bitte dem Attachment Nähere Informationen befinden
sich im Anhang.

*** Auto Mail Delivery System *** Ihre E-Mail konnte nicht gesendet oder
empfangen werden. Bitte attach: * End Transmission
--- Web: http://www.
--- Mail To: User-Hilfe

Passwort und Benutzername wurde erfolgreich geändert

Mail- Anhang: Keine verdächtigen Virus- Signaturen gefunden

Ihre Benutzernamen und Passwörter befinden sich im Anhang dieser E-Mail
++++ Im www erreichbar unter: http://www.
++++ E-Mail: KundenInfo

Wegen eines Datenbank- Fehlers k
Wenn Sie Unregelmäßigkeiten festgestellt haben, melden Sie uns bitte umgehend den Datenverlust.
Vielen Dank für
+++ Ein Service von

Internet Provider Abuse: Wir haben festgestellt, dass Sie illegale Internet-
Seiten besuchen. Bitte beachten Sie folgende Liste:

The message text may end with the following:

Mail- Anhang: Keine verdächtigen Virus- Signaturen gefunden
Mail Scanner: Kein Virus gefunden
Anti- Virus: Es wurde kein Virus erkannt

Attached file name (one of the following, with extension PIF or ZIP):

Webmaster, Fehler-Info, Administrator, RobotMailer, AutoMailer, Dokumente,
Dokument, KurzText, Register, Service, Info, Passwort, Kundenservice, Liste,
Schwarze-Liste, Information, text, Textdocument, anitv_text, instructions,
your_article, your_passwords, messagedoc, admin, pass-message, database, help, check_this, Police
