Sophos

W32/Sober-V

Aliases
  • Email-Worm.Win32.Sober.x

Summary

 
How it spreads
  • Email attachments
Affected operating systems
  • Windows
Characteristics
  • Installs itself in the registry
Included in our products from
  • January 2006 (4.01)
Protection available since
  • 15 November 2005 17:36:48 (GMT)
Detected by
  • All Sophos products

More Information

W32/Sober-V is a mass-mailing worm for the Windows platform.

When first run, a message box may be displayed with the title "MS Outlook" and containing the text "Error in Outlook-Key".

The email characteristics will be one of the following, depending on the recipient's address:

Subject line:
Your eMail Password

Message text:
Thanks for your registration! Your registration will not be complete until you re-confirm it. Please read the following agreement. If you accept it, click the "accept" to complete your registration!

Attached file:
Accept_e-Text.zip

Subject line:
Wichtig: Meine neue Mail Adresse!

Message text:
hi du,,, ike bin et

Musste mir leider ne neue Mail-Addy machen. Meine alte wird nur noch zu gemuellt mit Spam.
Habe dir auch gleich die Datei mitgeliefert die du immer haben wolltest. Ist aber ziemlich per....
Ok, man sieht sich

Attached file:
Mail-Datei.zip

W32/Sober-V harvests email addresses from files with the following strings in their filenames:

abc
abd
abx
adb
ade
adp
adr
asp
bak
bas
cfg
cgi
cls
cms
csv
ctl
dbx
dhtm
doc
dsp
dsw
eml
fdb
frm
hlp
imb
imh
imh
imm
inbox
ini
jsp
ldb
ldif
log
mbx
mda
mdb
mde
mdw
mdx
mht
mmf
msg
nab
nch
nfo
nsf
nws
ods
oft
php
phtm
pl
pmr
pp
ppt
pst
rtf
shtml
slk
sln
stm
tbb
txt
uin
vap
vbs
vcf
wab
wsh
xhtml
xls
xml

When W32/Sober-V is installed, the following files are created:

<Windows folder>\vdfgvxvy.exe
<Windows folder>\ConnectionStatus\Microsoft\services.exe

The following registry entries are created to run services.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinCheck
<Windows folder>\ConnectionStatus\Microsoft\services.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
_WinCheck
<Windows folder>\ConnectionStatus\Microsoft\services.exe

W32/Sober-V creates the following files in the Windows system folder:

bbvmwxxf.hml
gdfjgthv.cvq
langeinf.lin
nonrunso.ber
rubezahl.rub
runstop.rst

These files are harmless and may be deleted safely.
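
The registry and file indicators above can be checked offline against saved `reg query` output and a listing of the Windows system folder. The following is an added example, not Sophos code: the function names, the "high"/"review" verdict labels and the sample input are constructed for illustration, and it assumes the four-space column layout that `reg query` prints.

```python
import re

# Indicators as listed in the description above (compared case-insensitively).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
VALUE_NAMES = {"wincheck", "_wincheck"}
PATH_SUFFIX = r"\connectionstatus\microsoft\services.exe"
MARKER_FILES = {"bbvmwxxf.hml", "gdfjgthv.cvq", "langeinf.lin",
                "nonrunso.ber", "rubezahl.rub", "runstop.rst"}

# One value line of `reg query` output: name, type and data separated by 4 spaces.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")

def find_run_key_hits(reg_query_output):
    """Return (key, value name, data, verdict) for Run entries matching Sober-V."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.lstrip().upper().startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m is None or key is None or key.lower() not in RUN_KEYS:
            continue
        name = m["name"].strip()
        data = m["data"].strip().strip('"')
        name_ok = name.lower() in VALUE_NAMES
        path_ok = data.lower().endswith(PATH_SUFFIX)
        if name_ok or path_ok:
            # Both indicators together are a strong match; one alone needs a human look.
            hits.append((key, name, data, "high" if name_ok and path_ok else "review"))
    return hits

def find_marker_files(system_folder_listing):
    """Return the worm's marker files present in a system-folder listing."""
    return sorted(f for f in system_folder_listing if f.lower() in MARKER_FILES)

# Constructed sample input, not taken from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    WinCheck    REG_SZ    C:\WINDOWS\ConnectionStatus\Microsoft\services.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    _WinCheck    REG_SZ    C:\WINDOWS\ConnectionStatus\Microsoft\services.exe
    Updater    REG_SZ    "C:\WINDOWS\ConnectionStatus\Microsoft\services.exe"
"""
```

Calling `find_run_key_hits(SAMPLE)` flags the two documented value names as "high" and the renamed entry that still points at the dropped services.exe as "review". The path is matched on its suffix only, so the check does not depend on where the Windows folder is located.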
