W32/Sober-L

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

W32/Sober-L is a mass-mailing worm for the Windows platform.

Emails sent by the worm will have the following characteristics:

Subject line:

Ich habe Ihre E-Mail bekommen!

or

Your Password & Account number

Message text:

Hallo,
jemand schickt ihre privaten Mails auf meinem Account.
Ich schaetze mal, das es ein Fehler vom Provider ist.

Insgesamt waren es jetzt schon 6 Mails!
Ich habe alle Mail-Texte im Texteditor kopiert und gezippt.

Wenn es doch kein Fehler vom Provider ist, sorge dafuer das diese Dinger nicht mehr auf meinem Account landen, es Nervt naemlich.

Gruss

or

hi,

i've got an admin mail with a Password and Account info!
but the mail recipient are you! it's probably an esmtp error, i think.

i've copied the full mail text in the Windows text-editor & zipped.

ok, cya...

Attached file:

MailTexte.zip

or

acc_text.zip W32/Sober-L is a mass-mailing worm which sends itself to addresses harvested from the infected computer.

When first run, W32/Sober-L will open Notepad and display a body of text that starts:

Mail-Text:
Unzip failed

W32/Sober-L will copy itself to a subfolder of the Windows folder named \MSAGENT\SYSTEM with the filename SMSS.EXE. In order to run automatically each time a user logs on, W32/Sober-L will continually set the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
" Services.dll"
<Windows folder>\msagent\system\smss.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
_Services.dll
<Windows folder>\msagent\system\smss.exe

W32/Sober-L also creates the following data files:

\msagent\win32\emdata.mmx
\msagent\win32\zipzip.zab
\read.me
\nonrunso.ber
\stopruns.zhz
\xcvfpokd.tqa

The READ.ME file contains the following text:

test test test

In diesem Sinne:
Odin alias Anon

W32/Sober-L will attempt to terminate processes with names containing the following strings:

gcas, gcip, giantanti, stinger, hijackthis

W32/Sober-L harvests email addresses from files with the following strings in their filenames:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

W32/Sober-L avoids sending email to addresses that contain any of the following strings:

ntp- ntp@ ntp. test@ office @www @from. support smtp- @smtp. gold-certs ftp. .dial. .ppp. anyone subscribe announce @gmetref sql. someone nothing you@ user@ reciver@ somebody secure whatever@ whoever@ anywhere yourname mustermann@ .kundenserver. mailer-daemon variabel password noreply -dav law2 .sul.t- .qmail@ t-ipconnect t-dialin ipt.aol time postmas service freeav @ca. abuse winrar domain. host. viren bitdefender spybot detection ewido. emsisoft linux google @foo. winzip @example. bellcore. @arin mozilla @iana @avp icrosoft. @sophos @panda @kaspers free-av antivir virus verizon. @ikarus. @nai. @messagelab nlpmail01. clock

The email sent by W32/Sober-L depends on the recipient address. Emails sent to recipients whose email address is in the .de, .ch, .at, .li domains or contains the string "gmx." will receive an email as follows:

Subject line:

Ich habe Ihre E-Mail bekommen!

Message text:

Hallo,
jemand schickt ihre privaten Mails auf meinem Account.
Ich schaetze mal, das es ein Fehler vom Provider ist.

Insgesamt waren es jetzt schon 6 Mails!
Ich habe alle Mail-Texte im Texteditor kopiert und gezippt.

Wenn es doch kein Fehler vom Provider ist, sorge dafuer das diese Dinger nicht mehr auf meinem Account landen, es Nervt naemlich.

Gruss

Attached file:

MailTexte.zip

Email sent to other addresses will have the following characteristics:

Subject line:

Your Password & Account number

Message text:

hi,

i've got an admin mail with a Password and Account info!
but the mail recipient are you! it's probably an esmtp error, i think.

i've copied the full mail text in the Windows text-editor & zipped.

ok, cya...

Attached file:

acc_text.zip

The ZIP file will contain an executable file named mail_text-data.txt.pif

The From address line will be faked.