W32/Sober-O

Please follow the instructions for removing worms.

W32/Sober-O is a mass-mailing worm.

When W32/Sober-O is installed the following files are created:

<Windows>\ConnectionStatus\services.exe

W32/Sober-O also creates the following registry entries so as to auto-start:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinINet
<Windows>\ConnectionStatus\services.exe

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
_WinINet
<Windows>\ConnectionStatus\services.exe

and modify the following registry entry:

HKCR\exefile\shell\open\command

W32/Sober-O creates a base64 encoded ZIP archived copy of itself in the following location:

<Windows>\ConnectionStatus\netslot.nst

The email sent by W32/Sober-O depends on the recipient address. Emails sent to recipients whose email address is in the .de, .ch, .at, .li domains or contains the string "gmx." will receive an email as follows:

Subject line: Fwd:

Klassentreffen

Message text:

hi,
ich hoffe jetzt mal das ich endlich die richtige person erwischt habe!
ich habe jedenfalls mal unser klassenfoto von damals mit angehngt.
wenn du dich dort wiedererkennst, dann schreibe unbedingt zurck!!

wenn ich aber wieder mal die falsche person erwischt habe, dann sorry fr die belstigung ;)

liebe gr
Hannelore

Attached file:

KlassenFoto.zip

Email sent to other addresses will have the following characteristics:

Subject line:

Your new Password

Message text:

Your password was successfully changed!
Please see the attached file for detailed information.

Attached file:

pword_change.zip

W32/Sober-O harvests email addresses from files with the following strings in their filenames:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx