[virusinfo] W32/Sober-G

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Fri, 14 May 2004 18:37:57 -0700


From: Sophos Alert System:

Name: W32/Sober-G
Aliases: I-Worm.Sober.g, W32/Sober.g@MM
Type: Win32 worm
Date: 14 May 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the July 2004 (3.83) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any of the
Sophos small business solutions will be automatically protected
at their next scheduled update.


Sophos has received several reports of this worm from the wild.


Information about W32/Sober-G can be found at:
http://www.sophos.com/virusinfo/analyses/w32soberg.html
Description 
W32/Sober-G is a mass mailing worm that sends itself to email addresses
harvested from the infected computer. When started it copies itself to the
Windows system folder and sets the following registry entry so as to
auto-start on user logon: 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
logcrypt = <path_to_exe>\<exename>.exe %1 

When first run the worm creates a TXT file called in the Temp folder and
displays its contents using NOTEPAD.EXE. The text file begins with the text:


File not found
Special -UnZip Data- Module is missing
Open with Notepad?
Converted_
notepad 

The worm copies itself to the Windows system folder as an EXE file with a
name that is constructed from the following: 

sys, host, dir, expolrer, win, run, log, 32, disc, crypt, data, diag, spool,
service, smss32 

W32/Sober-G also creates the following files used to store harvested
information in the Windows system folder:
bcegfds.lll
cvqaikxt.apk
datsobex.wwr
wincheck32.dats
winexpoder.dats
winzweier.dats
xdatxzap.zxp
zhcarxxi.vvx 
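
The host-side indicators above (the RunOnce value named logcrypt pointing at an
EXE whose name is assembled from the listed fragments, plus the fixed data file
names in the system folder) are the kind of thing an administrator checks when
triaging a suspect machine. The following is an added example, written for this
post and not part of the Sophos alert or of Mike's message: it parses a minimal
.reg export of the RunOnce key, tests whether the referenced EXE name can be
segmented entirely into the fragments the alert lists, and matches a directory
listing of the system folder against the data file names. The registry export,
the directory listing and the file name winsysdata32.exe are constructed sample
input, not captured from an infected machine.

```python
import re
from functools import lru_cache

# Indicators copied from the Sophos description of W32/Sober-G above.
RUNONCE_VALUE = "logcrypt"
NAME_FRAGMENTS = ("sys", "host", "dir", "expolrer", "win", "run", "log", "32",
                  "disc", "crypt", "data", "diag", "spool", "service", "smss32")
DATA_FILES = frozenset({
    "bcegfds.lll", "cvqaikxt.apk", "datsobex.wwr", "wincheck32.dats",
    "winexpoder.dats", "winzweier.dats", "xdatxzap.zxp", "zhcarxxi.vvx",
})
RUNONCE_SUFFIX = "\\microsoft\\windows\\currentversion\\runonce"

# <path>\<exename>.exe %1, as given in the alert (case-insensitive match)
RUNONCE_DATA_RE = re.compile(r"^(?P<path>.*\\)?(?P<exe>[^\\]+)\.exe\s+%1$", re.IGNORECASE)
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def is_built_from_fragments(basename: str) -> bool:
    """True if basename (without .exe) can be split entirely into NAME_FRAGMENTS.

    Classic word-break: try every fragment at the current offset and recurse;
    memoisation keeps it linear in practice for these short names."""
    name = basename.lower()

    @lru_cache(maxsize=None)
    def ok(i: int) -> bool:
        if i == len(name):
            return True
        return any(name.startswith(f, i) and ok(i + len(f)) for f in NAME_FRAGMENTS)

    return bool(name) and ok(0)


def parse_reg_export(text: str) -> dict:
    """Parse a minimal .reg export into {key_path: {value_name: string_data}}.

    Only REG_SZ values ("name"="data") are handled, which is the type of the
    RunOnce entry described in the alert."""
    keys: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = REG_VALUE_RE.match(line)
            if m:
                # .reg files escape backslashes and double quotes inside strings
                data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
                keys[current][m.group("name")] = data
    return keys


def check_runonce(reg: dict) -> list:
    """Return (key, value_name, data, name_matches_fragments) for suspect entries."""
    hits = []
    for key, values in reg.items():
        if not key.lower().endswith(RUNONCE_SUFFIX):
            continue
        for name, data in values.items():
            m = RUNONCE_DATA_RE.match(data)
            if name.lower() == RUNONCE_VALUE and m:
                hits.append((key, name, data, is_built_from_fragments(m.group("exe"))))
    return hits


def check_system_folder(listing) -> list:
    """Return the data file names from the alert that appear in the listing."""
    return sorted(f for f in listing if f.lower() in DATA_FILES)


def scan(reg_text: str, listing) -> dict:
    runonce = check_runonce(parse_reg_export(reg_text))
    data_files = check_system_folder(listing)
    return {"runonce": runonce, "data_files": data_files,
            "suspect": bool(runonce) or bool(data_files)}


# Constructed sample input (hypothetical; not from a real infection).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"logcrypt"="C:\\WINDOWS\\system32\\winsysdata32.exe %1"
"Updater"="C:\\Program Files\\Vendor\\update.exe"
'''
SAMPLE_SYSTEM32 = ["kernel32.dll", "winsysdata32.exe", "bcegfds.lll",
                   "winzweier.dats", "notepad.exe"]

if __name__ == "__main__":
    print(scan(SAMPLE_REG, SAMPLE_SYSTEM32))
```

On a live machine the .reg text would come from `reg export` of the RunOnce key
and the listing from the system folder; the fragment check is deliberately a
secondary signal, since a RunOnce value named logcrypt with a `%1` argument is
already the stronger indicator from the alert.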

W32/Sober-G harvests email addresses from files with the following
extensions: 

PMR, STM, SLK, INBOX, IMB, CSV, BAK, IMH, XHTML, IMM, IMH, CMS, NWS, VCF,
CTL, DHTM, CGI, PP, PPT, MSG, JSP, OFT, VBS, UIN, LDB, ABC, PST, CFG, MDW,
MBX, MDX, MDA, ADP, NAB, FDB, VAP, DSP, ADE, SLN, DSW, MDE, FRM, BAS, ADR,
CLS, INI, LDIF, LOG, MDB, XML, WSH, TBB, ABX, ABD, ADB, PL, RTF, MMF, DOC,
ODS, NCH, XLS, NSF, TXT, WAB, EML, HLP, MHT, NFO, PHP, ASP, SHTML, DBX 

Emails sent by the worm have the following characteristics: 

Subject lines: 

hi there
hey dude!
wazzup!!!
yeah dude :P
Details
Oh God i'ts
damn!
#
Registration confirmation
Confirmation
Your Password
Your mail account
Delivery failure notice
Faulty mail delivery
Mail delivery failed
Mailing Error
Illegal signs in E-Mail
Invalid mail length
Mail Delivery failure
mail delivery status
Warning!
error in dbase
DBase Error
ups, i've got your mail
Sorry, that's your mail
why do you do that? 

Message texts: 

I was surprised, too! :-( Who could suspect something like that? 

All OK :) see, what i've found! 

hi its me i've found a shity virus on my pc. check your pc, too! follow the
steps in this article. bye 

I 've told you!:-) sometime I grab your passwords! 

I hope you accept the result! Follow the instructions to read the message.
Please read the document 

Registration confirmation
Confirmation
Your Password
Your mail account
Your password was changed successfully.
Protected message is attached.
++++ Service: http://www.
++++ Mail To: User-info 

*** Auto Mail Delivery System ***
67.28.114.32_failed_after_I_sent_the_message./Remote_host_said
:_554_delivery_error:_dd_Sorry_your_message_cannot_be_delivered.
_This_account_has_been_disabled_
or_discontinued_[#102]._-_mta134.mail.dcn.com
** End of Transmission The original message is a separate attachment.
--- Web: http://www.
--- Mail To: UserHelp 

Read the attachment for details.
Bad Gateway: The message has been attached.
+++ A service of +++ http://www. Mail 

The attached file has a randomly generated name and a ZIP extension. 
 
 
Recovery 
Please follow the instructions for removing worms. 

Download the IDE file from:
http://www.sophos.com/downloads/ide/sober-g.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html


*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 


