From: Sophos Alert System

Name: W32/Sober-G
Aliases: I-Worm.Sober.g, W32/Sober.g@MM
Type: Win32 worm
Date: 14 May 2004

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the July 2004 (3.83) release of Sophos Anti-Virus. Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update.

Sophos has received several reports of this worm from the wild.

Information about W32/Sober-G can be found at:
http://www.sophos.com/virusinfo/analyses/w32soberg.html

Description

W32/Sober-G is a mass-mailing worm that sends itself to email addresses harvested from the infected computer.

When started it copies itself to the Windows system folder and sets the following registry entry so that it is started automatically at user logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
logcrypt = <path_to_exe>\<exename>.exe %1

When first run the worm creates a TXT file called in the Temp folder and displays its contents using NOTEPAD.EXE. The text file begins with the text:

File not found
Special -UnZip Data- Module is missing
Open with Notepad?
The worm copies itself to the Windows system folder as an EXE file with a name that is constructed from the following fragments:

sys, host, dir, expolrer, win, run, log, 32, disc, crypt, data, diag, spool, service, smss32

W32/Sober-G also creates the following files, used to store harvested information, in the Windows system folder:

bcegfds.lll
cvqaikxt.apk
datsobex.wwr
wincheck32.dats
winexpoder.dats
winzweier.dats
xdatxzap.zxp
zhcarxxi.vvx

W32/Sober-G harvests email addresses from files with the following extensions:

PMR, STM, SLK, INBOX, IMB, CSV, BAK, IMH, XHTML, IMM, IMH, CMS, NWS, VCF, CTL, DHTM, CGI, PP, PPT, MSG, JSP, OFT, VBS, UIN, LDB, ABC, PST, CFG, MDW, MBX, MDX, MDA, ADP, NAB, FDB, VAP, DSP, ADE, SLN, DSW, MDE, FRM, BAS, ADR, CLS, INI, LDIF, LOG, MDB, XML, WSH, TBB, ABX, ABD, ADB, PL, RTF, MMF, DOC, ODS, NCH, XLS, NSF, TXT, WAB, EML, HLP, MHT, NFO, PHP, ASP, SHTML, DBX

Emails sent by the worm have the following characteristics:

Subject lines:

hi there
hey dude!
wazzup!!!
yeah dude :P
Details
Oh God i'ts damn!
#
Registration confirmation
Confirmation
Your Password
Your mail account
Delivery failure notice
Faulty mail delivery
Mail delivery failed
Mailing Error
Illegal signs in E-Mail
Invalid mail length
Mail Delivery failure
mail delivery status
Warning! error in dbase
DBase Error
ups, i've got your mail
Sorry, that's your mail
why do you do that?

Message texts:

I was surprised, too! :-( Who could suspect something like that? All OK :)

see, what i've found!

hi its me i've found a shity virus on my pc. check your pc, too! follow the steps in this article. bye

I 've told you!:-) sometime I grab your passwords! I hope you accept the result!

Follow the instructions to read the message.

Please read the document

Registration confirmation
Confirmation
Your Password
Your mail account

Your password was changed successfully. Protected message is attached.

++++ Service: http://www.
++++ Mail To: User-info

*** Auto Mail Delivery System ***
67.28.114.32_failed_after_I_sent_the_message./Remote_host_said :_554_delivery_error:_dd_Sorry_your_message_cannot_be_delivered. _This_account_has_been_disabled_ or_discontinued_[#102]._-_mta134.mail.dcn.com
** End of Transmission
The original message is a separate attachment.

--- Web: http://www.
--- Mail To: UserHelp

Read the attachment for details.

Bad Gateway: The message has been attached.

+++ A service of +++
http://www. Mail

The attached file has a randomly generated name and a ZIP extension.

Recovery

Please follow the instructions for removing worms.

Download the IDE file from:
http://www.sophos.com/downloads/ide/sober-g.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

Zip file: http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html

*********** MIKE"S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
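The alert above lists host indicators (the RunOnce "logcrypt" value, the dropped data files, the EXE name fragments) and mail indicators (the subject lines, a ZIP attachment with a random name). The following Python is an added example, not code from the Sophos alert or from Mike's list, that turns those indicators into two defender-side checks: one over a registry/value mapping and a system-folder listing, one over a raw email message. The mapping format for registry values, the function names and every sample input (registry data, file listing, the sample mail built with the standard library) are constructed for this example and are not taken from the alert.

```python
"""W32/Sober-G indicator checks (added example; constructed data, not Sophos code).

Host side: RunOnce 'logcrypt' value, dropped data files, EXE names built only
from the advisory's name fragments.  Mail side: listed subject line together
with a ZIP attachment.  All inputs are constructed so the example runs offline.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisory text above.
RUNONCE_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
RUNONCE_VALUE = "logcrypt"
NAME_PARTS = ["sys", "host", "dir", "expolrer", "win", "run", "log", "32",
              "disc", "crypt", "data", "diag", "spool", "service", "smss32"]
DATA_FILES = {"bcegfds.lll", "cvqaikxt.apk", "datsobex.wwr", "wincheck32.dats",
              "winexpoder.dats", "winzweier.dats", "xdatxzap.zxp", "zhcarxxi.vvx"}
SUBJECTS = {s.lower() for s in [
    "hi there", "hey dude!", "wazzup!!!", "yeah dude :P", "Details",
    "Oh God i'ts damn!", "#", "Registration confirmation", "Confirmation",
    "Your Password", "Your mail account", "Delivery failure notice",
    "Faulty mail delivery", "Mail delivery failed", "Mailing Error",
    "Illegal signs in E-Mail", "Invalid mail length", "Mail Delivery failure",
    "mail delivery status", "Warning! error in dbase", "DBase Error",
    "ups, i've got your mail", "Sorry, that's your mail", "why do you do that?",
]}

# An EXE name counts as Sober-style only if it is made entirely of the fragments;
# longest fragments first so the regex reads naturally (matching is exhaustive anyway).
_NAME_RE = re.compile(
    "^(?:" + "|".join(sorted(NAME_PARTS, key=len, reverse=True)) + r")+\.exe$",
    re.IGNORECASE)


def looks_like_sober_name(filename):
    """True for e.g. winlog32.exe (win+log+32); False for winlogon.exe ('on' is no fragment)."""
    return bool(_NAME_RE.match(filename))


def check_registry(values):
    """values: {'KEY\\valuename': data} as collected from a host (constructed here).
    Returns a list of findings; an empty list means the indicator is absent."""
    data = values.get(RUNONCE_KEY + "\\" + RUNONCE_VALUE)
    if data is None:
        return []
    # The advisory gives the exact shape: <path_to_exe>\<exename>.exe %1
    m = re.search(r"([^\\]+\.exe) %1$", data, re.IGNORECASE)
    if m and looks_like_sober_name(m.group(1)):
        return ["RunOnce logcrypt points at a Sober-style EXE: " + data]
    return ["RunOnce logcrypt value present: " + data]


def check_system_dir(listing):
    """Flag dropped data files and fragment-built EXE names in a system-folder listing."""
    hits = [name for name in listing
            if name.lower() in DATA_FILES or looks_like_sober_name(name.lower())]
    return sorted(hits)


def build_sample_message(subject, attachment_name=None):
    """Constructed sample mail for the demo; not a captured Sober-G message."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please read the document")
    if attachment_name:
        # Placeholder bytes only; the ZIP header is not a real archive.
        msg.add_attachment(b"PK\x03\x04 constructed placeholder",
                           maintype="application", subtype="zip",
                           filename=attachment_name)
    return msg.as_bytes()


def classify_message(raw):
    """Parse a raw message; flag only when a listed subject and a ZIP attachment coincide."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    subject_match = subject.lower() in SUBJECTS
    zips = [a.get_filename() for a in msg.iter_attachments()
            if (a.get_filename() or "").lower().endswith(".zip")]
    return {"subject_match": subject_match, "zip_attachments": zips,
            "flag": subject_match and bool(zips)}


if __name__ == "__main__":
    reg = {RUNONCE_KEY + "\\logcrypt": r"C:\WINDOWS\system32\winlog32.exe %1"}
    print(check_registry(reg))
    print(check_system_dir(["winlogon.exe", "winlog32.exe", "bcegfds.lll", "notepad.exe"]))
    print(classify_message(build_sample_message("Delivery failure notice", "report.zip")))
```

Two caveats when using checks like these on real hosts and mail flow. Windows deletes a RunOnce value after it has executed, so on a machine that has already been logged on again the "logcrypt" value may be gone while the dropped data files remain; the file check is the more durable of the two. On the mail side, several of the listed subjects ("Confirmation", "Your Password", "Mail delivery failed") are common in legitimate traffic, which is why the example flags a message only when a listed subject and a ZIP attachment occur together, and reports the two signals separately so a filter can weight them.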