[virusinfo] W32/Sober-L

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Mon, 07 Mar 2005 14:46:46 -0800

From: Sophos Alert System:

Name: W32/Sober-L
Type: Win32 worm
Date: 7 March 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the April 2005 (3.92) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

Sophos has received several reports of this worm from the wild.


Information about W32/Sober-L can be found at:
http://www.sophos.com/virusinfo/analyses/w32soberl.html

W32/Sober-L is a mass-mailing worm which sends itself to addresses harvested
from the infected computer.

When first run, W32/Sober-L will open Notepad and display a body of text that
starts:

    Mail-Text:
    Unzip failed

W32/Sober-L will copy itself to a subfolder of the Windows folder named
\MSAGENT\SYSTEM with the filename SMSS.EXE. In order to run automatically each
time a user logs on, W32/Sober-L will continually set the following registry
entries:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    " Services.dll"
    <Windows folder>\msagent\system\smss.exe

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    _Services.dll
    <Windows folder>\msagent\system\smss.exe

W32/Sober-L also creates the following data files:

    \msagent\win32\emdata.mmx
    \msagent\win32\zipzip.zab
    \read.me
    \nonrunso.ber
    \stopruns.zhz
    \xcvfpokd.tqa

The READ.ME file contains the following text:

    test test test
    In diesem Sinne:
    Odin alias Anon

W32/Sober-L will attempt to terminate processes with names containing the
following strings:

    gcas, gcip, giantanti, stinger, hijackthis

W32/Sober-L harvests email addresses from files with the following strings in
their filenames:

    pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi
    pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp
    ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf
    mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

W32/Sober-L avoids sending email to addresses that contain any of the following
strings:

    ntp- ntp@ ntp. test@ office @www @from. support smtp- @smtp. gold-certs ftp.
    .dial. .ppp. anyone subscribe announce @gmetref sql. someone nothing you@ user@
    reciver@ somebody secure whatever@ whoever@ anywhere yourname mustermann@
    .kundenserver. mailer-daemon variabel password noreply -dav law2 .sul.t-
    .qmail@ t-ipconnect t-dialin ipt.aol time postmas service freeav @ca. abuse
    winrar domain. host. viren bitdefender spybot detection ewido. emsisoft linux
    google @foo. winzip @example. bellcore. @arin mozilla @iana @avp icrosoft.
    @sophos @panda @kaspers free-av antivir virus verizon. @ikarus. @nai.
    @messagelab nlpmail01. clock

The email sent by W32/Sober-L depends on the recipient address. Emails sent to
recipients whose email address is in the .de, .ch, .at, .li domains or contains
the string "gmx." will receive an email as follows:

Subject line:

    Ich habe Ihre E-Mail bekommen!

Message text:

    Hallo,
    jemand schickt ihre privaten Mails auf meinem Account.
    Ich schaetze mal, das es ein Fehler vom Provider ist.
    Insgesamt waren es jetzt schon 6 Mails!
    Ich habe alle Mail-Texte im Texteditor kopiert und gezippt.
    Wenn es doch kein Fehler vom Provider ist, sorge dafuer das diese Dinger nicht
    mehr auf meinem Account landen, es Nervt naemlich.
    Gruss

Attached file:

    MailTexte.zip

Email sent to other addresses will have the following characteristics:

Subject line:

    Your Password & Account number

Message text:

    hi,
    i've got an admin mail with a Password and Account info!
    but the mail recipient are you! it's probably an esmtp error, i think.
    i've copied the full mail text in the Windows text-editor & zipped.
    ok, cya...

Attached file:

    acc_text.zip

The ZIP file will contain an executable file named mail_text-data.txt.pif

The From address line will be faked.

This IDE file also includes detection for:

W32/Sober-Gen
http://www.sophos.com/virusinfo/analyses/w32sobergen.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/sober-l.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
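The alert above gives a defender enough to write a host- and gateway-side indicator check: the two Run-key values with their odd names (a leading space and an underscore), the SMSS.EXE copy under \msagent\system (the real Session Manager lives in system32 and must not be flagged), the dropped data files, and the subject/attachment pairs of the worm's mails. The script below is an added example, not Sophos code and not part of Mike's post; the REGEDIT export and the directory listing it scans are constructed sample data, and the `scan`/`is_sober_l_mail` names are mine.

```python
"""Indicator check for the W32/Sober-L behaviour quoted in the Sophos alert.
Added example, not Sophos code; SAMPLE_REG and SAMPLE_FILES are constructed
sample data, not captures from a real infection."""
import re
from typing import Dict, List

RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Value names exactly as the alert gives them: leading space, then underscore.
RUN_VALUE_NAMES = (" Services.dll", "_Services.dll")
# Worm copy and dropped files, as paths relative to the Windows folder.
PAYLOAD_SUFFIX = r"\msagent\system\smss.exe"
INDICATOR_PATHS = (
    PAYLOAD_SUFFIX,
    r"\msagent\win32\emdata.mmx", r"\msagent\win32\zipzip.zab",
    r"\read.me", r"\nonrunso.ber", r"\stopruns.zhz", r"\xcvfpokd.tqa",
)
# Subject line -> attachment name of the two mail variants in the alert.
MAIL_INDICATORS = {
    "Ich habe Ihre E-Mail bekommen!": "MailTexte.zip",
    "Your Password & Account number": "acc_text.zip",
}

# Constructed sample: a REGEDIT export of both Run keys on an infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
" Services.dll"="C:\\WINDOWS\\msagent\\system\\smss.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"_Services.dll"="C:\\WINDOWS\\msagent\\system\\smss.exe"
'''
# Constructed sample: a directory listing. system32\smss.exe is the legitimate
# Session Manager and must not be reported.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\smss.exe",
    r"C:\WINDOWS\msagent\system\smss.exe",
    r"C:\WINDOWS\msagent\win32\emdata.mmx",
    r"C:\WINDOWS\read.me",
    r"C:\WINDOWS\notepad.exe",
]


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the REGEDIT export format: [Key] headers followed by
    "name"="data" lines. Backslashes are doubled inside the quotes in that
    format, so they are un-escaped here. Returns {key: {value_name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    pair = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = pair.match(line)
        if m and current is not None:
            name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            keys[current][name] = data
    return keys


def check_run_keys(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag Run values that use the worm's value names or point at its copy."""
    findings = []
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if name in RUN_VALUE_NAMES or data.lower().endswith(PAYLOAD_SUFFIX.lower()):
                findings.append(f"{key} value {name!r} -> {data}")
    return findings


def check_files(windows_dir: str, listing: List[str]) -> List[str]:
    """Return listed paths that match an indicator path under the Windows folder."""
    wanted = {p.lower() for p in INDICATOR_PATHS}
    prefix = windows_dir.rstrip("\\").lower()
    return [p for p in listing
            if p.lower().startswith(prefix) and p.lower()[len(prefix):] in wanted]


def is_sober_l_mail(subject: str, attachment: str) -> bool:
    """Gateway-side check on the subject/attachment pairs quoted in the alert."""
    return MAIL_INDICATORS.get(subject.strip()) == attachment.strip()


def scan(reg_text: str, windows_dir: str, listing: List[str]) -> Dict[str, List[str]]:
    return {"registry": check_run_keys(parse_reg_export(reg_text)),
            "files": check_files(windows_dir, listing)}


def scan_sample() -> Dict[str, List[str]]:
    return scan(SAMPLE_REG, r"C:\WINDOWS", SAMPLE_FILES)


if __name__ == "__main__":
    for kind, hits in scan_sample().items():
        print(kind, *hits, sep="\n  ")
```

Against the constructed sample the scan reports both Run values and three paths (the worm copy, emdata.mmx and read.me) while leaving the system32 Session Manager alone; on a real host you would feed it the output of `reg export` and a recursive listing of the Windows folder.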


