[virusinfo] W32/Sober-M

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Tue, 19 Apr 2005 08:45:33 -0700

From: Sophos Alert System:

Name: W32/Sober-M
Type: Win32 worm
Date: 19 April 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2005 (3.94) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Information about W32/Sober-M can be found at:
http://www.sophos.com/virusinfo/analyses/w32soberm.html

W32/Sober-M is a mass-mailing worm.

When first run, W32/Sober-M opens Notepad and displays a body of text that
starts:

    UnPack failed

W32/Sober-M copies itself to the following location:

    %WINDOWS%\Config\system\services.exe

and creates the following registry entries to ensure it is run at system logon:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    _SystemCheck
    %WINDOWS%\Config\system\services.exe

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SystemCheck
    %WINDOWS%\Config\system\services.exe

W32/Sober-M creates a base64-encoded, ZIP-archived copy of itself in the
following location:

    %WINDOWS%\Config\system\zipped.wrm

as well as the harmless data file maddys.xyz, which can be deleted.

W32/Sober-M also creates the following data files:

    %SYSTEM%\adcmmmmq.hjg
    %SYSTEM%\langeinf.lin
    %SYSTEM%\nonrunso.ber
    %SYSTEM%\xcvfpokd.tqa

The email sent by W32/Sober-M depends on the recipient address. Recipients
whose email address is in the .de, .ch, .at or .li domains, or contains the
string "gmx.", will receive an email as follows:

Subject line: FwD: Ich bin's nochmal

Message text:
    Verdammt,,,,
    ich hatte vergessen Dir meinen Text mitzuschicken.
    Aber bitte nicht woanders darueber Reden, ich wuerde mich dann zu Tode
    blamieren!
    Ich melde mich.
    Bis bald ;)

Attached file: Private-Texte.zip

Email sent to other addresses will have the following characteristics:

Subject line: I've_got your EMail on my_account!

Message text:
    Hello,
    First, Very Sorry for my bad English.
    Someone is sending your private e-mails on my address.
    It's probably an e-mail provider error!
    At time, I've got over 10 mails on my account, but the recipient are you.
    I have copied all the mail text in the windows text-editor for you & zipped
    then.
    Make sure, that this mails don't come in my mail-box again.
    bye

Attached file: your_text.zip

W32/Sober-M harvests email addresses from files with the following strings in
their filenames:

    pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi
    pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp
    ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf
    mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

W32/Sober-M avoids sending email to addresses that contain any of the following
strings:

    @www @from. smtp- @smtp. ftp. .dial. .ppp. anyone @gmetref sql. someone nothing
    you@ user@ reciver@ somebody secure whatever@ whoever@ anywhere yourname
    mustermann@ mailer-daemon variabel noreply -dav law2 .qmail@ freeav @ca. abuse
    winrar domain. host. viren bitdefender spybot detection ewido. emsisoft linux
    @foo. winzip @example. bellcore. @arin @iana @avp icrosoft. @sophos @panda
    @kaspers free-av antivir virus verizon. @ikarus. @nai. @messagelab nlpmail01.
    clock

Download the IDE file from:
http://www.sophos.com/downloads/ide/sober-m.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
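As an added example (not part of the Sophos alert or Mike's post), the host and mail artefacts listed in the alert turned into a small indicator check a responder could run over a Run-key export, a file listing and mail headers; the registry value names, paths, subject lines and attachment names are the ones from the alert, and the sample records in the script are constructed.

```python
# Indicator check for W32/Sober-M built from the artefacts in the Sophos alert.
# Paths are matched by suffix so the check works whether %WINDOWS%/%SYSTEM% were
# expanded to C:\WINDOWS etc. or left as placeholders. Sample data is constructed.

RUN_VALUE_NAMES = {"_SystemCheck", "SystemCheck"}       # HKCU and HKLM Run values
RUN_DATA_TAIL = r"\config\system\services.exe"          # %WINDOWS%\Config\system\services.exe
FILE_TAILS = (                                          # dropped files from the alert
    r"\config\system\services.exe", r"\config\system\zipped.wrm",
    r"\adcmmmmq.hjg", r"\langeinf.lin", r"\nonrunso.ber", r"\xcvfpokd.tqa",
)
SUBJECTS = {"FwD: Ich bin's nochmal", "I've_got your EMail on my_account!"}
ATTACHMENTS = {"private-texte.zip", "your_text.zip"}


def check_run_values(run_values):
    """run_values: (key, value_name, value_data) triples from a Run-key export.
    Flags the worm's value names and any Run value pointing at its dropped EXE."""
    return [
        (key, name, data) for key, name, data in run_values
        if key.lower().endswith(r"\currentversion\run")
        and (name in RUN_VALUE_NAMES
             or data.lower().strip('"').endswith(RUN_DATA_TAIL))
    ]


def check_files(paths):
    """paths: file paths from a directory listing; returns those matching a dropped file."""
    return [p for p in paths if any(p.lower().endswith(t) for t in FILE_TAILS)]


def is_sober_m_mail(subject, attachment_name):
    """True when a message carries one of the worm's subject lines or attachment names."""
    return subject.strip() in SUBJECTS or attachment_name.lower() in ATTACHMENTS


if __name__ == "__main__":
    # Constructed sample: one infected-looking host export and one mail header pair.
    run_export = [
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "_SystemCheck",
         r"C:\WINDOWS\Config\system\services.exe"),
        (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
         r"C:\WINDOWS\system32\ctfmon.exe"),
    ]
    listing = [r"C:\WINDOWS\Config\system\zipped.wrm", r"C:\WINDOWS\system32\langeinf.lin",
               r"C:\WINDOWS\system32\kernel32.dll"]
    print(check_run_values(run_export))
    print(check_files(listing))
    print(is_sober_m_mail("I've_got your EMail on my_account!", "your_text.zip"))
```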
