Email-Worm.Win32.Sober.c

Other versions: .a, .e, .f, .g, .j, .n, .p, .q, .s, .v, .y

Aliases
Email-Worm.Win32.Sober.c (Kaspersky Lab) is also known as: I-Worm.Sober.c (Kaspersky Lab), W32/Sober.c@MM (McAfee), W32.Sober.C@mm (Symantec), Win32.HLLM.Generic.265 (Doctor Web), W32/Sober-C (Sophos), Win32/Sober.C@mm (RAV), WORM_SOBER.C (Trend Micro), Worm/Sober.C1 (H+BEDV), W32/Sober.C@mm (FRISK), Win32:Sober-C (ALWIL), I-Worm/Sober.C (Grisoft), Win32.Sober.C@mm (SOFTWIN), Worm.Sober.C1 (ClamAV), W32/Sober.C.worm (Panda), Win32/Sober.C (Eset)
Description added Dec 20 2003
Behavior Email Worm
Technical details
Sober.c is a worm that spreads via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 73KB in size (the worm can change the file size during installation). The file is compressed with UPX; the decompressed size is about 260KB.

The infected messages have various subjects, body texts and attached file names. The attached file extension is randomly selected from the following variants: "bat", "cmd", "pif", "scr", "exe" and "com".

For example:

Subject:

why me?

Body:

You say in the www. that i'm a terrorist!!!
No way out for you. I REPORT YOU !
You've said THAT about me

Attachment:

terror-list.com

The worm activates from an infected email only if the user clicks on the attachment.

Installation

During installation the worm copies itself three times to the Windows system directory with random names and registers these files in the system registry auto-run keys:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "<random name>" = "%System%\<worm exe name>"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "<random name>" = "%System%\<worm exe name>"
for example: "jv32dirxpcon = xqdrv.exe"

The worm then displays a fake error message:

Microsoft
%application name% has caused an unknown error.

Propagation

The worm looks for files on disk with the following extensions:

htt
rtf
doc
xls
ini
mdb
txt
htm
html
wab
pst
fdb
cfg
ldb
eml
abc
ldif
nab
adp
mdw
mda
mde
ade
sln
dsw
dsp
vap
php
asp
shtml
shtm

It scans these files for email-like text strings and then sends infected messages to the email addresses it finds, using an SMTP engine.

The subject in infected emails is randomly selected from the following variants:

Sorry, that's your mail
hi, its me
Thank You very very much
you are an idiot
why me?
I hate you
Preliminary investigation were started
Your IP was logged
You use illegal File Sharing ...
A Trojan horse is on your PC
a trojan is on your computer!
Anime, Pokemon, Manga, ...
Registration confirmation
registration confirmation
The body text is selected from the following variants:
i'm very very sorry, anybody have sent your mail to my address.

sorry for my bad english, I am a Swede!

excuse for my bad english, but I'm a Dutchman

I've got your mail, but its came on my mail address??? i've read this mail
,,, sorry about that excuse for my bad english, but I'm a Dutchman
I don't know how to start this! I'm dull,, can you test!?
Here, the DigiCam photos. A few are overexposed.
That you've killed this bastard. Your reward:
That you have paid for me! And that's your

Caution: To all gamers A new worm spread via online gaming! You must change your internet
configuration!! see: www.onlinegamerspro-worm.com set_config.

Attention: To all gamers
More than 75.000 freeware games!!! Genre: -> 8500 online games = 3D
Shooter, RPG, Action, Adventure, ... non online games: -> Action = 4200
games -> 3D Shooter's = 7500 games -> RPG's = 6800 games -> Adventure's =
5400 games -> ROM's for NES, SNES, PS1&2, GC ,GB, MD, SMS, .. = 29.000
ROM's - others = 16900 games all free!! Download and enjoy downloader.exe
www.freegames4you-gzone.com
I-Worm.Sober

You say in the www. that i'm a terrorist!!! No way out for you. I REPORT YOU ! You've said THAT about me

Thanks for your registration. ( We say Sorry again, the first mail was delivered to an unknown
mail address. This was a bug in our mailing system! ) The amount of 239.- USD was deducted by
your xxx Welcome, you can now visit more than 1200 very very hot web pages! Your registration,
pages and passwords are xxx in the attachment.

I said, I love you..,, and you said NOTHING. And now,,, Go Away From Me Here are my
love-letter((s)) mock me mock me again and again . Enjoy it. blablabla GO!

You get the charge in writing, in the next days.
In the next days you will receive the charge in writing.
In the next days, you'll get the charge in writing.
In the next days, you'll get the charge in writing.

Ladies and Gentlemen, Downloading of Movies, MP3s and Software is illegal
and punishable by law. We hereby inform you that your computer was scanned
under the IP xxx. The contents of your computer were confiscated as an
evidence, and you will be indicated. In the next days, you'll get the
charge in writing. In the Reference code: #xxx, are all files, that we
found on your computer. The sender address of this mail was masked,
xxx- You get more detailed information by the Federal Bureau of
Investigation -FBI-- Department for Illegal Internet Downloads, Room 7350 -
935 Pennsylvania Avenue - Washington, DC 20535, USA - (202) 324-3000

In the next days, you'll get the charge in writing.
etc.

The attachment name is also randomly selected.
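
The subject and attachment-extension lists above can be turned into a simple mail-gateway check. The following is an added example, not code from the original description: the function names, the verdict labels and the example.test addresses are assumptions, and the sample messages are constructed with inert placeholder attachments.

```python
import email
from email import policy
from email.message import EmailMessage

# Values copied from the description above.
SOBER_C_EXTENSIONS = {"bat", "cmd", "pif", "scr", "exe", "com"}
SOBER_C_SUBJECTS = {s.lower() for s in (
    "Sorry, that's your mail", "hi, its me", "Thank You very very much",
    "you are an idiot", "why me?", "I hate you",
    "Preliminary investigation were started", "Your IP was logged",
    "You use illegal File Sharing ...", "A Trojan horse is on your PC",
    "a trojan is on your computer!", "Anime, Pokemon, Manga, ...",
    "Registration confirmation",
)}

def attachment_extensions(msg):
    """Yield the lower-cased final extension of every named MIME part."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # Windows drops trailing dots and spaces from file names.
            name = name.strip().rstrip(". ")
            if "." in name:
                # Only the last extension decides how the file is launched.
                yield name.rsplit(".", 1)[1].lower()

def classify(raw_bytes):
    """Return 'block', 'review' or 'pass' for one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = " ".join((msg["Subject"] or "").split()).lower()
    risky = SOBER_C_EXTENSIONS.intersection(attachment_extensions(msg))
    if risky and subject in SOBER_C_SUBJECTS:
        return "block"    # listed subject plus listed attachment type
    if risky:
        return "review"   # subjects vary, so the extension alone is held
    return "pass"

def build_sample(subject, filename=None):
    """Constructed test message (hypothetical addresses, inert payload)."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Because the subject is picked at random and the attachment name is also random, the extension match is the more durable signal; the subject list only raises confidence.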

 
