Email-Worm.Win32.Sober.e
Other versions: .a, .c, .f, .g, .j, .n, .p, .q, .s, .v, .y
Email-Worm.Win32.Sober.e (Kaspersky Lab)
is also known as:
I-Worm.Sober.e (Kaspersky Lab),
W32/Sober.e@MM (McAfee), W32.Sober.E@mm (Symantec), Win32.HLLM.Generic.283 (Doctor Web), W32/Sober-E (Sophos), Win32/Sober.E@mm (RAV), WORM_SOBER.E (Trend Micro), Worm/Sober.E (H+BEDV), W32/Sober.E@mm (FRISK), Win32:Sober-E (ALWIL), I-Worm/Sober.E (Grisoft), Win32.Sober.E@mm (SOFTWIN), Worm.Sober.E (ClamAV), W32/Sober.E.worm (Panda), Win32/Sober.E (Eset)
This worm spreads via the Internet as an attachment to infected messages.
Characteristics of infected messages
Message header:
Chosen at random from the list below:
Hey!
hey?
Hi
hi
Hi :-)
Ok ;-)
OK OK
OK Ok OK!
Message body:
The message body consists of a few words, chosen at random from the list below:
;-)
HA :-)
ha!
lol
LoL
LOL
thx
THX
Thx!
yo!
Attachment:
A file named graphic_textdocument.pif.
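The message traits above can be turned into a mail-filter check. The following Python sketch is an added example, not part of the original description: it assumes the "message header" list refers to the Subject line, and the function names, sample messages and the triage rule in `is_suspect` are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Traits listed in the description above (matched case-sensitively, as listed).
SUBJECTS = {"Hey!", "hey?", "Hi", "hi", "Hi :-)", "Ok ;-)", "OK OK", "OK Ok OK!"}
BODY_WORDS = {";-)", "HA :-)", "ha!", "lol", "LoL", "LOL", "thx", "THX", "Thx!", "yo!"}
ATTACHMENT = "graphic_textdocument.pif"

def body_is_listed_words(text: str) -> bool:
    """True if the body is non-empty and made up only of the listed words."""
    rest = text.strip()
    if not rest:
        return False
    for phrase in sorted(BODY_WORDS, key=len, reverse=True):
        rest = rest.replace(phrase, " ")
    return not rest.strip()

def sober_e_indicators(raw: bytes) -> list:
    """Return which of the three traits a raw RFC 5322 message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body_is_listed_words(body.get_content()):
        hits.append("body")
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if ATTACHMENT in names:
        hits.append("attachment")
    return hits

def is_suspect(hits) -> bool:
    # Assumed triage rule: a short subject or body alone is too common to act on.
    return "attachment" in hits or {"subject", "body"} <= set(hits)

def sample_message(subject, body, attach_name=None) -> bytes:
    """Build a constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if attach_name:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_bytes()

if __name__ == "__main__":
    for raw in (sample_message("Hi :-)", "lol THX yo!", ATTACHMENT),
                sample_message("Hi", "Are we still meeting at noon?")):
        hits = sober_e_indicators(raw)
        print(hits, "suspect" if is_suspect(hits) else "ignore")
```

The second sample shows why the subject list alone is a poor signal: an ordinary "Hi" message matches it but is not flagged.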
Installation
When launched, the worm opens a Microsoft Paint window.
The worm copies itself to the Windows system directory under a randomly created
name (e.g. smss32dir.exe or diagspool.exe) and adds an autorun key for this
file to the registry.
Propagation
The worm searches files with the extensions .rtf, .doc, .xls, .txt, .wab, .eml,
.php, .asp, .shtml, .dbx, etc., and sends infected messages to all email addresses
harvested from these files.