FRISK Software International


Summary of W32/Sober.A@mm
Length: 66.186
Discovered: 24 Oct 2003
Definition files: 24 Oct 2003
Risk Level: Low
Distribution: Low
Infection Method: Mass mailing

Brief Description
W32/Sober.A@mm is a UPX-packed mass-mailing worm, 66.186 bytes in size. The worm has its own SMTP engine and uses it to spread.

The worm copies itself to the Windows system directory, then adds the following registry entries so that it is run automatically each time the computer is restarted:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"syspath"=%System%\drv.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"syspath"=%System%\drv.exe
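As an added defender-side illustration (not part of the FRISK advisory), the script below scans a regedit export for the two Run-key entries listed above. The sample export text is constructed for the example; the only indicators it uses are the advisory's own "syspath" value name and drv.exe file name.

```python
import re

# Indicators from the advisory: a Run-key value named "syspath" whose data
# points at drv.exe in the Windows system directory.
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
}
# Constructed sample of a "regedit /e" export, not from a real machine; the two
# Run entries mirror the ones listed in the advisory, the third is a decoy.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"syspath"="C:\\WINDOWS\\SYSTEM32\\drv.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"syspath"="C:\\WINDOWS\\SYSTEM32\\drv.exe"

[HKEY_CURRENT_USER\Software\ExampleTool]
"helper"="C:\\Tools\\drv.exe"
'''

def parse_reg_export(text):
    """Parse the .reg subset used here: [key] headers and "name"=data lines."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current = key_match.group(1).rstrip("\\")  # tolerate a trailing "\"
            keys.setdefault(current, {})
            continue
        val_match = re.match(r'^"([^"]+)"=(.*)$', line)
        if val_match and current is not None:
            name, data = val_match.groups()
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")  # undo .reg escaping
            keys[current][name] = data
    return keys

def find_sober_persistence(text):
    """Return (key, value name, data) for Run entries matching the indicators."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.upper() not in RUN_KEYS:  # only the two autostart keys matter
            continue
        for name, data in values.items():
            if name.lower() == "syspath" or data.lower().endswith("drv.exe"):
                hits.append((key, name, data))
    return hits
```

The decoy entry under ExampleTool is parsed but not reported, because only data under the two Run keys is treated as autostart persistence.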


Removal Instructions


If you run the OnDemand Scanner regularly it can be used to disinfect, but some viruses, such as Sober.A, cannot be disinfected from within Windows. This is because the virus infects files that Windows uses while running, so F-Prot Antivirus cannot access those files to disinfect them. It is therefore necessary to disinfect using the DOS scanner (for Windows 95/98/ME) or the Command-line scanner (for Windows NT/2000/XP).

Please note that both the DOS scanner and the Command-line scanner are included in F-Prot Antivirus for Windows.

DOS Scanner:


For Windows 95/98/ME:

To boot into DOS press START \ SHUT DOWN \ RESTART IN MS-DOS MODE.

Windows ME users need to use a Windows startup disk.

In DOS mode at the command prompt type:

cd \        [ENTER]
cd progra~1        [ENTER]
cd fsi        [ENTER]
cd f-prot        [ENTER]
f-prot.exe        [ENTER]

We are assuming here that F-Prot Antivirus was installed in the default location. Set the scanner to "Automatic disinfection".



Command-line Scanner:


For Windows 2000/XP:

Click on START \ SHUT DOWN \ RESTART. As the computer is booting up press the F8 key and from the menu select:

"Safe mode with Command prompt"

At the command prompt type:

cd \       [ENTER]

cd "program files"       [ENTER]

cd fsi        [ENTER]

cd f-prot       [ENTER]

fpcmd c: /disinf /auto /list        [ENTER]

NB! Please note that the scanning must be done for each drive individually.

When the scanning is done and the system is clean, then restart the computer.



For Windows NT 4.0:

Restart the computer in SVGA mode (Safe Mode).

1. Click "Start" / "Run" / type "cmd"         [ENTER]

2. Command prompt window appears.

3. Press "Ctrl-Alt-Del" once and click on "Processes".

4. In "Processes" find "Explorer.exe" and select "End process". The Desktop will disappear and only the background/wallpaper and the command prompt window will be visible.

5. In the command prompt window type the following:

cd \       [ENTER]

cd "program files"       [ENTER]

cd fsi        [ENTER]

cd f-prot       [ENTER]

fpcmd c: /disinf /auto /list       [ENTER]

NB! Please note that the scanning must be done for each drive individually.

When the scanning is done and the system is clean, then restart the computer.
