FRISK Software International


Summary of W32/Sober.R@mm
Discovered: 6 Oct 2005
Definition files: 6 Oct 2005
Risk Level: Medium
Distribution:Medium
 
Jump to:
Brief description
Technical description
Removal Instructions

Brief Description
W32/Sober.R is a mass mailing worm. When first run it creates the directory "ConnectionStatus" in the windows directory and copies itself there under the name "services.exe". Then it displays a bogus error message and restarts itself from the newly created copy of itself.


Technical Description
Creates the the directory "ConnectionStatus" in %WINDIR% and copies itself there as "services.exe". It also drops the files "netslot.nst" and "socket.dli" to the same directory.

"netslot.nst" is a base-64 encoded copy of the worm.

Adds the following values:

"WinINet"="%WINDIR%\ConnectionStatus\services.exe"
"_WinINet"="%WINDIR%\ConnectionStatus\services.exe"

To the keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

respectively, so that the worm is executed every time Windows starts.

When first run the worm displays the this error messages:



After which it executes the file "%WINDIR%\ConnectionStatus\services.exe" and terminates.

Harvests e-mails from available hard drives from files with the following extensions:

pmr
phtm
stm
slk
inbox
imb
csv
bak
imh
xhtml
imm
imh
cms
nws
vcf
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx

The worm sends itself as an attachment to e-mail with following characteristics:

E-mails subject is "Your new Password".

The body of the e-mail contains the following text:

Your password was successfully changed!
Please see the attached file for detailed information.

The attachment is a zip-compressed file named "pword_change.zip" the zip-file contains the worm under the filename "PW_Klass.Pic.packed-bitmap.exe".


Removal Instructions
For general removal instructions please click here.

Marteinn Žór Haršarson
 


Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:

Authentium

perComp Verlag
(in German)
 

agoat@klaki.net argentina@f-prot.com argentina@frisk.is argentina@complex.is argentina@f-prot.is argentina@frisk-software.com argentina@f-prot.net argentina@f-prot.co.uk brazil@f-prot.com brazil@frisk.is brazil@complex.is brazil@f-prot.is brazil@frisk-software.com brazil@f-prot.net brazil@f-prot.co.uk malta@f-prot.com malta@frisk.is malta@complex.is malta@f-prot.is malta@frisk-software.com malta@f-prot.net malta@f-prot.co.uk a.bjani@f-prot.com a.bjani@frisk.is a.bjani@complex.is a.bjani@f-prot.is a.bjani@f-prot.co.uk a.bjani@frisk-software.com a.bjani@f-prot.net z.fifl@f-prot.com z.fifl@frisk.is z.fifl@complex.is z.fifl@f-prot.is z.fifl@f-prot.co.uk z.fifl@frisk-software.com z.fifl@f-prot.net strumpuri@complex.is strumpure@complex.is strumpuru@complex.is