W32/Sober.g@MM

Type
Virus
SubType
E-mail
Discovery Date
05/12/2004
Length
approx 49kB (UPXed)
Minimum DAT
4349 (04/07/2004)
Updated DAT
4633 (11/21/2005)
Minimum Engine
5.1.00
Description Added
05/13/2004
Description Modified
05/14/2004 5:35 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

Proactive Detection
This variant is proactively detected as W32/Sober.gen@MM since the 4349 DATs, with the 4.3.20 engine (with scanning of compressed files enabled - default setting).
In common with its predecessors, this variant bears the following characteristics:

  • It is written in Microsoft Visual Basic (MSVB).
  • It propagates via email, harvesting target email addresses from the victim machine and constructing messages using its own SMTP engine.
  • Messages may be constructed in either German or English (selected according to the target email address).
  • Certain target email addresses are specifically excluded.

Symptoms

Existence of the following files on the victim machine:

  • %SysDir%\bcegfds.lll (0 bytes)
  • %SysDir%\cvqaikxt.apk (0 bytes)
  • %SysDir%\datsobex.wwr (0 bytes)
  • %SysDir%\wincheck32.dats (size varies) - harvested email addresses
  • %SysDir%\winexpoder.dats (size varies) - list of recipient names (including the @) of harvested email addresses. So for name@domain.com, this file contains name@.
  • %SysDir%\winzweier.dats (size varies) - harvested email addresses
  • %SysDir%\xdatxzap.zxp (0 bytes)
  • %SysDir%\zhcarxxi.vvx (0 bytes)

The worm is intended to copy itself to the %SysDir% folder (e.g. C:\WINNT\SYSTEM32) using a filename that is constructed from the following string pool:

  • sys
  • host
  • dir
  • explorer
  • win
  • run
  • log
  • 32
  • disc
  • crypt
  • data
  • diag
  • spool
  • service
  • smss32

Method of Infection

This worm is intended to spread by sending itself to email addresses found on the local system. Users must choose to run the attached files in order to become infected.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Sober.g (AVP)
  • W32/Sober.G.worm (Panda)
  • WORM_SOBER.G (Trend)
