W32/Sober.t@MM
- Type: Virus
- SubType:
- Discovery Date: 11/14/2005
- Length: Varies
- Minimum DAT: 4627 (11/14/2005)
- Updated DAT: 4633 (11/21/2005)
- Minimum Engine: 5.1.00
- Description Added: 11/14/2005
- Description Modified: 11/15/2005 10:37 AM (PT)
Characteristics
-- Update November 15, 2005 --
Many Sober droppers have been discovered over the past 36 hours. These are mass-spammed executables. While some are detected with the specified DAT files, others may require newer DAT files. The majority of dropped files are proactively detected as W32/Sober.gen.
--
This virus may arrive in an e-mail message with one of the following subject lines:
- Subject: Registration Confirmation
- Subject: Haben Sie diese EMail verschickt? (German: "Did you send this e-mail?")
Symptoms
When the executable inside the archive is run, the following files are created:
- Path: %Windir%\ConnectionStatus\Microsoft\
- concon.www (Harvested E-mail addresses)
- services.exe (W32/Sober.t@MM)
- Path: %Windir%\System32\
- bbvmwxf.hml (empty file)
- gdfjgthv.cvq (empty file)
- runstop.rst (empty file)
- rubezahl.rub (empty file)
- nonrunso.ber (empty file)
- langeinf.lin (empty file)
The empty files are used by this and other Sober variants to detect co-existence. This variant terminates itself if the file "%Windir%\System32\filesms.fms" exists, so that file acts as a kill switch.
The following Windows Registry values are created to run the main worm component automatically at system startup (note that the first value name begins with a space, written here as [space]):
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[space]WinCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\_WinCheck
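The file and registry indicators above are what an incident responder checks for on a suspect host. The following script is an added example (not McAfee's tooling and not part of the original description): it inspects a copy of the %Windir% tree and a plain-text registry export (.reg format) so it can run offline on any platform, and reports which Sober.t indicators are present, including the kill-switch file. The indicator names come from this page; the sample tree and .reg text produced by `build_sample_evidence()` are constructed for the demonstration, and the value data shown there is an assumption, not taken from the page.

```python
"""Offline check for the W32/Sober.t@MM host indicators listed above.

Added example, not McAfee's code. Indicator names come from the description;
the evidence built in build_sample_evidence() is constructed for the demo.
"""
import os
import re
import tempfile

# Dropped files, relative to %Windir% (from the Symptoms section).
DROPPED_FILES = [
    r"ConnectionStatus\Microsoft\concon.www",    # harvested e-mail addresses
    r"ConnectionStatus\Microsoft\services.exe",  # worm body
]
# Zero-byte co-existence markers in %Windir%\System32.
MARKER_FILES = [
    "bbvmwxf.hml", "gdfjgthv.cvq", "runstop.rst",
    "rubezahl.rub", "nonrunso.ber", "langeinf.lin",
]
# The variant exits if this file exists (kill switch per the description).
KILL_SWITCH = r"System32\filesms.fms"

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Persistence value names; note the leading space in the first one.
RUN_VALUES = [" WinCheck", "_WinCheck"]


def _win_path(root, rel):
    """Join a Windows-style relative path onto root using the host separator."""
    return os.path.join(root, *rel.split("\\"))


def check_files(windir):
    """Map each file indicator to True/False for the tree rooted at windir."""
    found = {}
    for rel in DROPPED_FILES:
        found[rel] = os.path.isfile(_win_path(windir, rel))
    for name in MARKER_FILES:
        p = _win_path(windir, "System32\\" + name)
        # Markers are empty files; a non-empty file of that name is not counted.
        found["System32\\" + name] = os.path.isfile(p) and os.path.getsize(p) == 0
    found[KILL_SWITCH] = os.path.isfile(_win_path(windir, KILL_SWITCH))
    return found


_REG_VALUE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


def check_run_values(reg_export_text):
    """Parse a .reg export and return {value_name: data} for Sober Run values.

    .reg files quote value names, so the leading space in " WinCheck" survives.
    """
    hits = {}
    current_key = None
    for line in reg_export_text.splitlines():
        line = line.rstrip("\r")
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = _REG_VALUE.match(line)
        if m and current_key and current_key.lower() == RUN_KEY.lower():
            if m.group("name") in RUN_VALUES:
                hits[m.group("name")] = m.group("data")
    return hits


def assess(windir, reg_export_text):
    """Summarise: infected if the worm body or a persistence value is present."""
    files = check_files(windir)
    run = check_run_values(reg_export_text)
    return {
        "infected": files[DROPPED_FILES[1]] or bool(run),
        "files": files,
        "run_values": run,
        "kill_switch_present": files[KILL_SWITCH],
    }


def build_sample_evidence():
    """Constructed evidence: a fake %Windir% tree and .reg text (NOT real data)."""
    windir = tempfile.mkdtemp(prefix="sober_demo_")
    os.makedirs(_win_path(windir, r"ConnectionStatus\Microsoft"))
    os.makedirs(_win_path(windir, "System32"))
    for rel in DROPPED_FILES:
        with open(_win_path(windir, rel), "wb") as f:
            f.write(b"MZ" if rel.endswith(".exe") else b"alice@example.invalid\n")
    for name in MARKER_FILES[:3]:  # only some markers, as after a partial run
        open(_win_path(windir, "System32\\" + name), "wb").close()
    # Value data below is an assumption for the demo; the page does not list it.
    reg = (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[" + RUN_KEY + "]\r\n"
        '" WinCheck"="C:\\\\WINDOWS\\\\ConnectionStatus\\\\Microsoft\\\\services.exe"\r\n'
        '"_WinCheck"="C:\\\\WINDOWS\\\\ConnectionStatus\\\\Microsoft\\\\services.exe"\r\n'
    )
    return windir, reg


if __name__ == "__main__":
    w, r = build_sample_evidence()
    print(assess(w, r))
```

Run it against a mounted disk image by passing the image's WINDOWS directory as `windir` and a `reg export` of the Run key as the text. Because the script reads an export rather than the live registry, it also works from a forensic workstation that is not running Windows.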
Method of Infection
This variant sends e-mails in English or German depending on the recipient's e-mail address. The message is crafted in German if the recipient's domain matches one of the following; otherwise it is in English:
- contains ".gmx"
- ends with "de"
- ends with "ch"
- ends with "at"
- ends with "li"
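The rule above, applied to a small batch of messages, as an added example (this is not code from the worm or from McAfee). It implements the language selection literally as the description states it, pairs it with the two known subject lines, and shows how a mail-gateway triage step could flag a Sober.t lure and note whether the lure's language is the one the worm would have chosen for that recipient. The sample messages are constructed; only the rule and the subjects come from the page.

```python
"""Recipient language selection used by W32/Sober.t@MM, per the description.

Added example, not the worm's or McAfee's code. SAMPLE_MESSAGES is constructed.
"""

GERMAN_SUFFIXES = ("de", "ch", "at", "li")
GERMAN_SUBSTRING = ".gmx"

# Known lure subjects and the language each is written in.
KNOWN_SUBJECTS = {
    "Registration Confirmation": "en",
    "Haben Sie diese EMail verschickt?": "de",
}


def recipient_domain(address):
    """Lower-cased domain part of an address, or None if there is no '@'."""
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].strip().lower()


def language_for(address):
    """'de' if the worm would send German to this recipient, else 'en'.

    Mirrors the description literally: a substring test for ".gmx" (taken
    at face value, "gmx.net" does not contain ".gmx" but "mail.gmx.net" does)
    and a plain string-suffix test, not a TLD test, for de/ch/at/li.
    """
    domain = recipient_domain(address)
    if domain is None:
        return "en"
    if GERMAN_SUBSTRING in domain or domain.endswith(GERMAN_SUFFIXES):
        return "de"
    return "en"


def triage(messages):
    """Flag messages whose subject is a known Sober.t lure.

    Each message is a (recipient, subject) pair. Returns a list of
    (recipient, subject, lure_language, language_matches_rule).
    """
    flagged = []
    for rcpt, subject in messages:
        lang = KNOWN_SUBJECTS.get(subject.strip())
        if lang is None:
            continue
        flagged.append((rcpt, subject, lang, lang == language_for(rcpt)))
    return flagged


# Constructed sample batch (not real traffic).
SAMPLE_MESSAGES = [
    ("anna@example.de", "Haben Sie diese EMail verschickt?"),
    ("bob@example.com", "Registration Confirmation"),
    ("carl@mail.gmx.net", "Haben Sie diese EMail verschickt?"),
    ("dana@example.com", "Haben Sie diese EMail verschickt?"),  # language does not fit rule
    ("erin@example.org", "Your invoice"),                        # not a Sober.t subject
]

if __name__ == "__main__":
    for row in triage(SAMPLE_MESSAGES):
        print(row)
```

A flagged message whose language does not fit the rule (the `dana@example.com` row) is still a lure, but it was not produced by this variant's selection logic as described here; the mismatch is worth recording when attributing a sample to a specific Sober variant.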
This virus propagates via e-mail. It sends a copy of itself to e-mail addresses harvested from files with the following extensions:
abc, abd, abx, adb, ade, adp, adr, asp, bak, bas, cfg, cgi, cls, cms, csv, ctl, dbx, dhtm, doc, dsp, dsw, eml, fdb, frm, hlp, imb, imh, imm, inbox, ini, jsp, ldb, ldif, log, mbx, mda, mdb, mde, mdw, mdx, mht, ml, mmf, msg, nab, nch, nfo, nsf, nws, ods, oft, php, phtm, pl, pmr, pp, ppt, pst, rtf, sht, slk, sln, stm, tbb, txt, uin, vap, vbs, vcf, wab, wsh, xhtml, xls, xml
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- CME-157