Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: NONE
Payload:
Detection files published:
Description created: 08 Mar 2004 04:22:00
Description updated: 08 Mar 2004 06:22:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL
Summary: None

W32/Sober.D@mm

Spreading

When the worm is executed, it displays the following message:

(Image not available)

If executed when the computer is already infected, the following message will be displayed:

(Image not available)

The worm then copies itself into the System directory under a semi-random name.
It adds two entries to the Registry so that it is loaded at startup.

Registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   [random][random] = C:\WINNT\System32\[random]
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
   [random] = C:\WINNT\System32\[random] %1
The file and value names are generated from the strings in [WL1].
The worm also creates several 0-byte files in the System directory and an encrypted file named temp32x.data.
The worm spreads over email using addresses harvested from several sources on the infected computer, including mails, contact lists and files with the extensions in [WL2].
Harvested email addresses are stored in the file %System%\mslog32.dll.
Mails sent by this worm are generated in either German or English depending on the nationality of the recipient address.
The From: address is [WL3]@microsoft.com and the To: address is gathered from the infected computer.

English email:
Subject: Microsoft Alert: Please Read!

Body:
New MyDoom Virus Variant Detected!

A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet.

Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus.
The worm also has a backdoor Trojan capability.
By default, the Trojan component listens on port 13468.

Protection:
Please download this digitally signed attachment.
This Update includes the functionality of previously released patches.


+++ ®2004 Microsoft Corporation. All rights reserved.
+++ One Microsoft Way, Redmond, Washington 98052 98052
+++ Restricted Rights at 48 CFR 52.227-19

German email:
Subject: Microsoft Alarm: Bitte Lesen!

Body:
Neue Virus-Variante W32.Mydoom verbreitet sich schnell.

Eine neue Mydoom-Variante verbreitet sich derzeit rasend schnell im Internet.
Wie seine Vorgänger verschickt sich der Wurm von infizierten Windows-Rechnern per E-Mail an weitere Adressen.

Zudem installiert er auf infizierten Systemen einen gefährlichen Trojaner!

Bitte daten Sie Ihr System mit dem Patch ab, um sich vor diesem Schädling zu schützen!


+++ ®2004 Microsoft Corporation. Alle Rechte vorbehalten.
+++ Microsoft Deutschland GmbH, Konrad-Zuse-Strasse 1
+++ 85716 Unterschleissheim, HRB 70438, DE 129 415 943

The attachment may be an EXE file or an EXE inside a ZIP file. The filename is constructed from strings in [WL4] and uses the following icon:

(Image not available)

The worm avoids sending itself to addresses containing the strings in [WL5].
[WL1] (WordList1): sys, host, dir, explorer, win, run, log32, disc, crypt, data, diag, spool, service, smss32

[WL2] (WordList2): ini, log, mdb, tbb, abd, adb, pl, rtf, doc, xls, txt, wab, eml, php, asp, shtml, dbx

[WL3] (WordList3): Info, Center, UpDate, News, Help, Studio, Alert, Patch, Security

[WL4] (WordList4): Patch, MS-Security, MS-UD, UpDate, sys-patch

[WL5] (WordList5): abuse, winrar, domain., host., ciren, bitdefender, spybot, hotmail, detection, ewido., emisoft, linux, google, @foo., winzip, @arin, mozilla, @iana, @avp, @msn., microsoft, @sophos, @panda, symant, ntp-, ntp@, @ntp., @kaspers, free-av, antivir, virus, verizon, @ikarus, @nai, @messagelab, clock, info@, t-online
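The indicators above (the forged [WL3]@microsoft.com sender, the two lure subjects, the [WL4]-based attachment names, and the Run/RunOnce values built from [WL1]) are enough to write simple defender-side checks. The following is an added example, not Lumension's code or anything shipped with the product: a mail-gateway heuristic for the lure and a check over a Run-key snapshot. The email messages and the registry snapshot are constructed sample data, and reading "generated based on the strings in [WL1]" as one or two concatenated WL1 words is an assumption made here, not a statement from the page.

```python
# Added example (not Lumension's code): two defender-side checks built only from
# the indicators this page lists for W32/Sober.D@mm. All sample data is constructed.
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

# Word lists copied from the page.
WL1 = ["sys", "host", "dir", "explorer", "win", "run", "log32", "disc",
       "crypt", "data", "diag", "spool", "service", "smss32"]
WL3 = ["Info", "Center", "UpDate", "News", "Help", "Studio", "Alert",
       "Patch", "Security"]
WL4 = ["Patch", "MS-Security", "MS-UD", "UpDate", "sys-patch"]


def _alt(words: list[str]) -> str:
    """Regex alternation of literal words, longest first so 'sys-patch' is tried before 'sys'."""
    return "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True))


# Forged sender: one WL3 string in front of @microsoft.com.
SENDER_RE = re.compile(rf"^(?:{_alt(WL3)})@microsoft\.com$", re.IGNORECASE)
# Attachment: a WL4 string at the start of the name, EXE or ZIP extension.
ATTACH_RE = re.compile(rf"^(?:{_alt(WL4)})[^/\\]*\.(?:exe|zip)$", re.IGNORECASE)
# Both lure subjects quoted on the page, whitespace-normalised and lower-cased.
SUBJECTS = {"microsoft alert: please read!", "microsoft alarm: bitte lesen!"}

# Assumption (not stated on the page): the "[random]" value name and dropped
# file name are one or two WL1 words concatenated. RunOnce data may end in " %1".
VALUE_NAME_RE = re.compile(rf"^(?:{_alt(WL1)}){{1,2}}$", re.IGNORECASE)
VALUE_DATA_RE = re.compile(
    rf"^[a-z]:\\(?:winnt|windows)\\system32\\(?:{_alt(WL1)}){{1,2}}(?:\.exe)?(?:\s+%1)?$",
    re.IGNORECASE)


def lure_indicators(raw_message: str) -> list[str]:
    """Return the page's lure indicators found in one RFC 822 message, in header order."""
    msg = message_from_string(raw_message)
    hits: list[str] = []
    sender = parseaddr(msg.get("From", ""))[1]
    if SENDER_RE.match(sender):
        hits.append(f"from:{sender}")
    subject = " ".join(msg.get("Subject", "").split()).lower()
    if subject in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():                      # root plus every MIME part
        name = part.get_filename()
        if name and ATTACH_RE.match(name):
            hits.append(f"attachment:{name}")
    return hits


def is_sober_lure(raw_message: str) -> bool:
    """Require two independent indicators; a forged microsoft.com sender alone is too weak to act on."""
    return len(lure_indicators(raw_message)) >= 2


def suspicious_autoruns(run_values: dict[str, str]) -> list[str]:
    """Given a {value name: data} snapshot of a Run/RunOnce key, return names matching the worm's pattern."""
    return [name for name, data in run_values.items()
            if VALUE_NAME_RE.match(name) and VALUE_DATA_RE.match(data)]


# Constructed sample: a Sober.D-style lure carrying a ZIP attachment.
SAMPLE_LURE = """\
From: Security@microsoft.com
To: user@example.org
Subject: Microsoft Alert: Please Read!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sober-example"

--sober-example
Content-Type: text/plain

New MyDoom Virus Variant Detected!
--sober-example
Content-Type: application/zip; name="MS-Security.zip"
Content-Disposition: attachment; filename="MS-Security.zip"

UEsDBBQAAAAIAA==
--sober-example--
"""

# Constructed sample: ordinary mail that must not trigger.
SAMPLE_BENIGN = """\
From: alice@example.com
To: bob@example.org
Subject: Meeting notes
Content-Type: text/plain

See you at noon.
"""

# Constructed snapshot of HKLM\...\CurrentVersion\Run: one worm-style value among legitimate ones.
SAMPLE_RUN = {
    "syshost": r"C:\WINNT\System32\windisc",
    "ctfmon": r"C:\WINNT\System32\ctfmon.exe",
    "NvCplDaemon": r"RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup",
}

if __name__ == "__main__":
    print(lure_indicators(SAMPLE_LURE))    # ['from:Security@microsoft.com', 'subject', 'attachment:MS-Security.zip']
    print(lure_indicators(SAMPLE_BENIGN))  # []
    print(suspicious_autoruns(SAMPLE_RUN)) # ['syshost']
```

The attachment check deliberately matches on the name prefix rather than the exact [WL4] strings, because the page says the filename is "constructed with strings from [WL4]" rather than being one of them verbatim; the registry check requires both the value name and the data path to look worm-generated, so a legitimate value that happens to be named "explorer" or "service" is not flagged on its own.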

Payload Details

n/a

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:14