Lumension® Endpoint Intelligence Center


Overview

Threat Risk LOW
Destructivity NONE
Payload
Detection files published 18 Nov 2004 03:00:00
Description created 19 Nov 2004 12:33:00
Description updated 19 Nov 2004 12:33:00
Malware type WORM
Alias W32/Clonz.A; Trojan.Win32.VB.qa; W32/Sober.I.worm; Worm/Sober.I
Spreading mechanism EMAIL
Summary None

W32/Sober.I@mm

Spreading

When the worm is executed, it displays a window with an error message. In the background it creates a number of files in the Windows System directory, most notably two worm executables; these can have various names, e.g. expoler.exe or win32data.exe. Registry keys are created to start them at boot. Other files created are:
clonzips.ssc
clsobern.isc
cvqaikxt.apk
dgssxy.yoi
nonzipsr.noz
Odin-Anon.Ger
sb2run.dii
sysmms32.lla
winexerun.dal
winmprot.dal
winroot64.dal
winsend32.dal
zippedsr.piz
These are used for preliminary storage of harvested email addresses and MIME-encoded copies of the worm.
Registry keys created by the worm:
The worm uses several different key names and filenames, but an installation can look like this:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run service =\win32data.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run winrunexpolerx =\expoler.exe %run%
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run dirloghostx =\expoler.exe %run%
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run expoler32 =\win32data.exe
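As an added example (not part of the original Lumension description), the following Python check applies the indicators listed above to Run-key entries and a System directory listing. The sample registry data and the C:\WINDOWS\system32 location are constructed for the example; the filenames come from the description.

```python
from pathlib import PureWindowsPath

# Worm executables and helper files named in the description above.
SOBER_I_EXECUTABLES = {"expoler.exe", "win32data.exe"}
SOBER_I_DATA_FILES = {
    "clonzips.ssc", "clsobern.isc", "cvqaikxt.apk", "dgssxy.yoi",
    "nonzipsr.noz", "odin-anon.ger", "sb2run.dii", "sysmms32.lla",
    "winexerun.dal", "winmprot.dal", "winroot64.dal", "winsend32.dal",
    "zippedsr.piz",
}

def executable_from_command(command):
    """Return the lower-cased basename of the program a Run value launches.
    Handles quoted paths and trailing arguments such as the worm's %run%."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        program = command[1:end] if end > 0 else command[1:]
    else:
        program = command.split()[0]
    return PureWindowsPath(program).name.lower()

def find_run_key_indicators(run_entries):
    """run_entries: iterable of (key_path, value_name, value_data) tuples.
    Returns (key_path, value_name, exe) for values launching a Sober.I file."""
    hits = []
    for key_path, name, data in run_entries:
        exe = executable_from_command(data)
        if exe in SOBER_I_EXECUTABLES:
            hits.append((key_path, name, exe))
    return hits

def find_dropped_files(system_dir_listing):
    """Return the names from a System directory listing that match the
    worm's helper files (address storage and MIME-encoded copies)."""
    return sorted(f for f in system_dir_listing if f.lower() in SOBER_I_DATA_FILES)

if __name__ == "__main__":
    # Constructed sample data modelled on the installation shown above.
    RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries = [
        ("HKCU\\" + RUN, "service", r"C:\WINDOWS\system32\win32data.exe"),
        ("HKCU\\" + RUN, "winrunexpolerx", r"C:\WINDOWS\system32\expoler.exe %run%"),
        ("HKLM\\" + RUN, "ctfmon", r'"C:\WINDOWS\system32\ctfmon.exe"'),  # benign
    ]
    listing = ["kernel32.dll", "clonzips.ssc", "Odin-Anon.Ger", "notepad.exe"]
    for hit in find_run_key_indicators(entries):
        print("suspicious Run value:", hit)
    print("dropped files present:", find_dropped_files(listing))
```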

Payload Details

n/a

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:10