Lumension® Endpoint Intelligence Center


Overview

Threat Risk: MEDIUM
Destructivity: MEDIUM
Payload: Terminates security processes
Detection files published: 18 Apr 2005 03:00:00
Description created: 19 Apr 2005 12:04:00
Description updated: 19 Apr 2005 12:04:00
Malware type: WORM
Alias: W32/Sober-M
Spreading mechanism: EMAIL
Summary: None

W32/Sober.N@mm

Spreading

When the worm is first executed, it copies itself to a subfolder under the Windows folder and starts scanning text files for email addresses. These addresses are then used as both the sender and the recipient addresses of the infected mails it later sends. At the same time, the worm creates a text file containing garbage text and displays it using NOTEPAD.
Emails sent will have German or English text depending on the recipient address.

File system changes:

Creates \config\system\zipped.wrm
Creates \config\system\maddys.xyz
Creates \config\system\services.exe
Creates mail.document.Datex-packed.txt in a TEMP folder
Creates \nonrunso.ber
Creates \langeinf.lin
Creates \adcmmmmq.hjg
Creates \xcvzpokd.tqa

Registry changes:

Creates key HKCU\Software\Microsoft\Windows\CurrentVersion\Run _SystemCheck = \config\system\services.exe
Creates key HKLM\Software\Microsoft\Windows\CurrentVersion\Run " SystemCheck" = \config\system\services.exe
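The file paths and Run-key values above are the host artifacts a responder would look for. The following Python script is an added example, not part of the Lumension description: it checks an offline file listing and a `reg export`-style text dump of the two Run keys against those indicators. The sample listing and registry text are constructed for the demonstration, and the Windows root `C:\WINDOWS` is an assumption. Because the page renders the Run value name two different ways (`_SystemCheck` and `" SystemCheck"`), the registry check keys on the launched binary rather than on the value name.

```python
"""Offline check for the W32/Sober.N@mm artifacts listed in the description.

Added example (not from the Lumension page). Inputs are a list of full file
paths and the text of a `reg export` of the Run keys, so it runs anywhere;
on a live host the same functions can be fed from os.walk() and winreg.
"""
import re

# "File system changes": paths relative to the Windows folder, as on the page.
WORM_FILES = {
    r"\config\system\zipped.wrm",
    r"\config\system\maddys.xyz",
    r"\config\system\services.exe",
    r"\nonrunso.ber",
    r"\langeinf.lin",
    r"\adcmmmmq.hjg",
    r"\xcvzpokd.tqa",
}
_WORM_FILES_LOWER = {p.lower() for p in WORM_FILES}

# The dropped Notepad text lands in some TEMP folder, so match on name only.
TEMP_FILE_NAME = "mail.document.datex-packed.txt"

# "Registry changes": the Run value launches the worm's services.exe copy.
WORM_RUN_TARGET = r"\config\system\services.exe"
RUN_KEY_RE = re.compile(
    r"^HKEY_(?:CURRENT_USER|LOCAL_MACHINE)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run$", re.I)
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def find_worm_files(windows_root, listing):
    """Return paths from `listing` that match the worm's dropped files."""
    root = windows_root.rstrip("\\").lower()
    hits = []
    for path in listing:
        low = path.lower()
        # Relative path keeps its leading backslash, e.g. \config\system\zipped.wrm,
        # so the legitimate \system32\services.exe is not confused with the copy.
        if low.startswith(root) and low[len(root):] in _WORM_FILES_LOWER:
            hits.append(path)
        elif "\\temp\\" in low and low.rsplit("\\", 1)[-1] == TEMP_FILE_NAME:
            hits.append(path)
    return hits


def find_worm_run_values(reg_text):
    """Return (key, value name, data) for Run values launching the worm binary."""
    hits = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or not RUN_KEY_RE.match(current_key):
            continue
        m = RUN_VALUE_RE.match(line)
        if not m:
            continue
        data = m.group("data").replace("\\\\", "\\")  # undo .reg backslash escaping
        if data.lower().endswith(WORM_RUN_TARGET.lower()):
            hits.append((current_key, m.group("name"), data))
    return hits


# Constructed sample inputs: one clean host file set plus the worm's artifacts.
SAMPLE_FILES = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\services.exe",       # legitimate Service Control Manager
    r"C:\WINDOWS\config\system\services.exe",  # worm copy
    r"C:\WINDOWS\config\system\zipped.wrm",
    r"C:\WINDOWS\nonrunso.ber",
    r"C:\WINDOWS\notepad.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\mail.document.Datex-packed.txt",
]

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
" SystemCheck"="C:\\WINDOWS\\config\\system\\services.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
" SystemCheck"="C:\\WINDOWS\\config\\system\\services.exe"
"Example Tray App"="C:\\Program Files\\Example\\tray.exe"
'''

if __name__ == "__main__":
    for p in find_worm_files(r"C:\WINDOWS", SAMPLE_FILES):
        print("file  :", p)
    for key, name, data in find_worm_run_values(SAMPLE_REG):
        print("reg   :", key, repr(name), "->", data)
```

On the sample data the file check reports four paths (the three dropped files under the Windows folder and the TEMP text file) and leaves `system32\services.exe` alone; the registry check reports the `SystemCheck` value under both HKCU and HKLM.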

Payload Details

If certain security applications, such as Microsoft's Malicious Software Removal Tool (MRT), are run, the worm terminates them and displays a fake "ok" dialog box. This is possibly the first time that this cleaning utility has been targeted.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:15