Lumension® Endpoint Intelligence Center

Sober.O@mm


Threat Risk: LOW
Destructivity: MEDIUM
Payload: Terminates security applications
Detection files published: 01 May 2005 03:00:00
Description created: 02 May 2005 01:27:00
Description updated: 02 May 2005 01:27:00
Malware type: WORM
Spreading mechanism: EMAIL
Summary: None



When the worm is first executed, it copies itself to a subfolder under the Windows folder and starts to scan text files for email addresses. These addresses are then used as both sender and recipient addresses for later infected mails. At the same time, the worm shows an error message on the screen: "Error: CRC not complete"
Emails sent will have German or English text depending on the recipient address.

File system changes:

Creates \Connection Wizard\Status\CSRSS.EXE
Creates \Connection Wizard\Status\SMSS.EXE
Creates \Connection Wizard\Status\SERVICES.EXE
Creates \Connection Wizard\Status\packed1.sbr
Creates \Connection Wizard\Status\packed2.sbr
Creates \Connection Wizard\Status\packed3.sbr
Creates \Connection Wizard\Status\voner1.von
Creates \Connection Wizard\Status\voner2.von
Creates \Connection Wizard\Status\voner3.von
Creates \Connection Wizard\Status\sacri1.ggg
Creates \Connection Wizard\Status\sacri2.ggg
Creates \Connection Wizard\Status\sacri3.ggg
Creates \Connection Wizard\Status\fastso.ber
Creates \nonrunso.ber
Creates \langeinf.lin
Creates \adcmmmmq.hjg
Creates \xcvzpokd.tqa
Creates \seppelmx.smx

Registry changes:

Creates key HKCU\Software\Microsoft\Windows\CurrentVersion\Run _WinStart = \Connection Wizard\Status\services.exe
Creates key HKLM\Software\Microsoft\Windows\CurrentVersion\Run " WinStart" = \Connection Wizard\Status\services.exe
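
A defender's check built from the file and registry changes listed above, as an added example that is not part of the original description. It inspects autorun entries for the WinStart value name and the Connection Wizard\Status folder and, going slightly beyond the listed paths, flags any CSRSS.EXE, SMSS.EXE or SERVICES.EXE located outside System32. The function names and the sample entries (including the C:\WINDOWS prefix) are assumptions constructed for illustration.

```python
import ntpath

# Indicators taken from the description above. The page does not show the
# folder in front of "\Connection Wizard\Status", so only the suffix is matched.
DROP_DIR = r"\connection wizard\status"
RUN_VALUE_NAMES = {"_winstart", "winstart"}
# Genuine Windows system process names that the worm reuses for its copies.
MASQUERADED = {"csrss.exe", "smss.exe", "services.exe"}


def exe_path(command):
    """Extract the lower-cased executable path from a Run value."""
    command = command.strip()
    if command.startswith('"'):
        # Quoted path, possibly followed by arguments.
        return command[1:].split('"', 1)[0].lower()
    return command.lower()


def check_run_entry(name, command):
    """Return the reasons an autorun entry matches the description."""
    reasons = []
    folder, exe = ntpath.split(exe_path(command))
    if name.strip('" ').lower() in RUN_VALUE_NAMES:
        reasons.append("value name WinStart")
    if folder.endswith(DROP_DIR):
        reasons.append("target in Connection Wizard\\Status")
    if exe in MASQUERADED and not folder.endswith(r"\system32"):
        reasons.append(exe + " outside System32")
    return reasons


def scan(entries):
    """Return (hive, name, reasons) for every entry with at least one match."""
    hits = []
    for hive, name, command in entries:
        reasons = check_run_entry(name, command)
        if reasons:
            hits.append((hive, name, reasons))
    return hits


# Constructed sample data, e.g. exported from the two Run keys named above.
SAMPLE_ENTRIES = [
    ("HKCU", "_WinStart", r"C:\WINDOWS\Connection Wizard\Status\services.exe"),
    ("HKLM", '" WinStart"', r"C:\WINDOWS\Connection Wizard\Status\services.exe"),
    ("HKLM", "ExampleTray", r'"C:\Program Files\Example\tray.exe" /min'),
    ("HKCU", "Updater", r"C:\Users\alice\AppData\Roaming\csrss.exe"),
]

if __name__ == "__main__":
    for hive, name, reasons in scan(SAMPLE_ENTRIES):
        print(hive, repr(name), "; ".join(reasons))
```
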

Payload Details

Similar to previous variants, this Sober variant terminates various security applications, for example the Microsoft Malicious Software Removal Tool (MRT.EXE).





Last Updated: 12 Nov 2015 11:06:15