Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: NONE
Payload: (none listed)
Detection files published: 26 Oct 2003 03:00:00
Description created: 26 Oct 2003 11:26:00
Description updated: 27 Oct 2003 12:08:00
Malware type: WORM
Alias: (none listed)
Spreading mechanism: EMAIL
Summary: None

W32/Sober.A@mm

Spreading

When this worm is first executed, it displays a message box with an error message such as "File not complete!". It then installs itself as three files in the Windows System directory; two of them have semi-random names, the third is called SIMILARE.EXE.

The worm registers itself for autostart in the registry under the keys
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
and
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The exact values entered may vary.
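As an added example, not part of the original description: a Python triage helper that parses the output of `reg query` for the Run keys named above and flags entries matching the indicators on this page, namely the SIMILARE.EXE file name, or an autorun image launched directly from the Windows System directory that is not on a caller-supplied allowlist. The sample registry output is constructed and its value names are invented.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the description: the worm registers itself under the
# HKCU/HKLM ...\CurrentVersion\Run keys and drops three files into the Windows
# System directory, one of them named SIMILARE.EXE (the other two are semi-random).
KNOWN_DROPPED_NAME = "similare.exe"
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\system", r"c:\winnt\system32"}

# Constructed sample of `reg query` output (not captured from a real host).
# "OneDrive" is a benign stand-in; the other two mimic the worm's Run values.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Realtime    REG_SZ    C:\WINDOWS\System32\similare.exe
    ksdfj32     REG_SZ    C:\WINDOWS\System32\ksdfj32.exe
"""

# One `reg query` value line: <indent><name> <REG_type> <data>
VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*\S)\s*$")

def image_path(data: str) -> PureWindowsPath:
    """Extract the executable path from a Run value's data, dropping arguments."""
    data = data.strip()
    if data.startswith('"'):
        exe = data[1:data.find('"', 1)]          # quoted path, may contain spaces
    else:
        exe = data.split(" ", 1)[0]              # first token of an unquoted command
    return PureWindowsPath(exe)

def flag_run_entries(reg_output: str, allowlist=frozenset()) -> list:
    """Return (value_name, image_path, reason) for Run entries worth a closer look.

    Checks: the image is literally SIMILARE.EXE, or the entry launches straight
    out of the System directory and the file name is not on the allowlist
    (legitimate System32 autoruns exist, so the caller supplies that list).
    """
    hits = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue
        path = image_path(m.group("data"))
        name, parent = path.name.lower(), str(path.parent).lower()
        if name == KNOWN_DROPPED_NAME:
            hits.append((m.group("name"), str(path), "known Sober.A file name"))
        elif parent in SYSTEM_DIRS and name not in allowlist:
            hits.append((m.group("name"), str(path), "autorun from System directory, not allowlisted"))
    return hits
```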

The worm now harvests email addresses from files on the infected machine.

Files of the following types are searched:

htt,rtf,doc,xls,ini,mdb,txt,htm,html,wab,pst,fdb,
cfg,ldb,eml,abc,ldif,nab,adp,mdw,mda,mde,ade,sln,
dsw,dsp,vap,php,asp,shtml,shtm,dbx,hlp,mht,nfo

The subjects, file names and body texts are chosen from internal lists. Depending on the locale of the infected machine, the worm uses English or German text.

Example subject lines:

Neuer Virus im Umlauf!
Back At The Funny Farm
Sie versenden Spam Mails (Virus?)
Ein Wurm ist auf Ihrem Computer!

Payload Details

n/a

Analysis

n/a

Removal

When running, the worm keeps three separate processes in memory which protect each other (a terminated process is restarted by the others), so it can be difficult to remove manually.


Last Updated: 12 Nov 2015 11:06:14