I-Worm.Sober. Viruses Information

Name: I-Worm.Sober.
Category: Viruses
Description: Details
I-Worm.Sober.g

This worm spreads via email, as an attachment to infected messages, and via file-sharing networks. It is written in Visual Basic and packed using UPX. The packed file is approximately 47KB in size, but may be slightly larger, as the worm may write random data to the end of the file.
Installation
The worm is activated when the file attached to the message is opened.
Once launched, the worm causes a fake error message to be displayed:
File not found
Special-UnZip Data-Module
is missing
Open with Notepad?
Yes No
If the user clicks Yes, the worm opens Notepad. The open Notepad window contains nonsense text. Mydoom used a similar diversionary trick.
The worm then creates a copy of itself in the Windows directory, saving it under a name chosen at random from the list below:
sys
host
dir
expolrer
win
run
log
32
disc
crypt
data
diag
spool
service
smss32
This file is then registered in the system registry auto-run key:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "[random key name]" = "%System%\[file name]"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "[random key name]" = "%System%\[file name]"
The worm also creates a number of copies of itself and additional files and saves these under the following names in the Windows directory:
bcegfds.lll
zhcarxxi.vvx
cvqaikxt.apk
xdatxzap.zxp
datsobex.wwr
winzweier.dats
wincheck32.dats
winexpoder.dats
NoSpam.readme
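A defender-side check built from the indicators listed above, as an added example that is not part of the original description: it parses the text of a registry export for Run values pointing at one of the listed copy names inside a Windows folder, and matches a directory listing against the dropped file names. The sample export, its value names, the assumed Windows folder names and the stem-only comparison (the page does not give the copy's extension) are assumptions made for illustration.

```python
import ntpath
import re

# Names copied from the description above. The page does not state the copy's
# extension, so only the file stem is compared (assumption).
COPY_STEMS = {"sys", "host", "dir", "expolrer", "win", "run", "log", "32", "disc",
              "crypt", "data", "diag", "spool", "service", "smss32"}
DROPPED_FILES = {"bcegfds.lll", "zhcarxxi.vvx", "cvqaikxt.apk", "xdatxzap.zxp",
                 "datsobex.wwr", "winzweier.dats", "wincheck32.dats",
                 "winexpoder.dats", "nospam.readme"}
WINDOWS_DIRS = {"windows", "winnt", "system", "system32"}  # assumed folder names
RUN_KEY = re.compile(r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\SOFTWARE"
                     r"\\Microsoft\\Windows\\CurrentVersion\\Run\]$", re.I)
VALUE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')

# Constructed sample: text of a .reg export (not taken from a real machine).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"qzxv"="C:\\WINDOWS\\system32\\spool.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\App\\run.exe\" /s"
"kfpw"="C:\\WINDOWS\\system32\\expolrer.exe"
'''

def suspicious_run_entries(reg_text):
    """Return (hive, value name, path) for Run values matching the name list."""
    hits, hive = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):          # new key section: track only Run keys
            m = RUN_KEY.match(line)
            hive = m.group(1).upper() if m else None
            continue
        m = VALUE.match(line) if hive else None
        if m:
            # Undo .reg escaping, then isolate the executable path from arguments.
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            path = data[1:].split('"')[0] if data.startswith('"') else data.split(" ")[0]
            folder = ntpath.basename(ntpath.dirname(path)).lower()
            stem = ntpath.splitext(ntpath.basename(path))[0].lower()
            if folder in WINDOWS_DIRS and stem in COPY_STEMS:
                hits.append((hive, m.group("name"), path))
    return hits

def dropped_files_present(filenames):
    """Return the names from a directory listing that match the dropped files."""
    return sorted(n for n in filenames if n.lower() in DROPPED_FILES)
```

Several of the listed names (win, run, log, data) are generic, so a match is a reason to inspect the file, not a verdict on its own.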
Propagation
The worm searches local disks for files with the following extensions:
abc
abd
abx
adb
ade
adp
adr
asp
bak
bas
cfg
cgi
cls
cms
csv
ctl
dbx
dhtm
doc
dsp
dsw
eml
fdb
frm
hlp
imb
imh
imm
inbox
ini
jsp
ldb
ldif
log
mbx
mda
mdb
mde
mdw
mdx
mht
mmf
msg
nab
nch
nfo
nsf
nws
ods
oft
php
pl
pmr
pp
ppt
pst
rtf
shtml
slk
sln
stm
tbb
txt
uin
vap
vbs
vcf
wab
wsh
xhtml
xls
xml


It harvests email addresses from these files, and then sends infected messages to these addresses. The worm connects directly to the SMTP server to send messages.
The headers and text of infected messages are in German or English. The headers and text are chosen and combined randomly from several dozen texts.
The attachment will have a .pif or .zip extension, with a random name.
Other
The worm can download and launch files from the following sites:
home.arcor.de
people.freenet.de
home.pages.at
scifi.pages.at
free.pages.at




 


© 2006-2008 spyware32.com - Privacy Policy