W32/Sober.C

 Virus Information - W32/Sober.C:

W32/Sober.C is a mass mailing worm. It is a variant of W32/Sober.A. This worm will infect Windows systems. This worm spreads through email.

The worm arrives with a random subject within its list in English or German languages.

The infected attachment will be any one of the following;

www.tagespolitik-umfragen.com
www.onlinegamerspro-worm.com
www.freewantiv.com
www.free4manga.com
www.free4share4you.com
www.anime4allfree.com
www.animepage43252.com
www.freegames4you-gzone.com
www.boards4all-terror432.com
www.iq4you-german-test.com
yourmail
alledigis
aktenz

The body of the infected mail will be randomly composed in either English or German languages.

Upon execution of the infected attachment, it displays a dialog box with a fake runtime error message containing "<worm_file_name> has caused an unknown error". After this, the worm creates similar copies of itself with a random file name and extensions in the Windows\System folder. The worm modifies registry at the following location to load itself during each startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The worm scans the infected system for the following extensions to collect the available email addresses.

.xls, .wab, .vap, .txt, .sln, .shtml, .shtm, .rtf, .pst, .php, .nsf, .nfo, .nab, .mht, .mdw, .mde, .mdb, .mda, .ldif, .ldb, .ini, .htt, .html, .htm, .hlp, .fdb, .eml, .dsw, .dsp, .doc, .dbx, .cfg, .asp, .adp, .ade, .abc,

The worm stores all the collected email addresses in a file called savesyss.dll, under the Windows\System folder. After this the worm mails itself to these email addresses using its own SMTP engine.