









W32/Sober.E

| Name | W32/Sober.E |
| Aliases | W32/Sober.e@MM, Sober.E, WORM_SOBER.E, sober, sober.e, sobere |
| Discovered on | March 28, 2004 |

Virus Information - W32/Sober.E:
W32/Sober.E is a mass-mailing worm and a variant of W32/Sober.A.
It infects Windows systems and spreads through email.
The subject of the infected email will be any one of the following:
OK ok OK
OK OK
OK :-)
Hi :-)
hi
hey?
Hey!
HEY
The body of the email contains any one of the following:
;-)
THX
Thx!
thx
yo!
HA
ha!
lol
LoL
LOL
The infected email has an attachment with any one of the following names:
Word
Text
Read
Graphic-doc
Document
The file extension of the infected attachment will be .zip or .pif.
Upon execution of the infected attachment, it displays a dialog box with a fake runtime error message containing "Graphic Modul not found".
After this, the worm creates a similar copy of itself with a random file name and an .exe extension in the Windows System folder.
It also drops the following files in the Windows System folder:
msword.wrd
winrun32.dll
bcegfds.lll
mshelp32.dat
zmndpgwf.kxx
The worm modifies the registry at the following locations to load itself at each startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
The worm scans the infected system for files with the following extensions to collect the available email addresses:
.xls, .wab, .txt, .ttt, .tbb, .shtml, .rtf, .pl, .php,
.mdb, .log, .ini, .eml, .doc, .dbx, .asp, .adb, .abx, .abd
After this, the worm mails itself to these email addresses using its own SMTP engine.
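
Added example, not part of the original description: a Python mail-filter check that tests a raw message against the subject, body and attachment traits listed above. The function names, the case-insensitive attachment match and the "attachment plus one text trait" policy are assumptions of this example; the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicator values copied from the description above.
SUBJECTS = {"OK ok OK", "OK OK", "OK :-)", "Hi :-)", "hi", "hey?", "Hey!", "HEY"}
BODIES = {";-)", "THX", "Thx!", "thx", "yo!", "HA", "ha!", "lol", "LoL", "LOL"}
ATTACH_STEMS = {"word", "text", "read", "graphic-doc", "document"}
ATTACH_EXTS = {".zip", ".pif"}


def sober_e_traits(raw: bytes) -> set:
    """Return which of the traits (subject, body, attachment) a raw message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    # Subject and body are compared exactly: the listed variants differ only by case.
    if (msg["Subject"] or "").strip() in SUBJECTS:
        hits.add("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() in BODIES:
        hits.add("body")
    for part in msg.iter_attachments():
        # Assumption: attachment names are matched case-insensitively.
        name = (part.get_filename() or "").strip().lower()
        stem, dot, ext = name.rpartition(".")
        if dot and stem in ATTACH_STEMS and "." + ext in ATTACH_EXTS:
            hits.add("attachment")
    return hits


def is_suspect(raw: bytes) -> bool:
    """Assumed policy: attachment name match plus a subject or body match."""
    hits = sober_e_traits(raw)
    return "attachment" in hits and bool(hits & {"subject", "body"})


def build_sample(subject, body, filename=None) -> bytes:
    """Constructed test message; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Short subjects such as "hi" are common in legitimate mail, which is why the policy requires the attachment trait before flagging a message.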
