W32/Sober.F

| Field | Value |
| --- | --- |
| Name | W32/Sober.F |
| Aliases | W32/Sober.f@MM, Sober.F, WORM_SOBER.F, sober, sober.f, soberf |
| Discovered on | April 3, 2004 |

Virus Information - W32/Sober.F:
W32/Sober.F is a mass-mailing worm and a variant of W32/Sober.E. It infects Windows systems and spreads through email.
The subject of the infected email is any one of the following, in English or German:
Connectio failed
Invalid mail sentence length
Mail Delivery failure
Message Error
mail delivery status
Confirmation Required
Details
Oh my God
Hey
admin
Error_Info
RobotMailer
AutoMailer
Administrator
Info
User-info
account
Webmaster
Home
Register
Service
Illegal signs in Mail-Routing
Hi!
Hi, it's me
hey you
damn
Well, surprise?!
Info Information
Liste
Schwarze-Liste
Service
Info
Passwort
Kundenservice
Information
Fehlerhafte Mailzustellung
Mailzustellung fehlgeschlagen
Fehler
Illegale Zeichen in Mail-Routing
Verbindung fehlgeschlagen
Webmaster
Fehler-Info
Administrator
RobotMailer
AutoMailer
Register
Information
Hi, Ich bin's
Ich bin es .-)
Verdammt überrascht?!
The body of the email contains any one of the following:
Details entnehmen Sie bitte dem Attachment
Nähere Informationen befinden sich im Anhang.
*** Auto Mail Delivery System ***
Ihre E-Mail konnte nicht gesendet oder empfangen werden.
Bitte überprüfen Sie nochmals diese E-Mail auf mögliche Fehlerquellen.
attach: AMD-System.txt
* End Transmission
Virenschutz
--- Web: http:/ /www.<randomly chosen domain>
--- Mail To: User-Hilfe
Read the attachment for details.
Bad Gateway: The message has been attached.
+++ A service of <randomly chosen domain>
+++ http:/ /www.<randomly chosen domain>
+++ Mail: home
The message has been attached.
Database #Error
-- Partial message is available!
-- Error: llegal signs in Mail-Routing
-- Mail Server: ESMTP VX32.9 Version Betha Alpha
Anybody use your accounts!
For further details see the attachment.
I have received your document.
The corrected document is attached.
greets
Internet Provider Abuse:
Wir haben festgestellt, dass Sie illegale Internet- Seiten besuchen.
Bitte beachten Sie folgende Liste:
Ich war auch ein wenig überrascht!
Wer konnte so etwas ahnen!? Lese selbst
Oh-Mann
Alles klaro bei dir?
Schau mal was Ich gefunden habe!
Sieh mal nach ob du den Scheiss auch bei dir drauf hast!
Ist ein ziemlich nervender Virus. Mach genau das, wie es im Text beschrieben ist!
Bye
Ich habs dir doch gesagt, irgendwann schaffe ich es deine Passwörter rauszubekommen!!!
Passwoerter.txt
hi its me
i've found a shity virus on my pc. check your pc, too!
follow the steps in this article.
bye
I 've told you!:-) sometime I grab your passwords!
I hope you accept the result!
Follow the instructions to read the message.
Please read the document
Registration confirmation
Your Password
Your mail account
Your password was changed successfully.
Protected message is attached.
++++ Service: http:/ /www.<randomly chosen domain>
++++ Mail To: User-info
I was surprised, too! : -( Who could suspect something like that?
All OK :)
see, what i've found!
Passwort und Benutzername wurde erfolgreich geändert
Ihre Benutzernamen und Passwörter befinden sich im Anhang dieser E-Mail
++++ Im www erreichbar unter: http:/ /www.<randomly chosen domain>
++++ E-Mail: KundenInfo
Wegen eines Datenbank-Fehlers könnte es möglicherweise zu einem Verlust Ihrer persönlichen Daten wie Kennwörter gekommen sein.
Wenn Sie Unregelmäßigkeiten festgestellt haben, melden Sie uns bitte umgehend den Datenverlust.
Vielen Dank für Ihr Verständnis
+++ Ein Service von
+++ http:/ /www.<randomly chosen domain>
+++ E-Mail: Kundenservice
*** Auto Mail Delivery System ***
67.28.114.32_failed_after_I_sent_the_message./Remote_host_said:_554_delivery_error:_dd_Sorry_your_message_cannot_be_delivered._This_account_has_been_disabled_or_discontinued_[#102]._-_mta134.mail.dcn.com
*** this line has been modified by Symantec for the purpose of formatting ***
** End of Transmission
The original message is a separate attachment.
--- Web: http:/ /www.<randomly chosen domain>
--- Mail To: User-Hilfe
The infected email carries an attachment with any one of the following names:
Money-Help
partial
pass-message
pmessage-text
RobotMailer
AntiVirus-Text
attach-message
AutoMailer
Error_Info
error
error-message
Fehler-Info
instructions
kurztext
message
Schwarze-Liste
textdocument
Text-Inhalt
Administrator
AMD-System.txt
anitv_text
help
User-info
webmaster
your_article
your_passwords
corrected_text-file
database_partial
database
Datenbank_Auszug
dokument
Benutzer-Daten
block-lists
check_this
The file extension of the infected attachment will be .zip or .pif.
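The subject lines, attachment names and attachment extensions above are the mail-borne indicators a gateway or mailbox filter can key on. What follows is an added example, not code from the original page or from the vendor that published it: a Python triage function that parses a raw RFC 822 message and reports which of the page's indicators it matches. The indicator sets are a subset of the lists above, the two sample messages are constructed, and the `example.invalid` addresses are placeholders.

```python
"""Mail-gateway triage for the W32/Sober.F indicators listed on the page.

Added example; not code from the original page or from any vendor.
The indicator sets below are a SUBSET of the subjects and attachment
names given on the page; both sample messages are constructed.
"""
import email
from email import policy

# Subset of the subject lines listed on the page (English and German).
SOBER_F_SUBJECTS = {
    "mail delivery failure", "message error", "illegal signs in mail-routing",
    "fehlerhafte mailzustellung", "mailzustellung fehlgeschlagen",
    "verbindung fehlgeschlagen", "robotmailer", "automailer", "error_info",
    "fehler-info", "hi, it's me", "hi, ich bin's",
}

# Subset of the attachment base names listed on the page.
SOBER_F_ATTACHMENTS = {
    "money-help", "pass-message", "robotmailer", "automailer", "error_info",
    "fehler-info", "amd-system.txt", "your_passwords", "schwarze-liste",
    "datenbank_auszug", "benutzer-daten", "check_this",
}

# The page states the attachment carries a .zip or .pif extension.
SOBER_F_EXTENSIONS = (".zip", ".pif")


def attachment_names(msg):
    """Yield the file names of all attachment parts in a parsed message."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def sober_f_indicators(raw_message: str) -> list[str]:
    """Return the Sober.F indicators found in one raw RFC 822 message.

    An empty list means nothing from the page's lists matched.  Matching is
    case-insensitive because the worm's strings are reproduced on the page
    with mixed capitalisation.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in SOBER_F_SUBJECTS:
        hits.append(f"subject:{subject}")
    for name in attachment_names(msg):
        lower = name.lower()
        for ext in SOBER_F_EXTENSIONS:
            if lower.endswith(ext) and lower[:-len(ext)] in SOBER_F_ATTACHMENTS:
                hits.append(f"attachment:{name}")
    return hits


# Constructed sample: a bounce lookalike with a .pif attachment, in the
# style the page describes.  Not a real captured message.
SUSPECT = """\
From: postmaster@example.invalid
To: user@example.invalid
Subject: Mail Delivery failure
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Bad Gateway: The message has been attached.
--b1
Content-Type: application/octet-stream; name="pass-message.pif"
Content-Disposition: attachment; filename="pass-message.pif"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed sample: a benign message with an unrelated .zip attachment.
BENIGN = """\
From: colleague@example.invalid
To: user@example.invalid
Subject: Q2 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Attached.
--b2
Content-Type: application/zip; name="q2-report.zip"
Content-Disposition: attachment; filename="q2-report.zip"
Content-Transfer-Encoding: base64

UEsDBA==
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, sober_f_indicators(raw))
```

A subject match alone is weak evidence, since several of the listed subjects ("Info", "Details", "Hey") are ordinary; the attachment check is the stronger signal, and the two together are what the page's description actually characterises.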
Upon execution of the infected attachment, the worm copies itself into the Windows System folder under a random file name built from a combination of the following tokens, with a .exe extension:
dir, diag, data, win, sys, spool, smss32, service, explorer, disc, crypt, 32, run, log, host
The worm modifies the registry at the following locations so that it is loaded at each startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
To propagate, the worm scans the infected system for files with the following extensions and collects the email addresses they contain:
.dsp, .ade, .sln, .tbb, .abx, .abd, .adb, .pl, .rtf, .mmf,
.doc, .ods, .nch, .xls, .nsf, .txt, .wab, .eml, .hlp, .mht, .nfo, .php,
.asp, .shtml, .dbx, .dsw, .mde, .frm, .bas, .adr, .ctl, .dhtm, .cgi, .pp,
.ppt, .msg, .jsp, .oft, .vbs, .uin, .ldb, .abc, .pst, .cfg, .mdw, .mbx,
.mdx, .mda, .adp, .nab, .fdb, .vap, .cls, .ini, .ldif, .log, .mdb, .xml,
.wsh
The collected email addresses are stored in the Windows System folder as syst32win.dll. The worm then mails itself to these addresses using its own SMTP engine.
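The random executable name assembled from the tokens listed above, the Run/RunOnce values that launch it, and the syst32win.dll address store are the host-side artefacts an incident responder can check for. The following is an added example, not the vendor's tooling or code from the original page: it decides whether a file name is a concatenation of the page's tokens with a .exe extension (the two-token minimum is this example's own assumption, so single legitimate names such as explorer.exe are not flagged) and runs that check over a constructed snapshot of autorun values plus a constructed System-folder listing. On a real host the values would be read with winreg; that is deliberately not done here so the example runs anywhere.

```python
"""Host-side check for the W32/Sober.F persistence traits described on the page.

Added example; not code from the original page or from any vendor.  Works on a
constructed snapshot of Run/RunOnce values (assumed format: {key: {value: command}})
rather than the live registry.
"""
from functools import lru_cache

# Name fragments the page says the worm combines into its .exe file name.
SOBER_F_TOKENS = ("dir", "diag", "data", "win", "sys", "spool", "smss32",
                  "service", "explorer", "disc", "crypt", "32", "run", "log", "host")

# Address-harvest store named on the page.
SOBER_F_ADDRESS_STORE = "syst32win.dll"

# Autorun locations named on the page.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)


@lru_cache(maxsize=None)
def token_segmentation(stem: str):
    """Return a tuple of page tokens whose concatenation equals stem, or None.

    Depth-first search over token prefixes with memoised sub-stems, so the
    backtracking on partial matches (e.g. 'win' in 'winlogon') stays cheap.
    """
    if stem == "":
        return ()
    for tok in SOBER_F_TOKENS:
        if stem.startswith(tok):
            rest = token_segmentation(stem[len(tok):])
            if rest is not None:
                return (tok,) + rest
    return None


def looks_like_sober_f_name(filename: str) -> bool:
    """True when filename is <tokens>.exe made of at least two page tokens.

    The two-token floor is this example's assumption: it keeps single-token
    names such as explorer.exe or run.exe from being flagged on their own.
    """
    lower = filename.lower()
    if not lower.endswith(".exe"):
        return False
    seg = token_segmentation(lower[:-4])
    return seg is not None and len(seg) >= 2


def scan_autoruns(snapshot: dict, system_dir_files) -> list[str]:
    """Report suspicious autorun commands and the presence of the address store.

    snapshot maps each autorun key to {value_name: command}; commands are
    assumed to be a single (optionally quoted) path, as in the sample below.
    """
    findings = []
    for key in AUTORUN_KEYS:
        for value_name, command in snapshot.get(key, {}).items():
            parts = command.strip().strip('"').split()
            if not parts:
                continue
            exe = parts[0].replace("/", "\\").rsplit("\\", 1)[-1]
            if looks_like_sober_f_name(exe):
                findings.append(f"{key}\\{value_name} -> {command}")
    if any(f.lower() == SOBER_F_ADDRESS_STORE for f in system_dir_files):
        findings.append(f"address store present: {SOBER_F_ADDRESS_STORE}")
    return findings


# Constructed snapshot and directory listing; not data from a real host.
SAMPLE_SNAPSHOT = {
    AUTORUN_KEYS[0]: {
        "ctfmon": r"C:\WINDOWS\System32\ctfmon.exe",          # benign, no token match
        "sysdatalog": r"C:\WINDOWS\System32\sysdatalog.exe",  # sys + data + log
    },
    AUTORUN_KEYS[1]: {
        "winrunservice": r"C:\WINDOWS\System32\winrunservice.exe",  # win + run + service
    },
}
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "syst32win.dll", "sysdatalog.exe"]

if __name__ == "__main__":
    for line in scan_autoruns(SAMPLE_SNAPSHOT, SAMPLE_SYSTEM_DIR):
        print(line)
```

The segmentation check is a heuristic: any name the worm could generate from the page's token list is matched, but an unrelated program that happens to be named from the same fragments would match too, so a hit is a lead to confirm against the file's hash and the presence of syst32win.dll, not a verdict on its own.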
The worm does not mail itself to email addresses that contain any of the following strings:
@panda
@ntp.
@nai.
@foo.
linux
host.
google
freeav
free-av
ewido.
emsisoft
domain.
winzip
@msn
@messagelab
@kaspers
@ikarus.
@iana
winrar
virus
viren
verizon.
variabel
time
symant
support
service
redaktion
postmas
password
office
abuse
@sophos
@ca.
@avp
@arin
ntp@
ntp-
mozilla
microsoft.
mailer-daemon
clock
antivr