W32/Sober.A

| Name | W32/Sober.A |
| Aliases | W32/Sober.g@MM, Sober.G, WORM_SOBER.G, sober, sober.g, soberg |
| Discovered on | 15 May, 2004 |
Virus Information - W32/Sober.A:
W32/Sober.A (also detected as Sober.G) is a mass-mailing worm. It infects Windows systems and spreads through email.
The subject line of the infected email is one of the following:
#
damn!
Details
Warning!
hey dude!
hi there
wazzup!!!
Confirmation
Oh God i'ts
DBase Error
yeah dude :P
Mailing Error
Your Password
Your mail account
why do you do that?
Invalid mail length
Faulty mail delivery
Illegal signs in E-Mail
Mail Delivery failure
Mail delivery failed
ups, i've got your mail
Sorry, that's your mail
mail delivery status
Delivery failure notice
Registration confirmation
The body of the infected email is one of the following (the worm's German texts are kept verbatim as indicators; an English translation follows each in brackets):

Hey alles klar? Hier
sind die Tools die du haben wolltest!
Viel Spaß damit ;)
Cu!
[Hey, everything OK? Here are the tools you wanted! Have fun with them ;) Cu!]

+-+-+ Anti-Virus Service: Es konnte kein Virus erkannt werden
+-+-+ IMMOBILIENSCOUT24- AntiVirus Service
+-+-+ http://www.immobi<blocked>cout24.de
[Anti-Virus Service: No virus could be detected]

Diese E-Mail wurde automatisch
erzeugt. Weitere Informationen erhalten Sie unter http://www.<blocked>.es
Folgende Fehler sind aufgetreten:
102.66.216.136_does_not_like_sender.
# 177: MAILBOX NOT FOUND
# 169: This_account_has_been_discontinued_[#184].
# 455: Giving_up_on_102.66.216.136.
# 513: mailbox_unavailable
Ende der Mitteilung
Das diese E-Mail automatisch generiert wurde, darf aus Datenschutzrechtlichen
Gründen die vollständige E-Mail nur angehängt werden. Wir
bitten dies zu berücksichtigen.
Auto-ReMail.System#: [<blocked>]
[This email was generated automatically. Further information is available at http://www.<blocked>.es. The following errors occurred: (error lines as above). End of message. Because this email was generated automatically, for data-protection reasons the complete email may only be attached. Please take this into account.]

+-+-+ X-Attachment_Scanner: NO VIRUS
+-+-+ HOAX-INFO- AntiVirus Service
+-+-+ http://www.ho<blocked>-info.de

Diese Information ist
Passwort geschützt. Da Sie uns Ihre Persönlichen Daten mitgeteilt
haben, ist das Passwort Ihr Geburts-Datum!
Viel Spass mit unserem Angebot
---
Im I-Net unter: http://www.<blocked>.de
[This information is password protected. Since you have given us your personal data, the password is your date of birth! Enjoy our offer. On the Internet at: http://www.<blocked>.de]
The attachment name is composed from English or German words and is one of the following:
EM.
mail
oh_no
photo
idiot
stuff
shock
ohyeah
private
your_docs
thatshard
article
more_infos
ReMailer
check_this
p_message
yourmail
painfulness
The attachment's file extension is one of the following:
.scr
.com
.bat
.pif
.zip
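The subject, attachment-name and extension lists above are the mail-gateway indicators for this worm. The following script is an added example, not code from the original page or from any antivirus vendor: it parses a raw RFC 822 message, matches the subject against the worm's subject list and checks every attachment's stem and extension against the name and extension lists, opening a `.zip` attachment in memory to inspect its members (the worm also ships its executable inside an archive). The verdict logic (attachment naming is the strong indicator, a subject match alone only earns "review", because subjects such as "Details" or "Confirmation" are generic) and the `build_sample` helper that constructs test messages are this example's own design, and the sample messages, addresses and payload bytes are constructed.

```python
import email
import io
import ntpath
import zipfile
from email import policy
from email.message import EmailMessage

# Indicator lists transcribed from the description on this page (lower-cased for matching).
SOBER_SUBJECTS = {
    "damn!", "details", "warning!", "hey dude!", "hi there", "wazzup!!!",
    "confirmation", "oh god i'ts", "dbase error", "yeah dude :p",
    "mailing error", "your password", "your mail account",
    "why do you do that?", "invalid mail length", "faulty mail delivery",
    "illegal signs in e-mail", "mail delivery failure", "mail delivery failed",
    "ups, i've got your mail", "sorry, that's your mail", "mail delivery status",
    "delivery failure notice", "registration confirmation",
}
SOBER_NAMES = {
    "em", "mail", "oh_no", "photo", "idiot", "stuff", "shock", "ohyeah",
    "private", "your_docs", "thatshard", "article", "more_infos", "remailer",
    "check_this", "p_message", "yourmail", "painfulness",
}
EXEC_EXTS = {".scr", ".com", ".bat", ".pif"}


def name_matches(filename):
    """True if <stem><ext> is one of the worm's attachment name / extension pairs."""
    stem, ext = ntpath.splitext(ntpath.basename(filename.lower()))
    return stem in SOBER_NAMES and ext in EXEC_EXTS


def attachment_hits(msg):
    """Return (filename, reason) pairs for attachments that match the worm's naming.
    A .zip attachment is opened in memory and each member is checked as well."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name_matches(name):
            hits.append((name, "executable attachment with Sober naming"))
            continue
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if name_matches(member):
                            hits.append((name, f"zip member {member} has Sober naming"))
            except zipfile.BadZipFile:
                hits.append((name, "attachment claims .zip but is not a valid archive"))
    return hits


def classify(raw):
    """Classify one raw RFC 822 message (bytes) against the Sober indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("subject", "")).strip().lower()
    subject_match = subject in SOBER_SUBJECTS
    hits = attachment_hits(msg)
    if hits:
        verdict = "sober"      # attachment naming is the strong indicator
    elif subject_match:
        verdict = "review"     # subjects alone are generic; hand to an analyst
    else:
        verdict = "clean"
    return {"subject_match": subject_match, "attachment_hits": hits, "verdict": verdict}


def build_sample(subject, attach_name, attach_bytes, zip_member=None):
    """Construct a test message (hypothetical addresses); with zip_member the payload is wrapped in a zip."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("constructed body for testing")
    if zip_member:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(zip_member, attach_bytes)
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=attach_name)
    else:
        msg.add_attachment(attach_bytes, maintype="application", subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("Mail delivery failed", "yourmail.zip", b"MZ\x90\x00", zip_member="yourmail.pif")
    print(classify(sample))
```

The matcher is deliberately exact on the stem/extension pair rather than on the extension alone, so a legitimate `photo.zip` holding `photo.jpg` stays clean while `photo.zip` holding `photo.pif` is flagged.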
When the attachment is executed, it displays a dialog box with the message "File not found". The worm then copies itself under a random file name into the Windows System folder and drops the following files there:
zhcarxxi.vvx
bcegfds.lll
cvqaikxt.apk
xdatxzap.zxp
winexpoder.dats
wincheck32.dats
winzweier.dats
datsobex.wwr
The worm adds an entry under the following registry keys so that it is loaded at every startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
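The dropped files and the Run/RunOnce keys are the host-side indicators. The following script is an added example, not code from the original page: it checks a listing of the Windows System folder for the eight dropped files and parses each Run/RunOnce command line to find entries whose executable lives in the System folder, which is where the worm copies itself under a random name. Because the name is random, such entries are only reported for review; legitimate Windows components also start from there. The assessment is a pure function so it can be run offline against data exported from another machine, and `collect_live` gathers the same data on Windows via the standard `winreg` module. The sample listing and Run values in the test are constructed, and the default System folder path is an assumption.

```python
import ntpath
import os
import sys

# Files the worm drops into the Windows System folder, transcribed from this page.
SOBER_DROPPED = {
    "zhcarxxi.vvx", "bcegfds.lll", "cvqaikxt.apk", "xdatxzap.zxp",
    "winexpoder.dats", "wincheck32.dats", "winzweier.dats", "datsobex.wwr",
}
RUN_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)


def exe_from_command(cmd):
    """Return the executable path from a Run-value command line ("quoted path" args or path args)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def assess(system_dir_listing, run_entries, system_dir=r"C:\WINDOWS\System32"):
    """Pure check over collected data.
    system_dir_listing: file names found in the System folder.
    run_entries: (key_path, value_name, command) tuples from Run and RunOnce.
    system_dir: assumed default; pass the real %SystemRoot%\\System32 when known."""
    listing = {n.lower() for n in system_dir_listing}
    dropped = sorted(SOBER_DROPPED & listing)
    sysdir = system_dir.lower().rstrip("\\")
    in_sysdir = []
    for key_path, value_name, command in run_entries:
        exe = exe_from_command(command)
        if ntpath.dirname(exe).lower().rstrip("\\") == sysdir:
            in_sysdir.append((key_path, value_name, exe))
    if dropped:
        verdict = "infected"   # the marker files are specific to this worm
    elif in_sysdir:
        verdict = "review"     # random-named copy would show up here, but so do legitimate entries
    else:
        verdict = "clean"
    return {"dropped_files": dropped, "run_entries_in_system_dir": in_sysdir, "verdict": verdict}


def collect_live():
    """Windows only: enumerate HKLM Run/RunOnce values and list the System folder."""
    import winreg
    entries = []
    for key_path in RUN_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:      # raised when no more values remain
                        break
                    entries.append((key_path, name, str(value)))
                    index += 1
        except OSError:                  # key absent or not readable
            continue
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "System32")
    return os.listdir(sysdir), entries, sysdir


if __name__ == "__main__":
    if sys.platform == "win32":
        listing, entries, sysdir = collect_live()
        print(assess(listing, entries, sysdir))
    else:
        print("live collection needs Windows; call assess() with exported data instead")
```

On a non-Windows analysis box, feed `assess()` a directory listing and a registry export taken from the suspect host; the verdict "infected" is driven only by the dropped marker files, and the Run-key list is context for the analyst.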
The worm collects email addresses from files on the infected system that have the following extensions:
.vcf
.vbs
.vap
.uin
.txt
.asp
.adr
.adp
.ade
.adb
.abx
.abd
.abc
.log
.ldif
.ldb
.jsp
.ini
.inbox
.imm
.imh
.imb
.hlp
.frm
.fdb
.eml
.dsw
.dsp
.doc
.xml
.xls
.xhtml
.wsh
.wab
.tbb
.stm
.sln
.slk
.shtml
.rtf
.pst
.ppt
.pp
.pmr
.pl
.php
.oft
.ods
.nws
.nsf
.nfo
.nch
.nab
.msg
.mmf
.mht
.mbx
.dhtm
.db
.ctl
.csv
.cms
.cls
.cgi
.cfg
.bas
.bak
.mdx
.mdw
.mde
.mdb
.mda
The worm then mails itself to the harvested addresses using its own SMTP engine.