W32/Sober.I Worm

| Name | W32/Sober.I Worm |
| Aliases | W32/Sober.j@MM, W32.Sober.I@mm, WORM_SOBER.I |
| Discovered on | 19th November, 2004 |
Virus Information - W32/Sober.I Worm:
W32/Sober.I is an email worm and a variant of W32/Sober. It infects Windows systems and spreads through email. The infected email carries a spoofed 'From' address picked at random from the infected system.
The subject of the infected mail will be any one of the following:
Confirmation
Delivery_failure_notice
Details
Faulty_mail delivery
Mail Error
Mail delivery_failed
Mail_Delivery_failure
Oh God it's
Registration confirmation
Your Password
Your mail password
illegal signs in your mail
invalid mail
mail delivery system
The content of the mail will be any one of the following:
Your password was changed successfully!
I was surprised, too!
Who_could_suspect_something_like_that? shityiiiii
*-*-* Mail_Scanner: No Virus
*-*-* SKYNET- Anti_Virus Service
*-*-* http://www.skynet.be
++++++
User-Service: http://www.<domain-name>
++++++ MailTo: postmaster <domain-name>
Protected message is attached!
The worm carries an infected attachment with a random filename followed by a single or double extension. The second extension can be any one of these:
pif
bat
scr
com
exe
Upon execution of the infected attachment, it displays the following fake error message:
WinZip_Data_Module is missing ~Error: {2A0DCCF6}
After this it copies two .exe files into the Windows System folder. The names of the dropped files are combinations of the following strings:
win
sys
spool
smss32
service
run
pt
log
host
disc
dir
diag
data
cry
32
The worm also drops the following files in the Windows System folder:
clonzips.ssc
clsobern.isc
nonzipsr.noz
zippedsr.piz
The worm modifies the registry at the following location so that it is loaded at each startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The worm scans the infected system for email addresses and saves the ones it collects in the following files:
winexerun.dal
winsend32.dal
winroot64.dal
winmprot.dal
After this, the worm mails itself to these addresses using its own SMTP engine.
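As an added defensive example (not part of the original description), the following Python turns the indicators listed above into a check over constructed sample data: exact matches for the dropped and address-harvest files, plus a heuristic that flags a Run-key executable whose name is built entirely from the listed name fragments. The sample file names and Run values are constructed, and the fragment heuristic is only corroborating evidence, since a legitimate name could in principle be composed of the same tokens.

```python
import re
from functools import lru_cache

# Indicators from the W32/Sober.I description above.
NAME_TOKENS = ("win", "sys", "spool", "smss32", "service", "run", "pt", "log",
               "host", "disc", "dir", "diag", "data", "cry", "32")
DROPPED_FILES = {"clonzips.ssc", "clsobern.isc", "nonzipsr.noz", "zippedsr.piz"}
HARVEST_FILES = {"winexerun.dal", "winsend32.dal", "winroot64.dal", "winmprot.dal"}

# Constructed sample observations, not taken from a real system.
SAMPLE_SYSTEM32 = ["clonzips.ssc", "winexerun.dal", "smss.exe", "syshost32.exe"]
SAMPLE_RUN_VALUES = [r"C:\WINDOWS\system32\syshost32.exe",
                     r'"C:\Program Files\Vendor\updater.exe" /quiet']

@lru_cache(maxsize=None)
def is_token_combination(stem: str) -> bool:
    """True if stem splits entirely into NAME_TOKENS (e.g. sys+host+32)."""
    if stem == "":
        return True
    return any(stem.startswith(t) and is_token_combination(stem[len(t):])
               for t in NAME_TOKENS)

def suspicious_exe_name(filename: str) -> bool:
    """An .exe whose basename is built only from the dropper's name fragments."""
    m = re.fullmatch(r"([a-z0-9]+)\.exe", filename.lower())
    return bool(m) and is_token_combination(m.group(1))

def executable_from_run_value(value: str) -> str:
    """Return the file name of the program a Run-key command line launches."""
    v = value.strip()
    path = v[1:v.find('"', 1)] if v.startswith('"') else v.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def classify(filenames, run_values):
    """Bucket System-folder file names and Run-key values by indicator type."""
    hits = {"dropped": set(), "harvest": set(), "run_key": set()}
    for name in filenames:
        if name.lower() in DROPPED_FILES:
            hits["dropped"].add(name)
        elif name.lower() in HARVEST_FILES:
            hits["harvest"].add(name)
    for value in run_values:
        if suspicious_exe_name(executable_from_run_value(value)):
            hits["run_key"].add(value)
    return hits

if __name__ == "__main__":
    print(classify(SAMPLE_SYSTEM32, SAMPLE_RUN_VALUES))
```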