W32/Sober.J Worm

| Field | Value |
| --- | --- |
| Name | W32/Sober.J Worm |
| Aliases | WORM_SOBER.J, W32/Sober.J@mm, W32/Sober-J, W32/Reblin.A@mm |
| Discovered on | 31 January 2005 |
Virus Information - W32/Sober.J Worm:
W32/Sober.J is a mass-mailing email worm and a variant of W32/Sober.A. It infects Windows systems and spreads by email.
Each infected message carries a spoofed 'From' address chosen at random from the addresses harvested on the infected system.
The subject of the infected message is one of the following:
I've got YOUR email on my account!!
Warum beantwortest Du meine E-Mails nicht? (German: "Why don't you answer my e-mails?")
The message body is one of the following, reproduced verbatim including the worm's own spelling and grammar errors:
Hello,
First, Sorry for my very bad English!
Someone send your private mails on my email account!
I think it's an Mail-Provider or SMTP error.
Normally, I delete such emails immediately, but in the mail-text is a name & adress. I think it's your name and adress.
The sender of this mails is in the text file, too.
In the last 8 days i've got 7 mails in my mail-box, but the recipient are you, not me. lol
OK, I've copied all email text in the Windows Text-Editor and i've zipped the text file with WinZip
bye
Kommen meine Mails nicht mehr bei dir an oder so???
Habe mir jetzt extra eine neue Mail Adresse bei GMX gemacht!
Ich hoffe mal, das sie jetzt zu dir durch dringen wird.
In meinen anderen Mails habe ich einige Wichtige Dinge niedergeschrieben, hatte aber
keine Lust alles nochmal zu schreiben.
Deshalb habe ich die alten Mail-Texte im Texteditor kopiert und mit Winzip kleiner gemacht.
Lesen und diesmal auch bescheid geben!!!!
tschau.....
(English translation of the German body: "Are my mails not reaching you any more, or what??? I've now set up a new mail address at GMX just for this! I hope it will get through to you now. In my other mails I wrote down some important things, but I didn't feel like writing everything again. So I copied the old mail texts into the text editor and made them smaller with WinZip. Read it, and let me know this time!!!! bye.....")
The file name of the infected attachment is one of the following:
text
email_text
mail_text-info.txt followed by a run of space characters (the padding separates the visible ".txt" from the real extension, so in many mail clients the attachment appears to be a plain text file)
The real extension of the infected attachment is one of the following:
.exe, .com, .bat, .scr, .pif, .zip
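The subject lines, lure file names and attachment extensions above are enough to write a mail-gateway check. The following script is an added example (it is not code from the original page or from any antivirus vendor): it parses a raw RFC 822 message with Python's standard `email` module, flags the known subjects, the lure names, the executable and archive extensions, and specifically the whitespace padding before the real extension. The sample message is constructed for the example, and the function names (`classify_attachment_name`, `scan_message`) are my own.

```python
import email

# Indicators copied from the W32/Sober.J description on this page.
SUBJECTS = {
    "I've got YOUR email on my account!!",
    "Warum beantwortest Du meine E-Mails nicht?",
}
LURE_NAMES = {"text", "email_text", "mail_text-info.txt"}
EXEC_EXTENSIONS = {"exe", "com", "bat", "scr", "pif", "zip"}


def classify_attachment_name(name: str) -> list:
    """Return the reasons an attachment file name looks like a Sober.J lure ([] if none)."""
    reasons = []
    if "." in name:
        stem, ext = name.rsplit(".", 1)
    else:
        stem, ext = name, ""
    if ext.lower() in EXEC_EXTENSIONS:
        reasons.append(f"executable or archive extension .{ext.lower()}")
    if stem != stem.rstrip():
        # e.g. "mail_text-info.txt<many spaces>.pif": the padding pushes the
        # real extension out of view so the file looks like a text file.
        reasons.append("whitespace padding before the real extension")
    if stem.rstrip().lower() in LURE_NAMES:
        reasons.append("known Sober.J lure file name")
    return reasons


def scan_message(raw: str) -> dict:
    """Parse a raw RFC 822 message and report the Sober.J indicators it carries."""
    msg = email.message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    result = {"subject_match": subject in SUBJECTS, "attachments": {}}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # keeps internal whitespace, strips only the ends
        if name is None:
            continue
        reasons = classify_attachment_name(name)
        if reasons:
            result["attachments"][name] = reasons
    if result["subject_match"] and result["attachments"]:
        result["verdict"] = "sober_j"
    elif result["attachments"]:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "clean"
    return result


# Constructed sample, not a captured worm message: lure name padded with spaces
# before a .pif extension, as the page's "mail_text-info.txt <space>" describes.
PADDED_NAME = "mail_text-info.txt" + " " * 12 + ".pif"

SAMPLE_SOBER = f"""\
From: someone@example.invalid
To: victim@example.invalid
Subject: I've got YOUR email on my account!!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sober-boundary"

--sober-boundary
Content-Type: text/plain; charset="us-ascii"

Hello,
First, Sorry for my very bad English!
bye

--sober-boundary
Content-Type: application/octet-stream; name="{PADDED_NAME}"
Content-Disposition: attachment; filename="{PADDED_NAME}"
Content-Transfer-Encoding: base64

Tm90IGEgcmVhbCBwYXlsb2Fk
--sober-boundary--
"""

SAMPLE_CLEAN = """\
From: colleague@example.invalid
To: victim@example.invalid
Subject: Lunch tomorrow?

Are you free at noon?
"""

if __name__ == "__main__":
    for raw in (SAMPLE_SOBER, SAMPLE_CLEAN):
        print(scan_message(raw))
```

The padding check is the part worth keeping even after Sober.J itself is long gone: any attachment whose name contains whitespace immediately before an executable extension is worth quarantining on its own, regardless of subject line.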
On execution, the worm copies itself to a file whose name is chosen at random by joining strings from the following list, with the extension .exe:
spool
sys
win
diag
dir
disc
expoler
host
log
run
service
smss32
32
crypt
data
It adds a value under the following registry key so that the dropped copy is loaded at the next startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
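Because the dropped file name is assembled from a fixed list of fragments, a host-side check can test whether a Run-key entry points at an executable whose base name decomposes entirely into those fragments. The script below is an added example, not code from the page or from any vendor: `tokenize` does the decomposition (longest fragment first, with memoisation so ambiguous names like "smss32" versus "32" are resolved), `scan_run_values` applies it to a dictionary of Run-key values, and `read_hkcu_run` reads the real key through `winreg` on Windows. The sample Run-key contents are constructed for the example, and all function names are my own.

```python
import ntpath
import sys

# File-name fragments listed on the page for the dropped copy of W32/Sober.J.
FRAGMENTS = ["spool", "sys", "win", "diag", "dir", "disc", "expoler", "host",
             "log", "run", "service", "smss32", "32", "crypt", "data"]
BY_LENGTH = sorted(FRAGMENTS, key=len, reverse=True)


def tokenize(stem: str):
    """Split a lowercase file-name stem entirely into page-listed fragments.

    Returns the fragment list, or None if any part of the name is not a fragment.
    Depth-first with memoisation, so a failed split is never re-explored.
    """
    memo = {}

    def go(pos):
        if pos == len(stem):
            return []
        if pos in memo:
            return memo[pos]
        for frag in BY_LENGTH:
            if stem.startswith(frag, pos):
                rest = go(pos + len(frag))
                if rest is not None:
                    memo[pos] = [frag] + rest
                    return memo[pos]
        memo[pos] = None
        return None

    return go(0)


def executable_from_command(cmd: str) -> str:
    """Extract the executable path from a Run-key command line (quoted, bare, or with arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")  # unquoted path that may contain spaces
    if idx != -1:
        return cmd[:idx + 4]
    return cmd.split()[0] if cmd else ""


def scan_run_values(values: dict) -> dict:
    """values: {value_name: command_line} as read from HKCU\\...\\Run.

    Returns {value_name: fragments} for every entry whose .exe name is built
    only from the Sober.J fragments. Heuristic: a legitimate name that happens
    to decompose the same way would also be flagged, so treat hits as leads.
    """
    hits = {}
    for name, cmd in values.items():
        exe = ntpath.basename(executable_from_command(cmd))
        stem, _, ext = exe.rpartition(".")
        if ext.lower() != "exe" or not stem:
            continue
        tokens = tokenize(stem.lower())
        if tokens:
            hits[name] = tokens
    return hits


def read_hkcu_run() -> dict:
    """Read the real HKCU Run key on Windows; on other platforms return {} (assumption: winreg available)."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = str(data)
            i += 1
    return values


# Constructed sample Run-key contents, not taken from a real infected host.
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "WinSpool": r"C:\Windows\winspoolsys.exe",
    "Logger": r'"C:\Windows\System32\crypt32data.exe" /silent',
}

if __name__ == "__main__":
    print(scan_run_values(read_hkcu_run() or SAMPLE_RUN))
```

On a live Windows host run it as the affected user, since the key is per-user (HKEY_CURRENT_USER); a different account's Run key will not show the worm's value.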
To propagate, the worm scans files with the following extensions on the infected system and harvests every email address it finds in them:
.abc, .abd, .abx, .eml, .fdb, .frm, .msg, .nab, .nch, .uin, .vap, .adb, .ade, .adp, .hlp, .imb, .imh, .stm, .tbb, .txt, .vbs, .vcf, .adr, .asp, .bak, .imm, .inbox, .ini, .nfo, .nsf, .nws, .wab, .wsh, .bas, .cfg, .cgi, .jsp, .ldb, .ldif, .ods, .oft, .php, .xhtml, .cls, .cms, .csv, .log, .mbx, .mda, .pl, .pmr, .pp, .xls, .ctl, .dbx, .dhtm, .mdb, .mde, .mdw, .ppt, .pst, .rtf, .doc, .dsp, .dsw, .mdx, .mht, .mmf, .shtml, .slk, .sln, .xml.
The worm then mails itself to the harvested addresses using its own SMTP engine, so it does not depend on the victim's mail client.