Protector Plus Download Antivirus
Home
Download Antivirus
Antivirus Products
Order Antivirus


Antivirus Software for Windows XP/2000/2003
Antivirus Software for Windows Me/98
Antivirus Software for Exchange 2000/2003
Antivirus Software for NetWare

W32/Sober.L Worm

NameW32/Sober.L Worm
AliasesWORM_SOBER.L, W32/Sober-L
Discovered on 7th March, 2005

 Virus Information - W32/Sober.L Worm:

W32/Sober.L is a mass mailing worm. This is a variant of W32/Sober. The worm will infect Windows systems and spreads through email.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the infected mail will be any one of the following;

Ich habe Ihre E-Mail bekommen!
Your Password & Account number

The infected attachment will be any one of the following;

MailTexte.zip
acc_text.zip

The body of the infected mail will be any one of the following;

Hallo,
jemand schickt ihre privaten Mails auf meinem Account.
Ich schaetze mal, das es ein Fehler vom Provider ist.
Insgesamt waren es jetzt schon 6 Mails!
Ich habe alle Mail-Texte im Texteditor kopiert und gezippt.
Wenn es doch kein Fehler vom Provider ist, sorge dafuer das diese
Dinger nicht mehr auf meinem Account landen, es Nervt naemlich.

i've got an admin mail with a Password and Account info!
but the mail recipient are you! it's probably an esmtp error, i think.
i've copied the full mail text in the Windows text-editor & zipped.
ok, cya...

Upon execution of the infected attachment, the worm copies itself as

nonrunso.ber
read.me
stopruns.zhz
xcvfpokd.tqa

In the Windows system folder.

It also drops emdata.mmx, zipzip.zab file in the Windows msagent folder.

The worm modifies registry at the following location to load itself during each startup.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

To propagate itself, the worm scans the files having the following extensions and collects all the available email addresses from the infected system.

abc, abd, abx, adb, ade, adp, adr, asp, bak, bas, cfg, cgi, cls, cms, csv, ctl, dbx, dhtm, doc, dsp, dsw, eml, fdb, frm, hlp, imb, imh, imm, inbox, ini, jsp, ldb, ldif, log, mbx, mda, mdb, mde, mdw, mdx, mht, mmf, msg, nab, nch, nfo, nsf, nws, ods, oft, php, phtm, pl, pmr, pp, ppt, pst, rtf, shtml, slk, sln, stm, tbb, txt, uin, vap, vbs, vcf, wab, wsh, xhtml, xls, xml.

The worm mails itself to these addresses using its own SMTP engine.

The worm also tries to terminate the processes containing the following strings.

hijackthis
gcas
gcip
stinger
giantanti

Anti virus for Windows Download Now!

Home Page Download Antivirus Antivirus Products Order Antivirus

Copyright © 2005 Proland Software.All rights reserved

antivirus software, anti virus software, anti virus, download antivirus, download anti virus, free antivirus, free anti virus, antivirus, download, free, windows, windows xp, xp, sp2, windows me, windows 2000, 98, 95, nt, me, 2003, netware, anti-virus, virus, worm, trojan, protector, plus, proland, virus software, spyware