W32/Sober.O Worm

 Virus Information - W32/Sober.O Worm:

W32/Sober.O is an email worm. This worm is a variant of W32/Sober. The worm will infect Windows systems and spreads through email.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the infected mail will be either in English or German language.

The subject of the mail in English will be any one of the following;

Re:Your Password
Re: [blank]
Re:Your email was blocked
Re:mailing error
Re:Registration Confirmation

The subject of the mail in German will be any one of the following;

Glueckwunsch: Ihr WM Ticket
Mail-Fehler!
Ihr Passwort
Ich bin's, was zum lachen ;)
WM Ticket Verlosung
WM-Ticket-Auslosung
Ihre E-Mail wurde verweigert

The infected attachment will be any one of the following;

our_secret.zip
mail_info.zip
error-mail_info.zip
account_info.zip
account_info-text.zip
_PassWort-Info.zip
autoemail-text.zip
Fifa_Info-Text.zip
okTicket-info.zip
LOL.zip

The body of the infected mail will be either in English or German language.

The body of the mail in English will be any one of the following;

ok ok ok,,,,, here is it

Account and Password Information are attached!
Visit: (Random URL)

This is an automatically generated E-Mail Delivery Status Notification.

Mail-Header, Mail-Body and Error Description are attached

Adds one of the following texts randomly to the above-mentioned strings.

AntiVirus: No Virus found
Attachment-Scanner: Status OK
Server-AntiVirus: No Virus (Clean)
(Random URL)

The body of the mail in German will be any one of the following;

Diese E-Mail wurde automatisch erzeugt
Mehr Information finden Sie unter http:/ /www.[Random URL]
Folgende Fehler sind aufgetreten:
Fehler konnte nicht Explicit ermittelt werden
Aus Datenschutzrechtlichen Gruenden, muss die vollstaendige E-Mail incl. Daten gezippt & angehaengt werden.
Wir bitten Sie, dieses zu beruecksichtigen.
Auto ReMailer#

Passwort und Benutzer-Informationen befinden sich in der beigefuegten Anlage.
(Random URL)
*-* MailTo: PasswordHelp

Nun sieh dir das mal an
Was ein Ferkel ....

Herzlichen Glueckwunsch,
beim Run auf die begehrten Tickets fr die 64 Spiele der Weltmeisterschaft 2006 in Deutschland sind Sie
dabei.Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.

St. Rainer Gellhaus
--- Pressesprecher Jens Grittner und Gerd Graus
--- FIFA Fussball-Weltmeisterschaft 2006
--- Organisationskomitee Deutschland
--- Tel. 069 / 2006 - 2600
--- Jens.Grittner@ok2006.de
--- Gerd.Graus@ok2006.de

Adds one of the following texts randomly to the above-mentioned strings.

AntiVirus: Kein Virus gefunden
Mail-Scanner: Es wurde kein Virus festgestellt
AntiVirus-System: Kein Virus erkannt
WebSite: (Random URL)

Upon execution of the infected attachment, the worm copies itself as CSRSS.EXE, SERVICES.EXE and SMSS.EXE in the Windows folder.

It drops the following files in the Windows System folder:

adcmmmmq.hjg
langeinf.lin
nonrunso.ber
seppelmx.smx
xcvfpokd.tqa

It also drops the following files in the Windows folder:

sacri1.ggg
packed1.sbr
packed2.sbr
packed3.sbr

It modifies the Windows registry at the following locations to load itself during next startup;

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

To propagate itself, the worm scans for the following extensions and collects all the available email addresses from the infected system.

abc, abd, abx, adb, ade, adp, adr, asp, bak, bas, cfg, cgi, cls, cms, csv, ctl, dbx, dhtm, doc, dsp, dsw, eml, fdb, frm, hlp, imb, imh, imh, imm, ini, jsp, ldb, ldif, log, mbx, mda, mdb, mde, mdw, mdx, mht, mmf, msg, nab, nch, nfo, nsf, nws, ods, oft, php, phtm, pl, pmr, pp, ppt, pst, rtf, shtml, slk, sln, stm, tbb, txt, uin, vap, vbs, vcf, wab, wsh, xls, xml.

The worm mails itself to these addresses using its own SMTP engine.