W32/Sober.A

SpamChoke Antispam
Software

Subscribe to Virus Alert
Mailing List

Enter your Email
(Ex : john@company.com)

W32/Sober.G Worm

Information about the W32/Sober.G Worm:

W32/Sober.G is a mass mailing worm. This worm will infect Windows systems. This worm spreads through email.

The subject of the infected mail will be any one of the following;

#
damn!
Details
Warning!
hey dude!
hi there
wazzup!!!
Confirmation
Oh God i'ts
DBase Error
yeah dude :P
Mailing Error
Your Password
Your mail account
why do you do that?
Invalid mail length
Faulty mail delivery
Illegal signs in E-Mail
Mail Delivery failure
Mail delivery failed
ups, i've got your mail
Sorry, that's your mail
mail delivery status
Delivery failure notice
Registration confirmation

The body of the infected mail contains any one of the following;

:Hey alles klar? Hier sind die Tools die du haben wolltest!
Viel Spaß damit ;)
Cu!
+-+-+ Anti-Virus Service: Es konnte kein Virus erkannt werden
+-+-+ IMMOBILIENSCOUT24- AntiVirus Service
+-+-+ http://www.immobi<blocked>cout24.de

Diese E-Mail wurde automatisch erzeugt. Weitere Informationen erhalten Sie unter http://www.<blocked>.es Folgende Fehler sind aufgetreten:
102.66.216.136_does_not_like_sender.
# 177: MAILBOX NOT FOUND
# 169: This_account_has_been_discontinued_[#184].
# 455: Giving_up_on_102.66.216.136.
# 513: mailbox_unavailable
Ende der Mitteilung
Das diese E-Mail automatisch generiert wurde, darf aus Datenschutzrechtlichen Gründen die vollständige E-Mail nur angehängt werden. Wir bitten dies zu berücksichtigen.
Auto-ReMail.System#: [<blocked>]
+-+-+ X-Attachment_Scanner: NO VIRUS
+-+-+ HOAX-INFO- AntiVirus Service
+-+-+ http://www.ho<blocked>-info.de

Diese Information ist Passwort geschützt. Da Sie uns Ihre Persönlichen Daten mitgeteilt haben, ist das Passwort Ihr Geburts-Datum!
Viel Spass mit unserem Angebot
---
Im I-Net unter: http://www.<blocked>.de

:Hey alles klar? Hier sind die Tools die du haben wolltest!
Viel Spaß damit ;)
Cu!

The infected attachment has a name which is randomly composed either in English or German languages;

The name of the infected attachment will be any one of the following;

EM.
mail
oh_no
photo
idiot
stuff
shock
ohyeah
private
your_docs
thatshard
article
more_infos
ReMailer
check_this
p_message
yourmail
painfulness

The file extension of the infected attachment will be any one of the following;

.scr
.com
.bat
.pif
.zip

Upon execution of the infected attachment, it displays a dialog box with a message, "File not found". After this, the worm copies itself with a random file name in the Windows System folder. It also drops following files in Windows System folder;

zhcarxxi.vvx
bcegfds.lll
cvqaikxt.apk
xdatxzap.zxp
winexpoder.dats
wincheck32.dats
winzweier.dats
datsobex.wwr

The worm modifies registry at the following location to load itself during each startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

The worm scans the infected system for the following extensions to collect the available email addresses.

.vcf
.vbs
.vap
.uin
.txt
.asp
.adr
.adp
.ade
.adb
.abx
.abd
.abc
.log
.ldif
.ldb
.jsp
.ini
.inbox
.imm
.imh
.imb
.hlp
.frm
.fdb
.eml
.dsw
.dsp
.doc
.xml
.xls
.xhtml
.wsh
.wab
.tbb
.stm
.sln
.slk
.shtml
.rtf
.pst
.ppt
.pp
.pmr
.pl
.php
.oft
.ods
.nws
.nsf
.nfo
.nch
.nab
.msg
.mmf
.mht
.mbx
.dhtm
.db
.ctl
.csv
.cms
.cls
.cgi
.cfg
.bas
.bak
.mdx
.mdw
.mde
.mdb
.mda

After this the worm mails itself to these addresses using its own SMTP engine.

This worm first appeared on 15 May, 2004.

Other names of W32/Sober.G Worm:

This worm is also known as W32/Sober.g@MM, Win32.Sober.G, W32/Sober-G, Sober.G, I-Worm.Sober.G.

Click here to download a 30 day Evaluation Copy of
Protector Plus for your operating system

About Protector Plus Antivirus Software Packages:

Proland Software is the developer of Protector Plus range of antivirus software packages. Protector Plus is available for Windows Vista, Windows 95/98/Me, Windows XP, Windows NT/2000/2003 servers and workstations, MS-Exchange 2000/2003, MS-DOS and NetWare servers.

New:
SpamChoke Antispam Software
Download Now!

Protector Plus range of antivirus products offer on-line virus detection and removal. All the packages have the ability to detect and isolate all types of viruses, trojans, worms and other types of malware. Protector Plus antivirus software can detect and remove W32/Sober.G worm reliably.

These products are updated on a continuous basis and the latest upgrades for all the platforms are made available for downloading from this site.

Click here to order
Protector Plus Antivirus software