BitDefender Antivirus

Win32.Sober.N@mm

Spreading: high
Damage: medium
Size: 73541 bytes (packed)
Discovered: 2005 Apr 19

SYMPTOMS:

Presence of the files services.exe, zipped.wrm and maddys.xyz in %WINDOWS%\Config\system. Note that the worm's services.exe lives in that directory, not in %WINDOWS%\System32 where the legitimate Windows services.exe (the Service Control Manager) resides.

Presence of the registry value:
"_SystemCheck" = %WINDOWS%\config\system\services.exe
under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.

TECHNICAL DESCRIPTION:

The worm arrives by e-mail, in German or English.
The sender address is spoofed.

The subject line is either "FwD: Ich bin's nochmal" (German: "Fwd: It's me again") or "I've_got your EMail on my_account!".
The body, reproduced verbatim including the worm's own spelling, is either:
Verdammt,,,,
ich hatte vergessen Dir meinen Text mitzuschicken.
Aber bitte nicht woanders darueber Reden, ich wuerde mich dann zu Tode blamieren!
Ich melde mich.
Bis bald ;)

(English translation: "Damn,,,, I forgot to send you my text. But please don't talk about it anywhere else, I would die of embarrassment! I'll be in touch. See you soon ;)")

or:
Hello,
First, Very Sorry for my bad English.
Someone is sending your private e-mails on my address.
It\'s probably an e-mail provider error!
]-f
At time, I\'ve got over 10 mails on my account, but the recipient are you.
I have copied all the mail text in the windows text-editor for you & zipped then.
Make sure, that this mails don\'t come in my mail-box again.
bye


The attachment is called either Private-Texte.zip or your_text.zip and contains a single executable named
mail.document.Datex-packed.exe.


To harvest e-mail addresses, the worm searches files on the local disk with the following extensions:
pmr,phtm,stm,slk,inbox,imb,csv,bak,imh,xhtml,imm,imh,cms,nws,vcf,ctl,dhtm,cgi,pp,ppt,msg,
jsp,oft,vbs,uin,ldb,abc,pst,cfg,mdw,mbx,mdx,mda,adp,nab,fdb,vap,dsp,ade,sln,dsw,mde,frm,bas,
adr,cls,ini,ldif,log,mdb,xml,wsh,tbb,abx,abd,adb,pl,rtf,mmf,doc,ods,nch,xls,nsf,txt,wab,eml,hlp,mht,
nfo,php,asp,shtml,dbx.

The worm does not send mail to any address containing one of the following strings (most of them identify antivirus vendors, mail infrastructure, or placeholder addresses):
@www,@from.,smtp-,@smtp.,ftp.,.dial.,.ppp.,anyone,@gmetref,sql.,someone,nothing,you@,user@,
reciver@,somebody,secure,whatever@,whoever@,anywhere,yourname,mustermann@,
mailer-daemon,variabel,noreply,-dav,law2,.qmail@,freeav,@ca.,abuse,winrar,domain.,host.,viren,
bitdefender,spybot,detection,ewido.,emsisoft,linux,@foo.,winzip,@example.,bellcore.,@arin,
@iana,@avp,icrosoft.,@sophos,@panda,@kaspers,free-av,antivir,virus,verizon.,@ikarus.,@nai.,
@messagelab,nlpmail01.,clock

Removal instructions:

Manual removal:
Terminate the worm process if it is running (the services.exe launched from %WINDOWS%\Config\system, not the legitimate %WINDOWS%\System32\services.exe), then delete the "_SystemCheck" value from the Run/RunOnce keys listed above and finally delete the three dropped files.
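As an added example that is not part of this BitDefender entry, the following PowerShell script performs those steps against the indicators listed under SYMPTOMS. It assumes PowerShell 3.0 or later running with local administrator rights; it only reports what it finds unless the -Remove switch is given, and it matches the worm process on its full image path so that the real Service Control Manager is never touched.

```powershell
# Added example (not BitDefender's code): check for and optionally remove the
# Win32.Sober.N@mm indicators listed in the write-up above.
# Assumes PowerShell 3.0+ and local administrator rights.
[CmdletBinding()]
param(
    [switch]$Remove   # without this switch the script only reports
)

# Paths and values exactly as given in the write-up
$dropDir   = Join-Path $env:windir 'Config\system'
$dropFiles = 'services.exe', 'zipped.wrm', 'maddys.xyz' | ForEach-Object { Join-Path $dropDir $_ }
$runKeys   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$valueName = '_SystemCheck'
$wormExe   = Join-Path $dropDir 'services.exe'

$found = $false

# 1. Running process. The worm's binary is named services.exe, like the
#    legitimate Service Control Manager in System32, so match on the full
#    executable path rather than on the process name alone.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'services.exe'" |
         Where-Object { $_.ExecutablePath -and $_.ExecutablePath -ieq $wormExe }
foreach ($p in $procs) {
    $found = $true
    Write-Warning "Worm process running: PID $($p.ProcessId) $($p.ExecutablePath)"
    if ($Remove) { Stop-Process -Id $p.ProcessId -Force }
}

# 2. Autostart value in Run / RunOnce
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $val = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($val) {
        $found = $true
        Write-Warning "Autostart value: $key\$valueName = $val"
        if ($Remove) { Remove-ItemProperty -Path $key -Name $valueName }
    }
}

# 3. Dropped files, only under %WINDOWS%\Config\system (never System32).
#    Done last so the process is already stopped and the file is not locked.
foreach ($f in $dropFiles) {
    if (Test-Path -LiteralPath $f) {
        $found = $true
        Write-Warning "Dropped file: $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

if (-not $found) { Write-Output 'No Win32.Sober.N@mm indicators found.' }
```

Run it once without -Remove to confirm the findings, then with -Remove to clean up; rebooting afterwards and re-running it verifies that the autostart value has not been recreated.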


Automatic removal: let BitDefender disinfect the infected files.

ANALYZED BY:

Alexandru Carp,
BitDefender Virus Researcher