
Win32.Sober.T@mm

MEDIUM
VERY LOW
122751

Symptoms

Presence of a subdirectory called "ConnectionStatus" in the Windows directory.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Alexandru Pojoga, virus researcher

Technical Description:

This is a mass-mailing worm that poses as an image file. The icon is designed to mimic a JPEG file, giving the user the illusion of dealing with a harmless picture.

Since most users have Windows configured to hide file extensions, the file will appear as a JPEG icon with an innocuous caption:

(Screenshot: the attachment displayed with a JPEG icon and its real extension hidden.)

The worm is written in Visual Basic 6.0 and is packed with FSG.

When the user double-clicks the file (which usually comes as an email attachment), the program displays a bogus error message and apparently terminates:

(Screenshot: the bogus error message.)

In the background, the worm creates the directory C:\Windows\ConnectionStatus and drops a working copy there, under the name "services.exe".

A Registry entry is created to make sure the worm is always loaded:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinINet = C:\Windows\ConnectionStatus\services.exe

(Note: on some configurations, the Windows directory will be C:\WINNT instead of C:\Windows.)
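The directory and Run value above are the two host indicators a responder can check without running the sample. The following Python script is an added example and not part of Bitdefender's page: it parses a .reg export of the Run key (the output of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg`), flags any value whose name is "WinINet" or whose data points at ConnectionStatus\services.exe, and accepts both documented Windows directories (C:\Windows and C:\WINNT). The sample export text is constructed, and the matching logic is an assumption built only from the indicators listed above.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the analysis above. Both Windows directory names are
# accepted because the page notes that some systems use C:\WINNT.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "WinINet"
IOC_DROP_DIR = "ConnectionStatus"
IOC_DROP_FILE = "services.exe"
WINDOWS_DIRS = (r"C:\Windows", r"C:\WINNT")

# Constructed sample of a .reg export (what `reg export` writes), containing one
# benign autorun value and one value matching the indicators above.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"WinINet"="C:\\WINNT\\ConnectionStatus\\services.exe"
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # REG_SZ data in a .reg file escapes backslashes and double quotes.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of the .reg format needed here: [key] headers followed by
    "name"="string data" lines. Returns {key: {value name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def expected_drop_paths() -> List[str]:
    """Full path of the dropped copy for each documented Windows directory."""
    return [f"{w}\\{IOC_DROP_DIR}\\{IOC_DROP_FILE}" for w in WINDOWS_DIRS]


def find_sober_run_entries(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (value name, data, reason) for each Run value matching the indicators.
    Name and path are matched separately, so a renamed value still triggers on
    the path and a changed path still triggers on the name."""
    keys = parse_reg_export(reg_text)
    run_values: Dict[str, str] = {}
    for key, values in keys.items():
        if key.lower() == RUN_KEY.lower():  # registry key names are case-insensitive
            run_values.update(values)
    hits = []
    marker = f"\\{IOC_DROP_DIR}\\{IOC_DROP_FILE}".lower()
    for name, data in run_values.items():
        reasons = []
        if name.lower() == IOC_VALUE_NAME.lower():
            reasons.append("value name matches " + IOC_VALUE_NAME)
        if marker in data.lower():
            reasons.append("data points to " + IOC_DROP_DIR + "\\" + IOC_DROP_FILE)
        if reasons:
            hits.append((name, data, "; ".join(reasons)))
    return hits


def find_drop_dirs(existing_dirs: List[str]) -> List[str]:
    """Given directory paths found on a host (e.g. subfolders of the Windows
    directory), return those equal to <windir>\\ConnectionStatus."""
    wanted = {f"{w}\\{IOC_DROP_DIR}".lower() for w in WINDOWS_DIRS}
    return [d for d in existing_dirs if d.rstrip("\\").lower() in wanted]


if __name__ == "__main__":
    for name, data, why in find_sober_run_entries(SAMPLE_REG_EXPORT):
        print(f"suspicious Run value {name!r} -> {data}  ({why})")
    # constructed listing of a Windows directory's subfolders
    print(find_drop_dirs([r"C:\Windows\System32", r"C:\Windows\ConnectionStatus"]))
```

Real `reg export` output is UTF-16 with a byte-order mark, so read the file with `encoding="utf-16"` before passing it to `find_sober_run_entries`. Matching name and path independently is deliberate: either indicator alone is worth a look, and a hit on both is a strong signal that the Run entry belongs to the worm rather than a legitimate WinINet component.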

The worm also checks whether Microsoft's Malicious Software Removal Tool is running and, if so, terminates it.

To locate email addresses for further spreading, it searches through files with the following extensions:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

Using a built-in SMTP engine, it sends emails with the following subject and contents:

Your new Password
OR
Your password was successfully changed!
OR
Please see the attached file for detailed information.
OR
Fwd: Klassentreffen

ich hoffe jetzt mal das ich endlich die richtige person erwischt habe!
ich habe jedenfalls mal unser klassenfoto von damals mit angehangt
wenn du dich dort wiedererkennst, dann schreibe unbedingt zur
wenn ich aber wieder mal die falsche person erwischt habe, dann sorry fur die belastigung

(Roughly: "I hope this time I've finally reached the right person! In any case I've attached our class photo from back then. If you recognise yourself in it, be sure to write. If I've got the wrong person again, then sorry for the bother.")