Your essential free software toolbox

SHARE
THIS ON

Win32.Sober.Y@mm

MEDIUM

LOW

140,210 bytes

()

Download removal tool

Symptoms

The presence of the following folder:

C:\%WINDIR%\ConnectionStatus\Microsoft\

The following files in the folder mentioned above:

services.exe (140,064 bytes)

The precense of the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"[space]WinCheck"= %WINDIR%\ConnectionStatus\Microsoft\services.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"_WinCheck"= %WINDIR%\ConnectionStatus\Microsoft\services.exe"

Removal instructions:

Please let BitDefender disinfect your files.

Use the free removal tool to disinfect your computer (see the link at the top of this page). The tool detects and removes all variants of Sober worm between S and AD.

Analyzed By

Raul Tosa, virus researcher

Technical Description:

The worm comes as a ZIP archive in the infected email, containing an executable of 140064 bytes. Once executed, a fake error message is shown in order to make the user believe the file is damaged, and nothing happend with the executed file. The error message looks like this:

Actually, the worm starts its job by dropping a file named services.exe in %WINDIR%\ConnectionStatus\Microsoft folder. Another file located in the same directory will be used to collect email addresses found on the infected computer. The following file types are parsed in order to find email addresses:

pmr phtm stm slk inbox imb csv bak imh xhtml
imm imh cms nws vcf ctl dhtm cgi pp ppt msg
jsp oft vbs uin ldb abc pst cfg mdw mbx mdx
mda adp nab fdb vap dsp ade sln dsw mde frm
bas adr cls ini ldif log mdb xml wsh tbb abx
abd adb pl rtf mmf doc ods nch xls nsf txt
wab eml hlp mht nfo php asp shtml dbx

The worm uses the registry entries specified above in order to assure that it will be executed at every Windows startup.

Infected email details (one of the following):

SUBJECT:	Your eMail Password
BODY:	Thanks for your registration! Your registration will not be complete until you re-confirm it. Please read the following agreement. If you accept it, click the "accept" to complete your registration!
ATTACHMENT:	Accept_e-Text.zip

or:

SUBJECT:	Wichtig: Meine neue Mail Addresse!
BODY:	hi du,,, ike bin et Musste mir leider ne neue Mail-Addy machen. Meine alte wird nur noch zu gemuellt mit Spam. Habe dir auch gleich die Datei mitgeliefert die du immer haben wolltest. Ist aber ziemlich per.... Ok, man sieht sich
ATTACHMENT:	Mail-Datei.zip

The attachments contain an executable file named accept_emailTextData.exe, that looks like this:

It uses a predefined list of people names and mail account usernames to build spoofed email addresses that will be used as Sender in the infected emails.