
Win32.Sober.B@mm

LOW
MEDIUM
~54 KB (~183 KB when unpacked)

Symptoms

- a registry entry under HKLM\ or HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pointing to a ~54-KB file in the Windows System folder.
- files mscolmon.ocx and Humgly.lkur in the Windows System folder.

Removal instructions:

Manual Removal:

Manual Removal is difficult because there may be two or three copies of the virus running and respawning each other. You might want to try to kill the instances of the virus (using Task Manager) and then delete the files and registry entries described above.

Automatic Removal:

Let BitDefender delete infected files.

Analyzed By

Bogdan Dragu BitDefender Virus Researcher

Technical Description:

This virus was written in Visual Basic and packed with UPX; many of the strings in its body are encrypted.

It arrives as an email attachment. The format of the email varies; some possibilities are:

(German version):

Subject:
Hihi, ich war auf deinem Computer
Du bist Ge-Hackt worden
Ich habe Sie Ge-hackt
Der Kannibale von Rotenburg

Attachment:
Daten-Text.pif
DateiList.pif
Server.com

(English version):

Subject:
George W. Bush plans new wars
George W. Bush wants a new war
You Got Hacked
Have you been hacked?

Attachment:
www.gwbush-new-wars.com
www.hcket-user-pcs.com
yourlist.pif
allfiles.cmd

When run, it will sometimes display the following message:



It will create one or more copies of itself in the Windows System folder (using one of multiple possible names) and a registry entry (as described in Symptoms) that will run the virus at start-up.

The virus may run multiple copies of itself that monitor each other and respawn any instance the user terminates; it also watches the registry entry and re-creates it if it is deleted.

Sometimes, if the user tries to terminate one of the instances of the virus, it will create many copies of itself with random 8-digit names and .exe extensions in the Windows System folder, and run them (each one for just a short time before running the next one).
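The following PowerShell script is an added example, not Bitdefender's code, that checks a host for the symptoms listed above (the two dropped files, a Run-key entry pointing to a ~54 KB file in the System folder) and for the burst of 8-digit .exe files described in the previous paragraph. The 44-64 KB size window and the digits-only name pattern are assumptions made here to approximate the "~54 KB" and "8-digit names" the page gives.

```powershell
# Added example (not Bitdefender's code): look for Win32.Sober.B@mm symptoms on a Windows host.
# Run from an elevated prompt so the HKLM key and the System folder are fully readable.
$sys = [Environment]::GetFolderPath('System')   # Windows System folder, e.g. C:\Windows\System32
$findings = @()

# 1. Files the virus drops in the Windows System folder (names taken from the Symptoms section)
foreach ($name in 'mscolmon.ocx', 'Humgly.lkur') {
    $p = Join-Path $sys $name
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# 2. Run-key entries (HKLM and HKCU) that launch a ~54 KB file from the System folder.
#    Assumption: a 44-64 KB window approximates the page's "~54 KB".
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }        # skip provider metadata (PSPath, PSDrive, ...)
        $value = [string]$prop.Value
        # Executable path is either the quoted "..." part or the first token before a space
        $exe = if ($value -match '^"([^"]+)"') { $Matches[1] } else { ($value -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $inSys = (Split-Path -Parent $exe).TrimEnd('\') -ieq $sys.TrimEnd('\')
        $size  = (Get-Item -LiteralPath $exe).Length
        if ($inSys -and $size -ge 44KB -and $size -le 64KB) {
            $findings += "Run entry '$($prop.Name)' in $key -> $exe ($size bytes)"
        }
    }
}

# 3. Many .exe files with random 8-digit names in the System folder (created when an instance is killed).
#    Assumption: "8-digit" is read literally as eight decimal digits, which avoids matching
#    legitimate 8-letter system binaries.
$rand = Get-ChildItem -LiteralPath $sys -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^\d{8}$' }
if ($rand.Count -gt 0) { $findings += "$($rand.Count) .exe file(s) with 8-digit names in $sys" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Sober.B symptoms found.' }
```

A hit on the Run-key check alone is not proof of infection; compare the flagged file's hash against your scanner before acting on it.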

The virus looks for email addresses in files with one of the following extensions: htt, rtf, doc, xls, ini, mdb, txt, htm, html, wab, pst, fdb, cfg, ldb, eml, abc, ldif, nab, adp, mdw, mda, mde, ade, sln, dsw, dsp, vap, php, nsf, asp, shtml, shtm, dbx, hlp, mht, nfo.

It sends messages in the formats described above using its own SMTP client code. The harvested email addresses are stored in mscolmon.ocx in the Windows System folder.

It overwrites the start of files shared with Kazaa (and possibly other file-sharing applications) with its own body, so it may also spread through these networks.