Win32.Sober.B@mm
SYMPTOMS:
- A registry entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pointing to a file of about 54 KB in the Windows System folder.
- The files mscolmon.ocx and Humgly.lkur in the Windows System folder.

TECHNICAL DESCRIPTION:
This virus was written in Visual Basic and packed with UPX; many of the strings in its body are encrypted.

It arrives attached to an email. The format of the email varies; some of the possibilities are:

German version:
Subject:
- Hihi, ich war auf deinem Computer (Hehe, I was on your computer)
- Du bist Ge-Hackt worden (You have been hacked)
- Ich habe Sie Ge-hackt (I have hacked you)
- Der Kannibale von Rotenburg (The Cannibal of Rotenburg)
Attachment:
- Daten-Text.pif
- DateiList.pif
- Server.com

English version:
Subject:
- George W. Bush plans new wars
- George W. Bush wants a new war
- You Got Hacked
- Have you been hacked?
Attachment:
- www.gwbush-new-wars.com
- www.hcket-user-pcs.com
- yourlist.pif
- allfiles.cmd

When run, it will sometimes display a message box.

It creates one or more copies of itself in the Windows System folder (under one of several possible names) and the registry entry described in Symptoms, which runs the virus at start-up. The virus may run several copies of itself that monitor each other and respawn any instance the user terminates; it also monitors the registry entry and re-creates it if it is deleted. Sometimes, when the user tries to terminate one of the instances, it creates many copies of itself in the Windows System folder with random 8-digit names and .exe extensions and runs them, each for only a short time before starting the next.

The virus harvests email addresses from files with one of the following extensions: htt, rtf, doc, xls, ini, mdb, txt, htm, html, wab, pst, fdb, cfg, ldb, eml, abc, ldif, nab, adp, mdw, mda, mde, ade, sln, dsw, dsp, vap, php, nsf, asp, shtml, shtm, dbx, hlp, mht, nfo. It sends messages in the format described above using its own SMTP client functions, so it does not depend on the mail client installed on the victim's machine.
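The host-side symptoms above (a Run value pointing at a ~54-KB file in the System folder, the dropped files mscolmon.ocx and Humgly.lkur, and the random 8-digit .exe copies) can be checked mechanically. The script below is an added example, not BitDefender's code or part of the original write-up. It works over plain data (a list of Run values and a name-to-size listing of the System folder) so it can be exercised offline; the System folder path, the size tolerance window and every file name in the sample data are assumptions, and the sample data is constructed rather than taken from a real infection.

```python
"""IOC check for the Sober.B host symptoms described on this page.

Added example; not BitDefender's code. It works over plain data
(Run-key values and a System-folder listing) so it can be exercised
offline; gathering that data from a live machine is left to the caller.
"""
import re
from pathlib import PureWindowsPath

# Assumption: XP-era default System folder. The page only says "the
# Windows System folder"; adjust for System32 vs. System as needed.
SYSTEM_FOLDER = PureWindowsPath(r"C:\WINDOWS\System32")

# Files the page names as dropped by the virus (compared case-insensitively).
DROPPED_FILES = {"mscolmon.ocx", "humgly.lkur"}

# "random 8-digit names and .exe extensions"
RANDOM_NAME_RE = re.compile(r"^\d{8}\.exe$", re.IGNORECASE)

# The page says the Run entry points at a ~54-KB file; the tolerance
# window around that figure is an assumption.
SIZE_LOW, SIZE_HIGH = 50 * 1024, 58 * 1024


def _target_path(run_value: str) -> PureWindowsPath:
    """Strip surrounding quotes from a Run value such as "C:\\...\\x.exe"."""
    value = run_value.strip()
    if value.startswith('"'):
        value = value[1:].split('"', 1)[0]
    return PureWindowsPath(value)


def suspicious_run_entries(run_entries, system_files):
    """Return Run values that point at a ~54-KB file in the System folder.

    run_entries:  iterable of (hive, value_name, value_data)
    system_files: mapping of file name -> size in bytes for the System folder
    """
    sizes = {name.lower(): size for name, size in system_files.items()}
    hits = []
    for hive, name, data in run_entries:
        target = _target_path(data)
        if target.parent != SYSTEM_FOLDER:   # PureWindowsPath compares case-insensitively
            continue
        size = sizes.get(target.name.lower())
        if size is not None and SIZE_LOW <= size <= SIZE_HIGH:
            hits.append((hive, name, str(target)))
    return hits


def suspicious_system_files(system_files):
    """Return names matching the dropped files or the random 8-digit .exe pattern."""
    return sorted(
        name for name in system_files
        if name.lower() in DROPPED_FILES or RANDOM_NAME_RE.match(name)
    )


def scan(run_entries, system_files):
    """Combine both checks; a Run-entry hit together with at least one
    file hit is the combination the Symptoms section describes."""
    run_hits = suspicious_run_entries(run_entries, system_files)
    file_hits = suspicious_system_files(system_files)
    return {
        "run_entries": run_hits,
        "files": file_hits,
        "matches_symptoms": bool(run_hits) and bool(file_hits),
    }


# Constructed sample data (not real observations): two clean Run entries,
# one pointing at a hypothetical ~54-KB copy of the virus, and a System
# folder listing containing both named files plus one random-named copy.
SAMPLE_RUN_ENTRIES = [
    ("HKLM", "SoundMAX", r"C:\Program Files\Analog Devices\SoundMAX\SMax4.exe"),
    ("HKCU", "WinUpdate", r'"C:\WINDOWS\System32\winupd32.exe"'),
    ("HKLM", "ctfmon", r"C:\WINDOWS\System32\ctfmon.exe"),
]
SAMPLE_SYSTEM_FILES = {
    "winupd32.exe": 55_296,     # hypothetical virus copy, about 54 KB
    "mscolmon.ocx": 2_048,      # harvested-address store named on the page
    "Humgly.lkur": 0,           # second dropped file named on the page
    "48213907.exe": 55_296,     # random 8-digit respawn copy
    "ctfmon.exe": 15_360,       # constructed size, outside the window
    "kernel32.dll": 983_552,    # constructed size
}

if __name__ == "__main__":
    for key, value in scan(SAMPLE_RUN_ENTRIES, SAMPLE_SYSTEM_FILES).items():
        print(f"{key}: {value}")
```

On a live machine the inputs come from the two Run keys (for example `reg query` of each) and a directory listing of the System folder; feed them to `scan()` in the same shapes as the sample data. A Run-entry hit on its own is weak evidence, since any small program can register itself there, which is why `matches_symptoms` also requires one of the named or random-named files.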
The harvested email addresses are stored in mscolmon.ocx in the Windows System folder.

It overwrites the beginning of files shared through Kazaa (and possibly other file-sharing applications) with its own body, and it may spread through those networks as well.

Removal instructions:

Manual Removal:
Manual removal is difficult because two or three copies of the virus may be running and respawning each other. You might want to try to kill the instances of the virus (using Task Manager) and then delete the files and registry entries described above. Because any surviving instance restarts the others and re-creates the Run entry, all instances must be gone before the files and registry entries are removed.

Automatic Removal:
Let BitDefender delete the infected files.

ANALYZED BY:
Bogdan Dragu, BitDefender Virus Researcher