Win32.Sober.C@mm

LOW
MEDIUM
~72 KBytes

Symptoms

- Presence of the following files in the %SYSTEM% folder:

syshostx.exe (~72 KBytes)
savesys.dll
humgly.lkur
yfjq.yqwm


as well as two further copies of syshostx.exe with random names.

- Presence of a registry entry under one of the following keys:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]


pointing to a copy of the virus in the %SYSTEM% folder,

where %WINDOWS% points to the Windows folder (or WinNT on Windows NT based systems) and
%SYSTEM% points to the "System" folder on Windows 9x systems and the "System32" folder on WinNT systems.

Removal instructions:

Manual Removal

Manual removal is difficult because two or three copies of the virus may be running and respawning each other. You can try to kill all instances of the virus (using Task Manager) and then delete the files and registry entries described above.

Automatic Removal:

Let BitDefender delete infected files.

Analyzed By

Patrik Vicol, BitDefender Virus Researcher

Technical Description:

Like its predecessors, it is written in Visual Basic and packed with UPX.
It spreads via e-mail and uses its own SMTP engine to send itself.

The worm composes each e-mail from fixed substrings,
which results in a large number of possible e-mail formats:

Subjects:

German:
Betr: Klassentreffen
Testen Sie ihren IQ
Bankverbindungs- Daten
Neuer Dialer Patch!
Ermittlungsverfahren wurde eingeleitet
Ihre IP wurde geloggt
Sie sind ein Raubkopierer
Sie tauschen illegal Dateien aus
Ich hasse dich
Ich zeige sie an!
Sie Drohen mir!!
Anime, Pokemon, Manga, Handy ...
Anmeldebest
Neu! Legales Filesharing
Umfrage: Rente erst mit 80!
du wirst ausspioniert
Ein Trojaner ist auf Ihrem Rechner!
Du hast einen Trojaner drauf!
Hi, Ich bin's


English:
Sorry, that's your mail
hi, its me
Thank You very very much
you are an idiot
why me?
I hate you
Preliminary investigation were started
Your IP was logged
You use illegal File Sharing ...
A Trojan horse is on your PC
a trojan is on your computer!
Anime, Pokemon, Manga, ...
Attention: To all gamers
Caution: To all gamers
registration confirmation



Body:
(examples of strings the body can contain):

Here, the DigiCam photos. A few are overexposed.
That you've killed this bastard.
That you have paid for me!
And that's your list, too!
A new worm spread via online gaming!
You must change your internet configuration!!
More than 75.000 freeware games!!!
You say in the www. that i'm a terrorist!!!
No way out for you. I REPORT YOU !
You've said THAT about me
I said, I love you..,, and you said NOTHING
Downloading of Movies, MP3s and Software is illegal and punishable by law.
Pokemon, YU-GI-OH, DragonballZ, BeyBlade, Ranma 1/2, and and and


Attachments:
www.iq4you-german-test.com
www.freewantiv.com
www.free4manga.com
www.free4share4you.com
www.tagespolitik-umfragen.com
www.freegames4you-gzone.com
www.boards4all-terror432.com
www.anime4allfree.com
www.animepage43252.com
downloader.exe

Also, the attachment name may be composed of one of the following name stems

yourmail.
doc.
reward.
youtoo.
set_config.
idiot.
painfulness.
terror-list.
account.
credit card.
yourregistration.
letters.
computer.
mangaconection.
SysDial-patch.
DrohMails.
Klassenfoto.
sharedfree.
Zugangsdaten.
Abstimmen.
alledigis.


joined with one of the extensions bat, pif, exe or com (example: youtoo.com).
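As an added example (not part of the original Bitdefender entry), the following Python mail-filter check applies the naming rules described above: it flags the fixed attachment names, any listed stem joined with one of the four executable extensions, and, as a generalisation beyond the listed names, any attachment shaped like a web address but carrying the executable .com extension. The subject set is a constructed subset of the subjects listed on the page.

```python
import re
from typing import List, Optional

# Attachment name stems and extensions as listed on the page; the worm joins one
# stem with one extension (example from the page: youtoo.com). Stored lowercase.
STEMS = {"yourmail", "doc", "reward", "youtoo", "set_config", "idiot", "painfulness",
         "terror-list", "account", "credit card", "yourregistration", "letters",
         "computer", "mangaconection", "sysdial-patch", "drohmails", "klassenfoto",
         "sharedfree", "zugangsdaten", "abstimmen", "alledigis"}
EXEC_EXTS = {"bat", "pif", "exe", "com"}
# Fixed attachment names from the page; note that "www.*.com" is a .com executable.
FIXED = {"www.iq4you-german-test.com", "www.freewantiv.com", "www.free4manga.com",
         "www.free4share4you.com", "www.tagespolitik-umfragen.com",
         "www.freegames4you-gzone.com", "www.boards4all-terror432.com",
         "www.anime4allfree.com", "www.animepage43252.com", "downloader.exe"}
# Constructed subset of the subject lines listed on the page (lowercase).
SUBJECTS = {"your ip was logged", "a trojan horse is on your pc", "hi, its me",
            "ihre ip wurde geloggt", "sie sind ein raubkopierer"}


def classify_attachment(name: str) -> Optional[str]:
    """Return why an attachment name matches Sober.C, or None if it does not."""
    lower = name.strip().lower()
    if lower in FIXED:
        return "fixed Sober.C attachment name"
    stem, dot, ext = lower.rpartition(".")
    if dot and ext in EXEC_EXTS:
        if stem in STEMS:
            return f"Sober.C stem '{stem}' with executable extension .{ext}"
        # Generalisation beyond the page's fixed list: a name shaped like a web
        # address but ending in .com is a .com executable, not a URL.
        if re.fullmatch(r"www\.[a-z0-9-]+\.com", lower):
            return "URL-shaped name with executable .com extension"
    return None


def flag_message(subject: str, attachments: List[str]) -> List[str]:
    """Collect all Sober.C indicators for one message (subject plus attachments)."""
    reasons = []
    if subject.strip().lower() in SUBJECTS:
        reasons.append(f"known Sober.C subject: {subject!r}")
    for att in attachments:
        why = classify_attachment(att)
        if why:
            reasons.append(f"{att}: {why}")
    return reasons


if __name__ == "__main__":
    # Constructed sample message: one composed name, one benign file, one URL-shaped name.
    for reason in flag_message("Your IP was logged",
                               ["youtoo.com", "report.pdf", "www.example-xyz.com"]):
        print(reason)
```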


When run, the worm will:

- create a copy of itself, syshostx.exe, in the %SYSTEM% folder
- create two more randomly named copies of itself in the %SYSTEM% folder
- create the registry entries described in Symptoms
- sometimes show fake message boxes.


The extra copies of the virus serve as backups: if one of them is killed or deleted, a running copy writes another copy to disk and starts it.

The virus looks for e-mail addresses in files with one of the following extensions:
htt, rtf, doc, xls, ini, mdb, txt, htm, html, wab, pst, fdb, cfg, ldb, eml, abc, ldif, nab, adp, mdw, mda, mde, ade, sln, dsw, dsp, vap, php, nsf, asp, shtml, shtm, dbx, hlp, mht, nfo.

and stores them in the file savesyss.dll in the %SYSTEM% folder.

It also creates two more files in the %SYSTEM% folder, humgly.lkur and yfjq.yqwm.