Win32.Sober.C@mm
SYMPTOMS:
- Presence of the following files in the %SYSTEM% folder:
  syshostx.exe (~72 KBytes)
  savesys.dll
  humgly.lkur
  yfjq.yqwm
  as well as another two copies of syshostx.exe with random names.
- Presence of an entry under one of the registry keys:
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  pointing to a copy of the virus in the %SYSTEM% folder.

where %WINDOWS% points to the Windows folder (or WinNT on Windows NT based systems) and %SYSTEM% points to the "System" folder on Windows 9x systems and the "System32" folder on WinNT systems.

TECHNICAL DESCRIPTION:
Like its predecessors, it is written in Visual Basic and packed with UPX. It spreads via e-mail and uses its own SMTP engine to send itself. The worm composes the e-mail from fixed substrings, resulting in a large number of possible e-mail formats:

Subjects:
German:
Betr: Klassentreffen
Testen Sie ihren IQ
Bankverbindungs- Daten
Neuer Dialer Patch!
Ermittlungsverfahren wurde eingeleitet
Ihre IP wurde geloggt
Sie sind ein Raubkopierer
Sie tauschen illegal Dateien aus
Ich hasse dich
Ich zeige sie an!
Sie Drohen mir!!
Anime, Pokemon, Manga, Handy ...
Anmeldebest
Neu! Legales Filesharing
Umfrage: Rente erst mit 80!
du wirst ausspioniert
Ein Trojaner ist auf Ihrem Rechner!
Du hast einen Trojaner drauf!
Hi, Ich bin's

English:
Sorry, that's your mail
hi, its me
Thank You very very much
you are an idiot
why me?
I hate you
Preliminary investigation were started
Your IP was logged
You use illegal File Sharing ...
A Trojan horse is on your PC
a trojan is on your computer!
Anime, Pokemon, Manga, ...
Attention: To all gamers
Caution: To all gamers
registration confirmation

Body (can contain, for example):
Here, the DigiCam photos. A few are overexposed.
That you've killed this bastard.
That you have paid for me!
And that's your list, too!
A new worm spread via online gaming!
You must change your internet configuration!!
More than 75.000 freeware games!!!
You say in the www. that i'm a terrorist!!!
No way out for you.
I REPORT YOU !
You've said THAT about me
I said, I love you..,, and you said NOTHING
Downloading of Movies, MP3s and Software is illegal and punishable by law.
Pokemon, YU-GI-OH, DragonballZ, BeyBlade, Ranma 1/2, and and and

Attachments:
www.iq4you-german-test.com
www.freewantiv.com
www.free4manga.com
www.free4share4you.com
www.tagespolitik-umfragen.com
www.freegames4you-gzone.com
www.boards4all-terror432.com
www.anime4allfree.com
www.animepage43252.com
downloader.exe

Also, the attachment name may be composed of one of the following names:
yourmail.
doc.
reward.
youtoo.
set_config.
idiot.
painfulness.
terror-list.
account.
credit card.
yourregistration.
letters.
computer.
mangaconection.
SysDial-patch.
DrohMails.
Klassenfoto.
sharedfree.
Zugangsdaten.
Abstimmen.
alledigis.
followed by one of the extensions:
bat
pif
exe
com
(example: youtoo.com)

When run, the worm will:
- create a copy of itself, syshostx.exe, in the %SYSTEM% folder
- also create 2 more randomly named copies of itself in the %SYSTEM% folder
- create the registry entries described in Symptoms
- sometimes show fake message boxes.

The copies of the virus are for backup purposes. If one of them is killed/deleted, the worm will write another copy to disk and run it.

The virus looks for e-mail addresses in files with one of the following extensions:
htt, rtf, doc, xls, ini, mdb, txt, htm, html, wab, pst, fdb, cfg, ldb, eml, abc, ldif, nab, adp, mdw, mda, mde, ade, sln, dsw, dsp, vap, php, nsf, asp, shtml, shtm, dbx, hlp, mht, nfo
and stores them in the file savesyss.dll in the %SYSTEM% folder. It also creates two more files in the %SYSTEM% folder, humgly.lkur and yfjq.yqwm.

Removal instructions:
Manual Removal:
Manual removal is difficult because there may be two or three copies of the virus running and respawning each other. You might want to try to kill the instances of the virus (using Task Manager) and then delete the files and registry entries described above.
Automatic Removal:
Let BitDefender delete infected files.
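The indicators above (the attachment naming scheme, the dropped files and the Run-key entry) can be turned into a small triage check. The following is added example code, not part of the BitDefender write-up; the function names and all sample inputs are constructed for the example, and the Run-key check only covers the fixed syshostx.exe name, not the two randomly named copies.

```python
# Added triage helper (example code, not from the BitDefender write-up): checks
# mail attachment names and autorun entries against the listed indicators.
import ntpath

# Fixed attachment names from the description. Note that every "www.*.com"
# name ends in the executable extension .com; it is not a web address.
FIXED_ATTACHMENTS = {
    "www.iq4you-german-test.com", "www.freewantiv.com", "www.free4manga.com",
    "www.free4share4you.com", "www.tagespolitik-umfragen.com",
    "www.freegames4you-gzone.com", "www.boards4all-terror432.com",
    "www.anime4allfree.com", "www.animepage43252.com", "downloader.exe",
}
# Basenames and extensions the worm combines (page example: youtoo.com).
BASENAMES = {
    "yourmail", "doc", "reward", "youtoo", "set_config", "idiot", "painfulness",
    "terror-list", "account", "credit card", "yourregistration", "letters",
    "computer", "mangaconection", "sysdial-patch", "drohmails", "klassenfoto",
    "sharedfree", "zugangsdaten", "abstimmen", "alledigis",
}
EXTENSIONS = {"bat", "pif", "exe", "com"}
# Files the description says are dropped in %SYSTEM%; the address store is
# spelled both savesys.dll and savesyss.dll on the page, so both are listed.
DROPPED_FILES = {"syshostx.exe", "savesys.dll", "savesyss.dll",
                 "humgly.lkur", "yfjq.yqwm"}


def is_sober_attachment(name):
    """True if an attachment name matches the worm's naming scheme."""
    n = name.strip().lower()
    if n in FIXED_ATTACHMENTS:
        return True
    base, dot, ext = n.rpartition(".")
    return dot == "." and base in BASENAMES and ext in EXTENSIONS


def dropped_file_hits(system_dir_listing):
    """Return the known dropped filenames present in a %SYSTEM% listing."""
    return sorted(f for f in system_dir_listing if f.lower() in DROPPED_FILES)


def suspicious_run_entries(run_values, system_dir):
    """Return Run-key value names whose command is syshostx.exe in %SYSTEM%.
    run_values maps value name -> command string from the HKLM/HKCU Run keys."""
    sysdir = ntpath.normcase(system_dir.rstrip("\\"))
    hits = []
    for value_name, command in run_values.items():
        path = ntpath.normcase(command.strip().strip('"'))  # drop quoting
        if ntpath.dirname(path) == sysdir and ntpath.basename(path) == "syshostx.exe":
            hits.append(value_name)
    return sorted(hits)
```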
ANALYZED BY: Patrik Vicol, BitDefender Virus Researcher