My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Sober.D@mm

LOW
LOW
33792 bytes
(N/A)

Symptoms

Presence of registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce

with a value formed with the folowing words:

sys,host,dir,explorer,win,run,log,32,disc,crypt,data,diag,spool,service,smss32

pointing to a file in Windows Directory whose name is formed with the above words too, and the presence of that file.

Removal instructions:

Let BitDefender automaticall delete all files found infected with this worm.

Analyzed By

Mihai Neagu BitDefender Virus Researcher

Technical Description:

The worm comes by mail in the following form, in German or English language:

From:
Spoofed email address using one of these names:
Info, Center, UpDate, News, Help, Studio, Alert, Patch, Security
and one of these hosts:
microsoft.com, microsoft.de, microsoft.at, microsoft.ch, microsoft.li
For instance, a spoofed email address could be: Info@microsoft.com

Subject:
Microsoft Alert: Please Read!
or
Microsoft Alarm: Bitte Lesen!

Body text 1:
New MyDoom Virus Variant Detected!

A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet.
Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus.
The worm also has a backdoor Trojan capability.
By default, the Trojan component listens on port 13468.

Protection:
Please download this digitally signed attachment.
This Update includes the functionality of previously released patches.


Body text 2:
Neue Virus-Variante W32.Mydoom verbreitet sich schnell.

Eine neue Mydoom-Variante verbreitet sich derzeit rasend schnell im Internet.
Wie seine Vorgänger verschickt sich der Wurm von infizierten Windows-Rechnern per E-Mail an weitere Adressen.
Zudem installiert er auf infizierten Systemen einen gefährlichen Trojaner!

Führende Virenspezialisten melden bereis ein vermehrtes Aufkommen des W32.Mydoom alias W32.Novarg.
Bitte daten Sie Ihr System mit dem Patch ab, um sich vor diesem Schädling zu schützen!


Attachment:
Can be ZIP or EXE with the following names, may be followed by a few digits:
sys-patch
MS-UD
MS-Security
Security
Patch



Once executed, the worm copies itself to Windows System directory with a name built with a combination of the following words:
sys,host,dir,explorer,win,run,log,32,disc,crypt,data,diag,spool,service,smss32

Displays a message box with the following text:
This patch has been successfully installed.
or
This patch does not need to be installed on this system.

For example, if C:\Windows\System is the Windows System directory, a worm name could be:
C:\Windows\System\runspooldir.exe

The worm creates the following registry key so as to run each time Window starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce
with a value built using the same words above, pointing to the worm executable copied in Windows System directory.

For gathering email addresses, it search the system for files with the following extensions:
ini, log, mdb, tbb, abd, adb, pl, rtf, doc, xls, txt, wab, eml, php, asp, shtml, dbx, wab, tbb, abd, adb, pl

For sending mail, the worm uses two temporary files, that are the MIME encoding of the worm executable or zip:
%SYSTEM%\wintmpx33.dat
%SYSTEM%\temp32x.data