Digital Patrol
I-Worm.Sober.s

Category:  Internet Worm (E-Mail)
Risk:  Medium
Length:  113'551 Bytes
Platform:  Windows 95, 98, Me, NT, 2000, Windows Server 2003, Windows XP
Aliases:  W32/Sober.gen@MM (McAfee), Win32.HLLM.Generic.374 (Doctor Web), W32/Sober-O (Sophos), Win32.Sober.S@mm (SOFTWIN), W32/Sober.Y.worm (Panda), Win32/Sober.R (Eset)
Date discovered:  10/06/2005
Added to virus database:  10/06/2005
In-The-Wild / Epidemic:  Yes

Description

This worm spreads via the Internet as an attachment to infected messages. It sends itself to addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file written in Visual Basic and packed using UPX.

The worm arrives in a ZIP archive attached to infected messages. The archive contains the worm's executable file. Infected messages are in either English or German.

Message subject

Fwd: Klassentreffen
Your new Password

Message body

ich hoffe jetzt mal das ich endlich die richtige person erwischt habe!
ich habe jedenfalls mal unser klassenfoto von damals mit angehängt.
wenn du dich dort wiedererkennst, dann schreibe unbedingt zurück!!

wenn ich aber wieder mal die falsche person erwischt habe, dann sorry für die
belästigung ;)

liebe gr

Your password was successfully changed!
Please see the attached file for detailed information.

Signature (chosen at random from the list below):

Rita
Sandra
Nicole
Hannelore
Kerstin
Elke

Attachment name:

KlassenFoto.zip
pword_change.zip

The worm harvests addresses from files with the following extensions:

abc
abd
abx
adb
ade
adp
adr
asp
bak
bas
cfg
cgi
cls
cms
csv
ctl
dbx
dhtm
doc
dsp
dsw
eml
fdb
frm
hlp
imb
imh
imm
inbox
ini
jsp
ldb
ldif
log
mbx
mda
mdb
mde
mdw
mdx
mht
mmf
msg
nab
nch
nfo
nsf
nws
ods
oft
php
phtm
pl
pmr
pp
ppt
pst
rtf
shtml
slk
sln
stm
tbb
txt
uin
vap
vbs
vcf
wab
wsh
xhtml
xls
xml

It establishes a direct connection to the recipient's SMTP server to send messages.

It does not harvest addresses containing the following text strings:

aero
com
coop
edu
gov
info
int
museum
name
net
org
pro
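
A mail-gateway style check for the subject lines and attachment names listed above, which also opens any ZIP attachment and reports whether it holds an executable. This is an added example, not part of the original description; the function names, the sample addresses, the ZIP member names and the list of executable suffixes are assumptions, and the sample messages are constructed with harmless content.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the description above (compared case-insensitively).
SUBJECTS = {"fwd: klassentreffen", "your new password"}
ATTACHMENTS = {"klassenfoto.zip", "pword_change.zip"}
# Assumption: suffixes treated as executable; the page names no inner file.
EXE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def sober_s_indicators(raw: bytes) -> list[str]:
    """Return the names of the Sober.s indicators found in one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append("attachment-name")
        if name.endswith(".zip"):
            try:
                data = part.get_payload(decode=True)
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    members = zf.namelist()
            except zipfile.BadZipFile:
                continue  # not a readable ZIP archive, nothing to list
            if any(m.lower().endswith(EXE_SUFFIXES) for m in members):
                hits.append("zip-contains-executable")
    return hits


def build_sample(subject: str, filename: str, member: str) -> bytes:
    """Constructed test message; the ZIP member is harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"harmless placeholder")
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file for detailed information.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=filename)
    return msg.as_bytes()
```

Subjects and file names are trivially changed between variants, so the archive-content check is the more durable of the three signals.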


Copyright © 2001 — 2010, NictaTech Software.