Search Solo Products, Services and others Overview of the Site Design and Build a Career Contact us for customer service and other feedback info SRN Micro Privacy Statement

 


SERVICES.EXE PROCESS INFORMATION

Process Name  : Services.exe

Process Path : %WINDOWS%\PoolData\services.exe [ please note that Windows services.exe will load from %Windows%\System32 folder ]

Malware Name  : W32.Sober.AA@mm

Alias             : I-Worm/Sober.AA, Email-Worm.Win32.Sober.aa, Win32/Sober.AA, WORM_SOBER.AX, W32/Sober-AD.

Process Type    : Mass mailing Internet worm

Threat level : Medium

Process details :

                     Services.exe is dropped by Sober worm in Windows PoolData folder. It is a mass mailing worm uses e-mail addresses collected from the system to distribute infected mails. The worm uses its own SMTP engine to spread. The infected mail will be in English or German.

The infected mail subject in English will be one of the following

Error in your eMail
Your Updated Password!

The infected mail Attachment name in English will be one of the following

Passw_Data.zip
Mail_Data.zip

The infected mail message body in English will be one of the following

You notified us that you have forgotten your password.We have changed your password to a random sequence of letters and digits! For more detailed information, see the attached password file ...

Your eMail has occurred an unknown error on our Server.Please read your mail and check the text.The full email is attached!

                  When the infected e-mail attachment is executed, it displays a fake error message "WinZip Header is missing!" with title "WinZip Self-Extractor" and copies to %WINDOWS%\PoolData\services.exe. It also drops SMSS.EXE, CSRSS.EXE, and data files in the infected system. Then it modifies the registry to load automatically on next startup. The registry key modification is given below.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run = "WinData"="%WINDOWS%\PoolData\services.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run = "_WinData"="%WINDOWS%\PoolData\services.exe"

                     Sober.AA worm collects e-mail address from the following files

.abc
.abd
.abx
.adb
.ade
.adp
.adr
.asp
.bak
.bas
.cfg
.cgi
.cls
.cms
.csv
.ctl
.dbx
.dhtm
.doc
.dsp
.dsw
.eml
.fdb
.frm
.hlp
.imb
.imh
.imh
.imm
.inbox
.ini
.jsp
.ldb
.ldif
.log
.mbx
.mda
.mdb
.mde
.mdw
.mdx
.mht
.mmf
.msg
.nab
.nch
.nfo
.nsf
.nws
.ods
.oft
.php
.phtm
.pl
.pmr
.pp
.ppt
.pst
.rtf
.shtml
.slk
.sln
.stm
.tbb
.txt
.uin
.vap
.vbs
.vcf
.wab
.wsh
.xhtml
.xls
.xml

                   This worm is also known as I-Worm/Sober.AA, Email-Worm.Win32.Sober.aa, Win32/Sober.AA, WORM_SOBER.AX, W32/Sober-AD. Sober.AA variant appeared on 1st May 2007.

How can I protect my system?

                   Solo has incorporated Sober.AA infected services.exe in its signature file to protect users from this worm attack. Solo antivirus registered users are already protected from this worm. Make sure that you have installed registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this worm?

                   If you are already infected with this worm, you can remove it from your computer using Solo Antivirus software. Solo antivirus can detect and remove W32.Sober.AA@mm safely. Use the following link to Download 30 day trial version of Solo antivirus to remove viruses from your computer.

                   Solo anti-virus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from New Internet Worms, Backdoors and malicious VB, Java Scripts. It also effectively removes all existing Internet Worms, File viruses, malicious VBS, Java scripts, Trojans, Backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link