
W32.SOBER.O@MM
SPREADING IN THE WILD
Virus Name : W32.Sober.O@mm
Alias : I-Worm.Sober.O, W32/Sober.P@mm, W32/Sober-N, WORM_SOBER.S, Sober.P, Sober.V
Virus type : Internet worm
Threat level : Medium
Virus details :
Sober.O is a mass-mailing worm that uses e-mail addresses collected from the infected system to distribute copies of itself. The worm carries its own SMTP engine, so it sends mail directly and does not depend on the victim's mail client. The infected mail is written in either English or German.
The infected mail subject in English will be one of the following:
Re: Your Password
Registration Confirmation
Your email was blocked
mailing error
FwD: Your Password
FwD: mailing error
The infected mail subject in German will be one of the following (English translations in brackets; the German strings are what the mail actually carries):
Glueckwunsch: Ihr WM Ticket  [Congratulations: your World Cup ticket]
Ich bin's, was zum lachen ;)  [It's me, something to laugh about ;)]
Ihr Passwort  [Your password]
Ihre E-Mail wurde verweigert  [Your e-mail was rejected]
Mail-Fehler!  [Mail error!]
WM Ticket Verlosung  [World Cup ticket draw]
WM-Ticket-Auslosung  [World Cup ticket draw]
Ich habe Ihre E-Mail bekommen  [I received your e-mail]
The infected mail attachment name in English will be one of the following:
mail_info.zip
our_secret.zip
error-mail_info.zip
account_info.zip
account_info-text.zip
The infected mail attachment name in German will be one of the following:
LOL.zip
autoemail-text.zip
_PassWort-Info.zip
Fifa_Info-Text.zip
okTicket-info.zip
The infected mail message body in English will be one of the following:
ok ok ok,,,,, here is it
Account and Password Information are attached!
Visit: (Random URL)
This is an automatically generated E-Mail Delivery Status Notification.
Mail-Header, Mail-Body and Error Description are attached
One of the following lines is appended at random to the bodies above. It imitates the footer a gateway virus scanner adds to clean mail, so the reassurance is itself an indicator of the worm rather than a reason to trust the attachment:
AntiVirus: No Virus found
Attachment-Scanner: Status OK
Server-AntiVirus: No Virus (Clean)
(Random URL)
The infected mail message body in German will be one of the following (English translations in brackets; the German strings are what the mail actually carries):
Diese E-Mail wurde automatisch erzeugt  [This e-mail was generated automatically]
Mehr Information finden Sie unter http://www.[Random URL]  [More information can be found at http://www.[Random URL]]
Folgende Fehler sind aufgetreten:  [The following errors occurred:]
Fehler konnte nicht Explicit ermittelt werden  [The error could not be determined explicitly]
Aus Datenschutzrechtlichen Gruenden, muss die vollstaendige E-Mail incl. Daten gezippt & angehaengt werden.  [For data-protection reasons the complete e-mail, including data, has to be zipped and attached.]
Wir bitten Sie, dieses zu beruecksichtigen.  [Please take this into account.]
Auto ReMailer#
Passwort und Benutzer-Informationen befinden sich in der beigefuegten Anlage.  [Password and user information are in the attached file.]
(Random URL)
*-* MailTo: PasswordHelp
Nun sieh dir das mal an  [Now take a look at this]
Was ein Ferkel ....  [What a pig ....]
Herzlichen Glueckwunsch,
beim Run auf die begehrten Tickets fr die 64 Spiele der Weltmeisterschaft 2006 in Deutschland sind Sie dabei. Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.
[Congratulations, in the rush for the coveted tickets to the 64 matches of the 2006 World Cup in Germany you are in. Please see the attachment for further details of your data.]
St. Rainer Gellhaus
--- Pressesprecher Jens Grittner und Gerd Graus  [Press spokesmen Jens Grittner and Gerd Graus]
--- FIFA Fussball-Weltmeisterschaft 2006  [FIFA Football World Cup 2006]
--- Organisationskomitee Deutschland  [Organising Committee Germany]
--- Tel. 069 / 2006 - 2600
--- Jens.Grittner@ok2006.de
--- Gerd.Graus@ok2006.de
One of the following lines is appended at random to the bodies above, again imitating a scanner footer:
AntiVirus: Kein Virus gefunden  [AntiVirus: No virus found]
Mail-Scanner: Es wurde kein Virus festgestellt  [Mail scanner: No virus was detected]
AntiVirus-System: Kein Virus erkannt  [AntiVirus system: No virus detected]
WebSite: (Random URL)
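The subject lines, attachment names, body phrases and fake scanner footers above are the whole of the lure, and together they make a usable mail-gateway signature. The following script is an added example and is not code from the original page or from Solo Antivirus: it loads those strings into sets, scans a raw RFC 822 message for them, and returns a verdict that does not rely on the subject alone, because subjects such as "Registration Confirmation" also occur in legitimate mail. Both sample messages are constructed for the example, and http://www.example.org/ stands in for the worm's random URL.

```python
"""Mail-side check for the Sober.O lure strings listed above.

Added example, not part of the original page. The two messages below are
constructed; http://www.example.org/ stands in for the worm's random URL.
"""
import email
from email import policy

SUBJECTS = {
    # English
    "Re: Your Password", "Registration Confirmation", "Your email was blocked",
    "mailing error", "FwD: Your Password", "FwD: mailing error",
    # German
    "Glueckwunsch: Ihr WM Ticket", "Ich bin's, was zum lachen ;)", "Ihr Passwort",
    "Ihre E-Mail wurde verweigert", "Mail-Fehler!", "WM Ticket Verlosung",
    "WM-Ticket-Auslosung", "Ich habe Ihre E-Mail bekommen",
}
ATTACHMENTS = {
    "mail_info.zip", "our_secret.zip", "error-mail_info.zip", "account_info.zip",
    "account_info-text.zip", "LOL.zip", "autoemail-text.zip", "_PassWort-Info.zip",
    "Fifa_Info-Text.zip", "okTicket-info.zip",
}
BODY_PHRASES = (
    "Account and Password Information are attached",
    "Mail-Header, Mail-Body and Error Description are attached",
    "Passwort und Benutzer-Informationen befinden sich",
    "beim Run auf die begehrten Tickets",
    "Aus Datenschutzrechtlichen Gruenden",
)
# Appended by the worm to look like the footer a gateway scanner adds to clean mail.
FAKE_AV_FOOTERS = (
    "AntiVirus: No Virus found", "Attachment-Scanner: Status OK",
    "Server-AntiVirus: No Virus (Clean)", "AntiVirus: Kein Virus gefunden",
    "Mail-Scanner: Es wurde kein Virus festgestellt", "AntiVirus-System: Kein Virus erkannt",
)
_SUBJECTS = {s.casefold() for s in SUBJECTS}
_ATTACHMENTS = {a.casefold() for a in ATTACHMENTS}


def sober_indicators(raw: bytes) -> list[str]:
    """Return 'category:value' entries for every Sober.O lure string found in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject.casefold() in _SUBJECTS:
        hits.append(f"subject:{subject}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.casefold() in _ATTACHMENTS:
            hits.append(f"attachment:{filename}")
        if part.get_content_maintype() == "text":
            text = part.get_content()          # decoded str for text/* parts
            hits += [f"body:{p}" for p in BODY_PHRASES if p in text]
            hits += [f"fake-av-footer:{f}" for f in FAKE_AV_FOOTERS if f in text]
    return hits


def is_sober_lure(raw: bytes) -> bool:
    """A known attachment name is decisive on its own; otherwise require two independent
    categories, since a subject like 'Registration Confirmation' also occurs in normal mail."""
    categories = {h.split(":", 1)[0] for h in sober_indicators(raw)}
    return "attachment" in categories or len(categories) >= 2


# Constructed lure: English subject, password body, fake scanner footer, empty zip attached.
SAMPLE_SOBER = b"""From: PasswordHelp@example.net
To: victim@example.com
Subject: Re: Your Password
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Account and Password Information are attached!
Visit: http://www.example.org/

AntiVirus: No Virus found
--b1
Content-Type: application/zip; name="account_info.zip"
Content-Disposition: attachment; filename="account_info.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed benign mail that happens to reuse one of the worm's subjects.
SAMPLE_CLEAN = b"""From: alice@example.com
To: bob@example.com
Subject: Registration Confirmation
Content-Type: text/plain; charset="us-ascii"

Your account is set up; log in at the portal when convenient.
"""
```

Run `sober_indicators()` on a quarantined .eml to see which strings matched; `is_sober_lure()` is the gateway decision. The benign sample shows why the subject list must not be used alone: it scores one hit and is still passed.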
The infected mail sample is given below (the original page shows it as a screenshot, which is not reproduced in this text).
When the infected e-mail attachment is executed, it displays a fake error message "Error: CRC not complete" with the title "WinZip Self-Extractor", so that the victim believes the archive was merely corrupt, and copies itself to %WINDOWS%\Connection Wizard\Status\services.exe. It also drops SMSS.EXE, CSRSS.EXE and data files on the infected system. The names services.exe, smss.exe and csrss.exe belong to genuine Windows system processes, which run from %WINDOWS%\System32; a copy of any of them running from a Connection Wizard\Status directory is the worm, not the system, and the path rather than the name is what to check. It then modifies the registry so that it is loaded automatically at the next startup, adding a value named WinStart under both Run keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"WinStart" = "%WINDOWS%\Connection Wizard\Status\services.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"WinStart" = "%WINDOWS%\Connection Wizard\Status\services.exe"
Because the same value is written under both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, deleting only one of them leaves the worm persistent.
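The two Run values above are the cleanest host-side indicator, and they can be checked offline from a `reg export` of the Run keys collected from many machines. The following script is an added example, not code from the original page or from Solo Antivirus. It parses the text of such an export (assumed already decoded from the UTF-16 that `reg export` writes) and flags three things: the WinStart value name, an image under the Connection Wizard\Status drop directory, and a services.exe, smss.exe or csrss.exe image started from outside System32. The registry dump embedded in it is constructed; the "Updater" entry is a made-up benign value used as a negative control, and %WINDOWS% is written out as C:\WINDOWS because a real export contains the resolved path.

```python
"""Offline triage of a 'reg export' dump for the Sober.O Run-key persistence.

Added example, not part of the original page. SAMPLE_REG is constructed; the
"Updater" value is a hypothetical benign entry used as a negative control.
"""
import re
from pathlib import PureWindowsPath

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # string values only; dword:/hex: lines are skipped

SOBER_VALUE_NAME = "WinStart"                   # value name used by Sober.O (from the page)
SOBER_DROP_DIR = r"Connection Wizard\Status"    # below %WINDOWS% (from the page)
# Names Sober.O borrows from genuine Windows processes, which live in System32 (SysWOW64 on x64).
SYSTEM_PROCESS_NAMES = {"services.exe", "smss.exe", "csrss.exe"}
SYSTEM_DIRS = {"system32", "syswow64"}


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Return {key_path: {value_name: string_value}} from decoded .reg text."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, value = m.groups()
            # .reg files escape backslash and double quote with a backslash
            keys[current][name] = re.sub(r'\\(["\\])', r"\1", value)
    return keys


def image_path(command: str) -> PureWindowsPath:
    """Extract the executable from a Run value (quoted path, or unquoted path up to '.exe')."""
    command = command.strip()
    if command.startswith('"'):
        return PureWindowsPath(command[1:].split('"', 1)[0])
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return PureWindowsPath(m.group(1) if m else command.split(" ", 1)[0])


def sober_persistence(keys: dict[str, dict[str, str]]) -> list[dict]:
    """Flag Run/RunOnce values that match the Sober.O persistence described on the page."""
    findings = []
    for key, values in keys.items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, command in values.items():
            image = image_path(command)
            reasons = []
            if name.casefold() == SOBER_VALUE_NAME.casefold():
                reasons.append(f"Run value named {SOBER_VALUE_NAME}")
            if str(image.parent).casefold().endswith(SOBER_DROP_DIR.casefold()):
                reasons.append(f"image in {SOBER_DROP_DIR} drop directory")
            in_system_dir = any(p.casefold() in SYSTEM_DIRS for p in image.parts)
            if image.name.casefold() in SYSTEM_PROCESS_NAMES and not in_system_dir:
                reasons.append(f"{image.name} started from outside System32")
            if reasons:
                findings.append({"key": key, "name": name, "image": str(image), "reasons": reasons})
    return findings


# Constructed export of both Run keys from an infected host (not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
"WinStart"="C:\\WINDOWS\\Connection Wizard\\Status\\services.exe"
"Flags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinStart"="C:\\WINDOWS\\Connection Wizard\\Status\\services.exe"
"""

if __name__ == "__main__":
    for f in sober_persistence(parse_reg_export(SAMPLE_REG)):
        print(f["key"], f["name"], f["image"], "; ".join(f["reasons"]))
```

Each finding carries all the reasons that fired, so a hit on the value name alone (a renamed copy of the worm, or a coincidence) can be told apart from the full three-reason match of the original sample. The third rule is not specific to Sober.O: any Run value that starts a services.exe, smss.exe or csrss.exe from outside System32 deserves a look.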
Sober.O collects e-mail addresses from files with the following extensions (address books, mail stores, web pages, documents and logs):
.abc
.abd
.abx
.adb
.ade
.adp
.adr
.asp
.bak
.bas
.cfg
.cgi
.cls
.cms
.csv
.ctl
.dbx
.dhtm
.doc
.dsp
.dsw
.eml
.fdb
.frm
.hlp
.imb
.imh
.imm
.inbox
.ini
.jsp
.ldb
.ldif
.log
.mbx
.mda
.mdb
.mde
.mdw
.mdx
.mht
.mmf
.msg
.nab
.nch
.nfo
.nsf
.nws
.ods
.oft
.php
.phtm
.pl
.pmr
.pp
.ppt
.pst
.rtf
.shtml
.slk
.sln
.stm
.tbb
.txt
.uin
.vap
.vbs
.vcf
.wab
.wsh
.xhtml
.xls
.xml
Other vendors detect this worm as I-Worm.Sober.O, W32/Sober.P@mm, W32/Sober-N, WORM_SOBER.S or Sober.P. The Sober.O variant first appeared on 2 May 2005.
How can I protect my system?
Solo has added W32.Sober.O@mm to its signature file to protect users from this worm. Registered Solo Antivirus users are already protected. Make sure that you have installed the registered version of Solo Antivirus to protect your system from all virus threats. Independently of the scanner, do not open a .zip attachment that arrives with one of the subjects or attachment names listed above, and treat a mail whose body carries its own "no virus found" footer as suspicious rather than reassuring.
How to remove this worm?
If you are already infected with this worm, you can remove it from your computer using Solo Antivirus software. Solo Antivirus can detect and remove W32.Sober.O@mm safely. Use the following link to download the 30-day trial version of Solo Antivirus to remove viruses from your computer.

Solo Antivirus not only scans for all viruses, it also contains a unique System Integrity Checker to protect you from new Internet worms, backdoors and malicious VB and Java scripts. It also effectively removes all existing Internet worms, file viruses, malicious VBS and Java scripts, Trojans, backdoors, boot sector, partition table and macro viruses.
You can purchase Solo Antivirus using the link