
W32.SOBER.X@MM
SPREADING IN THE WILD
Virus Name : W32.Sober.X@mm
Alias : I-Worm.Sober.Y, WORM_SOBER.AG, Sober.X, W32/Sober-Gen
Virus type : Internet worm
Threat level : Medium
Virus details :
Sober.X is a mass-mailing worm that uses e-mail addresses collected from the infected system to distribute infected mails. The worm uses its own SMTP engine to spread. The infected mail is in English or German.
The infected mail subject in English will be one of the following:
Your Password
Registration Confirmation
smtp mail failed
Mail delivery failed
hi, ive a new mail address
You visit illegal websites
Your IP was logged
Paris Hilton & Nicole Richie
The infected mail attachment name in English will be one of the following:
mailtext.zip
mail.zip
reg_pass.zip
reg_pass-data.zip
question_list.zip
list.zip
downloadm
mail_body.zip
The infected mail message body in English will be one of the following:
hey
its me, my old address dont work at time. i dont
know why?!
in the last days ive got some mails. i' think
thaz your mails but im not sure!
plz read and check ...
cyaaaaaaa
---
This is an automatically generated Delivery
Status Notification.
SMTP_Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry
it didn't work out.
The full mail-text and header is attached
---
Account and Password Information are attached!
***** Go to: http://www.{random}.com
***** Email: {random}.com
---
Dear Sir/Madam,
we have logged your IP-address on more than 30
illegal Websites.
Important:
Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison
*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000
---
Account and Password Information are attached!
---
The Simple Life:
View Paris Hilton & Nicole Richie video clips
, pictures & more ;)
Download is free until Jan, 2006!
Please use our Download manager.
The attached .ZIP file contains a copy of this worm using the file name File-packed_dataInfo.exe.
The infected mail sample is given below.
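As an added example (not part of the original description), the following Python check flags a message that carries the indicators listed above: one of the English subjects, one of the attachment names, and a .zip member named File-packed_dataInfo.exe. The sample message is constructed inline with harmless placeholder bytes.

```python
"""Added example, not from the original page: a mail-gateway style check for
the W32.Sober.X@mm indicators (subjects, .zip names, embedded file name).
The sample message below is constructed; the .exe inside is a placeholder."""
import io
import zipfile
from email import message_from_string
from email.message import EmailMessage

SOBER_SUBJECTS = {
    "your password", "registration confirmation", "smtp mail failed",
    "mail delivery failed", "hi, ive a new mail address",
    "you visit illegal websites", "your ip was logged",
    "paris hilton & nicole richie",
}
SOBER_ATTACHMENTS = {
    "mailtext.zip", "mail.zip", "reg_pass.zip", "reg_pass-data.zip",
    "question_list.zip", "list.zip", "mail_body.zip",
}
SOBER_PAYLOAD = "file-packed_datainfo.exe"


def sober_indicators(raw: str) -> list[str]:
    """Return the Sober.X indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in SOBER_SUBJECTS:
        hits.append(f"subject:{subject}")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and the multipart container have no filename
        if name.lower() in SOBER_ATTACHMENTS:
            hits.append(f"attachment:{name}")
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():  # only names are read, nothing is run
                    if member.rsplit("/", 1)[-1].lower() == SOBER_PAYLOAD:
                        hits.append(f"zip-member:{member}")
    return hits


def build_sample() -> str:
    """Construct a lookalike message (placeholder bytes, not the worm)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("File-packed_dataInfo.exe", b"PLACEHOLDER-NOT-MALWARE")
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.invalid", "you@example.invalid"
    m["Subject"] = "Mail delivery failed"
    m.set_content("The full mail-text and header is attached")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename="mail.zip")
    return m.as_string()
```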

When the infected e-mail attachment is executed, it displays a fake error message "Error in packed Header" with the title "WinZip Self-Extractor" and copies itself to %WINDOWS%\WinSecurity\services.exe. It also drops SMSS.EXE, CSRSS.EXE and data files on the infected system. Then it modifies the registry so that it loads automatically on the next startup. The registry key modifications are given below.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"_Windows" = "%WINDOWS%\WinSecurity\services.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"_Windows" = "%WINDOWS%\WinSecurity\services.exe"
The Sober.X worm collects e-mail addresses from files with the following extensions:
.abc
.abd
.abx
.adb
.ade
.adp
.adr
.asp
.bak
.bas
.cfg
.cgi
.cls
.cms
.csv
.ctl
.dbx
.dhtm
.doc
.dsp
.dsw
.eml
.fdb
.frm
.hlp
.imb
.imh
.imm
.inbox
.ini
.jsp
.ldb
.ldif
.log
.mbx
.mda
.mdb
.mde
.mdw
.mdx
.mht
.mmf
.msg
.nab
.nch
.nfo
.nsf
.nws
.ods
.oft
.php
.phtm
.pl
.pmr
.pp
.ppt
.pst
.rtf
.shtml
.slk
.sln
.stm
.tbb
.txt
.uin
.vap
.vbs
.vcf
.wab
.wsh
.xhtml
.xls
.xml
This worm is also known as I-Worm.Sober.Y, WORM_SOBER.AG, Sober.X and W32/Sober-Gen. The Sober.X variant appeared on 21st November 2005.
How can I protect my system?
Solo has incorporated W32.Sober.X@mm in its signature file to protect users from this worm. Registered Solo Antivirus users are already protected from this worm. Make sure that you have installed the registered version of Solo Antivirus to protect your system from all virus threats.
How to remove this worm?
If you are already infected with this worm, you can remove it from your computer using Solo Antivirus software. Solo Antivirus can detect and remove W32.Sober.X@mm safely. Use the following link to download the 30-day trial version of Solo Antivirus to remove viruses from your computer.

Solo Antivirus not only scans for all viruses, it also contains a unique System Integrity Checker to protect you from new Internet worms, backdoors and malicious VB and Java scripts. It also effectively removes all existing Internet worms, file viruses, malicious VBS and Java scripts, Trojans, backdoors, boot sector, partition table and macro viruses.
You can purchase Solo Antivirus using the link below.