Alias: WORM_SOBER.GEN (Trend Micro)
Type: Worm
Size: 73.541 bytes
Origin:
Date: 04-19-2005
Damage:
VDF Version: 6.30.00.113
Danger: Low
Distribution: Medium

General Description

Affected Platforms:
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003

Symptoms

[Damage routine]
- Email sending

Technical Details

If Worm/Sober.O is executed, it opens the Notepad editor and displays the text "UnPack failed", followed by further text strings (see screenshot):

http://www.antivir.de/fileadmin/viruslab/sobero.JPG

The worm creates the following files:

%WinDIR%\Config\System\maddys.xyz

%WinDIR%\Config\System\Services.exe

%WinDIR%\Config\System\zipped.wrm (Base64-encoded)

The following entries are created in the Windows Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemCheck"="C:\\%WinDIR%\\Config\\system\\services.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"_SystemCheck"="C:\\%WinDIR%\\Config\\system\\services.exe"
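The two Run-key values and the dropped files above are the indicators a responder would check first. The following Python script is an added example (not Avira's tooling) that looks for exactly these indicators in a host snapshot; the snapshot shape (a dict of Run-key values plus a set of file paths) and the `C:\Windows` default for `%WinDIR%` are assumptions made for the example, and on a live Windows host the snapshot would be filled from the `winreg` module and `os.path.exists`.

```python
"""Check a host snapshot for the Worm/Sober.O persistence indicators
listed above: the two Run-key values and the files dropped under
%WinDIR%\\Config\\System. Added example, not Avira's tooling.

The snapshot shape (a dict of Run-key values and a set of file paths)
is an assumption made for this example; on a live Windows host you
would fill it from the winreg module and os.path.exists."""
import ntpath

# Value names, drop directory and file names copied from the description.
RUN_VALUE_NAMES = ("SystemCheck", "_SystemCheck")
DROP_DIR = r"%WinDIR%\Config\System"
DROPPED_FILES = ("maddys.xyz", "services.exe", "zipped.wrm")
# The description writes the Run-key data with a %WinDIR% placeholder,
# so only the path tail is compared and the prefix is ignored.
SERVICES_TAIL = r"\config\system\services.exe"


def _norm(path):
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normpath(path).lower()


def is_sober_run_value(value_name, value_data):
    """True if a Run-key entry looks like the documented Sober.O entry:
    name SystemCheck or _SystemCheck and data ending in
    \\Config\\System\\services.exe. The legitimate services.exe lives in
    System32, so that path does not match."""
    return value_name in RUN_VALUE_NAMES and _norm(value_data).endswith(SERVICES_TAIL)


def find_sober_indicators(run_values, existing_files, windir=r"C:\Windows"):
    """run_values: {key_path: {value_name: value_data}} for the Run keys;
    existing_files: full paths present on disk. Returns sorted hit lines."""
    hits = []
    for key_path, values in run_values.items():
        for name, data in values.items():
            if is_sober_run_value(name, data):
                hits.append(f"registry: {key_path}\\{name} = {data}")
    present = {_norm(p) for p in existing_files}
    drop_dir = _norm(DROP_DIR.replace("%WinDIR%", windir))
    for fname in DROPPED_FILES:
        full = ntpath.join(drop_dir, fname)
        if full in present:
            hits.append(f"file: {full}")
    return sorted(hits)


# Constructed snapshot of an infected host (sample data, not real telemetry).
SAMPLE_RUN_VALUES = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SystemCheck": r"C:\WINDOWS\Config\system\services.exe",
        "ctfmon": r"C:\WINDOWS\System32\ctfmon.exe",  # benign entry, must not match
    },
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
        "_SystemCheck": r"C:\WINDOWS\Config\system\services.exe",
    },
}
SAMPLE_FILES = {
    r"C:\WINDOWS\Config\System\maddys.xyz",
    r"C:\WINDOWS\Config\System\services.exe",
    r"C:\WINDOWS\System32\services.exe",  # legitimate Service Control Manager binary
}

if __name__ == "__main__":
    for hit in find_sober_indicators(SAMPLE_RUN_VALUES, SAMPLE_FILES):
        print(hit)
```

The check deliberately keys on the `\Config\System\services.exe` tail rather than the full path, because the worm borrows the name of the real `services.exe`; a rule that only looked for the file name would fire on every healthy host.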
Worm/Sober.O sends emails in both English and German.
The infectious emails are sent to addresses from various spam lists. An email has one of the following forms:

-FROM: %spoofed%

-SUBJECT: I've_got your EMail on my_account!

-BODY:

Hello,

First, Very Sorry for my bad English.

Someone is sending your private e-mails on my address. It's probably an e-mail provider error! At time, I've got over 10 mails on my account, but the recipient are you.

I have copied all the mail text in the windows text-editor for you & zipped then. Make sure, that this mails don't come in my mail-box again.

bye

-ATTACHMENT: your_text.zip

or

-FROM: %spoofed%

-SUBJECT: FwD: Ich bin's nochmal

-BODY:

Verdammt,,,,

ich hatte vergessen Dir meinen Text mitzuschicken.

Aber bitte nicht woanders darueber Reden, ich wuerde mich dann zu Tode blamieren!

Ich melde mich.

Bis bald ;)

-ATTACHMENT: Private-Texte.zip

When the ZIP archive attached to the email is unpacked, it yields the file "mail.document.Datex-packed.exe".

The worm searches for email addresses in files with the following extensions on the local disks:

.abc
.abd
.abx
.adb
.ade
.adp
.adr
.asp
.bak
.bas
.cfg
.cgi
.cls
.cms
.csv
.ctl
.dbx
.dhtm
.doc
.dsp
.dsw
.eml
.fdb
.frm
.hlp
.imb
.imh
.imm
.inbox
.ini
.jsp
.ldb
.ldif
.log
.mbx
.mda
.mdb
.mde
.mdw
.mdx
.mht
.mmf
.msg
.nab
.nch
.nfo
.nsf
.nws
.ods
.oft
.php
.phtm
.pl
.pmr
.pp
.ppt
.pst
.rtf
.shtml
.slk
.sln
.stm
.tbb
.txt
.uin
.vap
.vbs
.vcf
.wab
.wsh
.xhtml
.xls
.xml

Email addresses that contain one of the following strings are excluded: the worm does not send mail to them.

-dav
.dial.
.kundenserver.
.ppp.
.qmail@
.sul.t-
@arin
@avp
@ca.
@example.
@foo.
@from.
@gmetref
@iana
@ikarus.
@kaspers
@messagelab
@nai.
@panda
@smtp.
@sophos
@www
abuse
announce
antivir
anyone
anywhere
bellcore.
bitdefender
clock
detection
domain.
emsisoft
ewido.
free-av
freeav
ftp.
gold-certs
google
host.
icrosoft.
ipt.aol
law2
linux
mailer-daemon
mozilla
mustermann@
nlpmail01.
noreply
nothing
ntp-
ntp.
ntp@
office
password
postmas
reciver@
secure
service
smtp-
somebody
someone
spybot
sql.
subscribe
support
t-dialin
t-ipconnect
test@
time
user@
variabel
verizon.
viren
virus
whatever@
whoever@
winrar
winzip
you@
yourname
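The extension list and the exclusion list above together decide whose mailbox receives a copy of the worm. The following Python script is an added example (not Avira's code) that replays both rules over a constructed host inventory, which shows a defender why vendor, abuse and postmaster mailboxes never see samples of this worm and why a sensor mailbox whose address contains one of these strings would stay silent. Case-insensitive substring matching and matching on the file's last extension are assumptions made here; the description lists the strings but not how the worm compares them.

```python
"""Replay of the two address-selection rules documented above (added
example, not Avira's code): which local files the worm scans for
addresses, and which harvested addresses it refuses to mail.

Case-insensitive substring matching is an assumption made here; the
description lists the strings but not how they are compared."""
import ntpath

# Extension list copied from the description.
HARVEST_EXTENSIONS = set("""
.abc .abd .abx .adb .ade .adp .adr .asp .bak .bas .cfg .cgi .cls .cms .csv
.ctl .dbx .dhtm .doc .dsp .dsw .eml .fdb .frm .hlp .imb .imh .imm .inbox
.ini .jsp .ldb .ldif .log .mbx .mda .mdb .mde .mdw .mdx .mht .mmf .msg .nab
.nch .nfo .nsf .nws .ods .oft .php .phtm .pl .pmr .pp .ppt .pst .rtf .shtml
.slk .sln .stm .tbb .txt .uin .vap .vbs .vcf .wab .wsh .xhtml .xls .xml
""".split())

# Exclusion strings copied from the description, in the order listed there.
SKIP_STRINGS = """
-dav .dial. .kundenserver. .ppp. .qmail@ .sul.t- @arin @avp @ca. @example.
@foo. @from. @gmetref @iana @ikarus. @kaspers @messagelab @nai. @panda
@smtp. @sophos @www abuse announce antivir anyone anywhere bellcore.
bitdefender clock detection domain. emsisoft ewido. free-av freeav ftp.
gold-certs google host. icrosoft. ipt.aol law2 linux mailer-daemon mozilla
mustermann@ nlpmail01. noreply nothing ntp- ntp. ntp@ office password
postmas reciver@ secure service smtp- somebody someone spybot sql.
subscribe support t-dialin t-ipconnect test@ time user@ variabel verizon.
viren virus whatever@ whoever@ winrar winzip you@ yourname
""".split()


def is_harvest_target(path):
    """True if the worm would open this file looking for addresses.
    Only the last extension is compared (assumption), case-insensitively."""
    return ntpath.splitext(path)[1].lower() in HARVEST_EXTENSIONS


def skip_reason(address):
    """Return the first listed substring found in the address (the worm
    would not mail it), or None if the address would be used."""
    lowered = address.lower()
    for needle in SKIP_STRINGS:
        if needle in lowered:
            return needle
    return None


def triage(files, addresses):
    """Split an inventory into the files the worm would scan, the
    addresses it would mail, and the skipped addresses with their reason."""
    scanned = [f for f in files if is_harvest_target(f)]
    used = [a for a in addresses if skip_reason(a) is None]
    skipped = {a: skip_reason(a) for a in addresses if skip_reason(a) is not None}
    return scanned, used, skipped


# Constructed inventory for the demonstration (not real data).
SAMPLE_FILES = [
    r"C:\Docs\Outlook Express\Inbox.dbx",
    r"C:\Docs\contacts.wab",
    r"C:\Inetpub\wwwroot\index.php",
    r"C:\Docs\report.pdf",
    r"C:\Windows\System32\kernel32.dll",
]
SAMPLE_ADDRESSES = [
    "hans.mueller@beispiel-gmbh.test",
    "abuse@beispiel-gmbh.test",
    "postmaster@beispiel-gmbh.test",
    "samples@sophos.com",
    "user@example.com",
]

if __name__ == "__main__":
    scanned, used, skipped = triage(SAMPLE_FILES, SAMPLE_ADDRESSES)
    print("files scanned:", scanned)
    print("addresses mailed:", used)
    for addr, reason in skipped.items():
        print(f"skipped {addr} (matched {reason!r})")
```

Of the five constructed addresses only the ordinary user address is mailed; the abuse, postmaster and vendor mailboxes are dropped by the substring filter, which is why such mailboxes make poor sensors for this family.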
This description was created by Crony Walker on Tuesday, 15 June 2004.
