Contact
About Avira
Press
Beta test
Language:
English
English
Deutsch
Français
Español
Italiano
Português
Русский
For Home
Avira Antivirus Premium
Avira Internet Security
For Business
Client/Servers
Avira Professional Security
Avira Server Security
Avira Business Security Suite
Avira Endpoint Security
Small Business
Managed Services
Gateways
Avira AntiVir MailGate
Avira MailGate Suite
Avira AntiVir Exchange
Avira AntiVir WebGate
Avira WebGate Suite
Avira AntiVir GateWay Bundle
Avira AntiVir SharePoint
Integration
Anti-Malware SDK (SAVAPI)
Antispam SDK (SPACE)
Rebranding & Bundling
Integration Services
Educational Discount
Support
For Home
Overview
Latest News
Video Tutorials
Knowledgebase
For Business
Overview
Latest News
Knowledgebase
Virus Lab
Virus Descriptions
Statistics
VDF History
About Malware
Viruses In the Wild
Submit Suspicious File
Download
Product Downloads
Technical Documentation
Product Lifecycle
VDF Update
Partner
Partner Locator
Become an Avira Partner
Affiliate
Free
Download
Search
Summary
Full description
Statistics
Alias:
I-Worm.Sober.b
Type:
Worm
Size:
54,784 bytes
Origin:
unknown
Date:
12-18-2003
Damage:
Sends itself by email
VDF Version:
6.23.00.13
Danger:
Low
Distribution:
Medium
General Description
Worm/Sober.B is programmed in Visual Basic 6 and has a size of 54,784 bytes. It sends itself using its own SMTP engine to all email addresses it can find on the local system.
Symptoms
When activating the worm, a false dialog box appears informing about an error: "Header is missing".
Distribution
* Sends itself by email, using its own SMTP engine.
Technical Details
The worm Sober.B was developed in Visual Basic 6 and packed with UPX, thus hiding the viral code. The size of the attachment in a Worm/Sober.B email can be different. The worm chooses random characters for the end of the file and so the size of the files can vary between 54 and 60 kbytes.
When the attachment is open, a window appears with the message "Header is missing". In background, the worm Sober.B copies itself on:
* C:\Windows\%System%\%random filename1%.exe (54.784 Bytes)
* C:\Windows\%System%\%random filename2%.exe (54.784 Bytes)
* C:\Windows\%System%\spooler.exe (54.784 Bytes)
* C:\Windows\%System%\mscolmon.ocx
The file "mscolmon.ocx" contains the email addresses found by the malware. Using its own STMP engine the worm Sober.B sends itself to these addresses. It looks for them on the local workstation in the files with the following extensions:
* .htt
* .rtf
* .doc
* .xls
* .ini
* .mdb
* .txt
* .htm
* .html
* .wab
* .pst
* .fdb
* .cfg
* .ldb
* .eml
* .abc
* .ldif
* .nab
* .adp
* .mdw
* .mda
* .mde
* .ade
* .sln
* .dsw
* .dsp
* .vap
* .php
* .asp
* .shtml
* .shtm
Worm/Sober.B infects the files in "My Shared Folder" and so it can spread using filesharing programs (P2P) as Kazaa or Emule.
The worm starts in two instances, so it is running in two places simultaneously in the system. If one of the processes is terminated, the other will establish its absence. The file spooler.exe, inserted by the worm, will restart the deactivated process. The names of the both processes are randomly generated and are not identical to the viral .EXE files. The user has no chance of terminating the both processes at the same time, using Task Manager.
If one attempts to remove the Auto Start entry of the active worm, it immediately writes itself back into the registry. This behavior is obtained with a Visual Basic Timer Object, which periodically checks the registry for this Autorun entry.
The worm enters the following register keys, which can have random names:
* [HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run]
"%Name%"="C:\\WINNT\\System32\\%random filename%.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run]
"%Name%"="C:\\WINNT\\System32\\%random filename%.exe"
The subject of the email the worm Sober.B sends has one of the following lines:
* George W. Bush wants a new war
* George W. Bush plans new wars
* Have you been hacked?
* You Got Hacked
* Hihi, ich war auf deinem Computer
* Der Kannibale von Rotenburg
* Du bist Ge-Hackt worden
* Ich habe Sie Ge-hackt
The name of the attachment will be randomly chosen from the following list:
* allfiles.cmd
* Files-Text.pif
* FilesList.pif
* Server.com
* yourlist.pif
* www.gwbush-new-wars.com
* www.hcket-user-pcs.com
The mail sent by the worm Sober.B can look like this:
Subject:
Re: George W.Bush plans new wars
Body:
Bush plans new wars again China, Cuba and Iran.
Please visit our website and vote against this very crazy war(s).
More information:
Attachment:
www.gwbush-new-wars.com
or
Subject:
Ich habe Sie Ge-hackt
Body:
Du fragst dich sicherlich, was ich alles von Dir habe,
siehe selbst
Attachment:
Files-Text.pif
or
Subject:
Fwd: Der Kannibale von Rotenburg
Body:
Entschuldigen Sie bitte diese überaus deutliche Betreffzeile!
Aber ein neuer Dialer macht mit dieser Überschrift unzählige User zu
Opfern.
Die User werden mit dem versprechen gelockt, sich das äusserts abscheuliche Tat-
Video anzuschauen zu dürfen. Stattdessen aber, installiert sich ein sehr teurer Dialer
und ein Virus
auf dem PC.
Da aber unzählige User auf diese Finte hereinfallen, haben wir mit
Zustimmung des Bundeskriminalamtes BKA, eine Web-Seite erstellt, wo einige dieser
äusserts brisanten Fotos und Videos einzusehen sind, um den Leuten die Neugier zu
nehmen.
Natürlich sind diese Videos und Fotos leicht zensiert worden.
Um auf diesen Web-Server zu gelangen, müssen Sie zuerst bestätigen, dass
Sie das 18 Lebensjahr bereits vollendet haben.
Wir bitten sie ausdrücklichst, keine Kinder diese Seite einsehen zu
lassen.
I.A.: Dieter BXXXXn
----- MultiMedia AG München ia. BKA (ORG. Rund-Mail V6.02)
----- Geschäftsführer: Michael LXXXXXXxn (xxxxxxx) FAX: xxxxxx
Attachment:
Server.com
or
Subject:
You Got Hacked
Body:
by me, idiot!
haha, very nice files on your system.
i've made a website. i show your files on this website hahaha
visit:
Attachment:
www.hcket-user-pcs.com
Manual Remove Instructions
- for Windows 2000/XP:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear.
Delete the following files:
* C:\%WinDir%\System32\<%var. Filename1%>.exe (54.784 Bytes)
* C:\%WinDir%\System32\<%var. Filename2%>.exe (54.784 Bytes)
* C:\%WinDir%\System32\spooler.exe (54.784 Bytes)
* C:\%WinDir%\System32\mscolmon.ocx
Start "regedit" after that and delete the following registry entries:
* [HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run]
"%Name%"="C:\\WINNT\\System32\\%random filename%.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run]
"%Name%"="C:\\WINNT\\System32\\%random filename%.exe"
Restart your computer.
- for Windows 9x/Me:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear.
Delete the following files:
* C:\%WinDir%\System\<%var. filename1%>.exe (54.784 Bytes)
* C:\%WinDir%\System\<%var. filename2%>.exe (54.784 Bytes)
* C:\%WinDir%\System\spooler.exe (54.784 Bytes)
* C:\%WinDir%\System\mscolmon.ocx
Start "regedit" after that and delete the following registry entries:
* [HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run]
"%Name%"="C:\\WINNT\\System32\\%random filename%.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run]
"%Name%"="C:\\WINNT\\System32\\%random filename%.exe"
Restart your computer.
Description inserted by Crony Walker on Tuesday, June 15, 2004
Back
.
.
.
.
