Alias: I-Worm.Sober.g, WORM_SOBER.G, W32/Sober.g@MM
Type: Worm
Size: 49,661 Bytes
Origin: unknown
Date: 05-15-2004
Damage: Overwrites files
VDF Version: 6.25.00.60
Danger: Medium
Distribution: Medium

Distribution: Sends itself by e-mail using its own SMTP engine.

Technical Details: When activated, Worm/Sober.G displays a "File not found" dialog with the message "Special-UnZip Data-Module is missing Open with Notepad?". If the user clicks "Yes", the worm creates the file "converted_%filename%.txt", where %filename% is the name of the worm's own file, fills it with random letters and digits, and opens it in Notepad.

The worm then installs itself by copying its file into the Windows System directory under a random name with an .exe extension. The name is built by concatenating strings from the following list:
- sys
- host
- dir
- expolrer
- win
- run
- log
- 32
- disc
- crypt
- data
- diag
- spool
- service
- smss32

The worm then creates the following registry entries so that its copy is started at logon. The value name is the same random name as the dropped file:
-[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"%random%" = "%WinSysDIR%\%random%.exe"

-[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"%random%" = "%WinSysDIR%\%random%.exe"

It then creates the following files in the Windows System directory:
- bcegfds.lll
- zhcarxxi.vvx
- cvqaikxt.apk

These zero-byte files serve as markers that deactivate earlier Sober variants on already-infected systems.

The following two files are also created:
- xdatxzap.zxp
- datsobex.wwr

These are a MIME-encoded copy of the worm's executable and a ZIP archive containing the worm's file; both are used when spreading by e-mail. The worm also creates the file NoSpam.readme in the Windows System directory and writes German text into it.

To collect e-mail addresses, the worm searches all hard disks for files with the following extensions:
- pmr
- stm
- slk
- inbox
- imb
- csv
- bak
- imh
- xhtml
- imm
- imh
- cms
- nws
- vcf
- ctl
- dhtm
- cgi
- pp
- ppt
- msg
- jsp
- oft
- vbs
- uin
- ldb
- abc
- pst
- cfg
- mdw
- mbx
- mdx
- mda
- adp
- nab
- fdb
- vap
- dsp
- ade
- sln
- dsw
- mde
- frm
- bas
- adr
- cls
- ini
- ldif
- log
- mdb
- xml
- wsh
- tbb
- abx
- abd
- adb
- pl
- rtf
- mmf
- doc
- ods
- nch
- xls
- nsf
- txt
- wab
- eml
- hlp
- mht
- nfo
- php
- asp
- shtml
- dbx

The collected e-mail addresses are stored in three files in the Windows System directory:
- winzweier.dats
- wincheck32.dats
- winexpoder.dats

While the worm is resident in memory it blocks access to these files, as well as to its MIME-encoded copy and its executable. It ignores e-mail addresses that contain any of the following strings:
- hotmail.com
- google.com
- microsoft.com
- bigfoot.com
- yahoo.com
- t-online.de

The worm sends e-mail messages in English and German, each carrying an attachment. The attachment is either an executable or a ZIP archive.
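The following triage script is an added example and is not Avira's code or part of the worm. It takes a snapshot of the two Run keys and a listing of the Windows System directory and reports the indicators described above: a Run value whose name equals the stem of an .exe in the System directory and whose stem can be split entirely into fragments from the worm's name list (the check covers every name the list can generate, not only one instance), plus the zero-byte marker files, the mail staging files and the address caches. The requirement of at least two fragments, the sample registry values and the directory listing are this example's own assumptions, not facts from the description; the Sober.G file and fragment names are copied from it.

```python
import ntpath

# Fragments Worm/Sober.G concatenates to build the name of its dropped
# executable (copied from the list in the description above).
SOBER_G_NAME_PARTS = (
    "sys", "host", "dir", "expolrer", "win", "run", "log", "32",
    "disc", "crypt", "data", "diag", "spool", "service", "smss32",
)

# Files the worm creates in the Windows System directory (from the description).
SOBER_G_MARKER_FILES = {"bcegfds.lll", "zhcarxxi.vvx", "cvqaikxt.apk"}
SOBER_G_STAGING_FILES = {"xdatxzap.zxp", "datsobex.wwr", "nospam.readme"}
SOBER_G_ADDRESS_CACHES = {"winzweier.dats", "wincheck32.dats", "winexpoder.dats"}

RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)


def sober_fragment_count(stem: str, parts=SOBER_G_NAME_PARTS) -> int:
    """Largest number of fragments from `parts` whose concatenation equals
    `stem` (case-insensitive), or 0 if no such split exists.
    Dynamic programme over string positions: reachable[i] says whether
    stem[:i] can be split, best[i] is the longest split found for it."""
    stem = stem.lower()
    n = len(stem)
    reachable = [False] * (n + 1)
    best = [0] * (n + 1)
    reachable[0] = True
    for i in range(1, n + 1):
        for p in parts:
            j = i - len(p)
            if j >= 0 and reachable[j] and stem[j:i] == p:
                reachable[i] = True
                best[i] = max(best[i], best[j] + 1)
    return best[n] if reachable[n] else 0


def is_sober_style_name(stem: str, min_parts: int = 2) -> bool:
    """Heuristic: the stem is built from at least `min_parts` fragments.
    The threshold of two is an assumption of this example, not something
    the description states; it stops lone words such as 'run' or 'log'
    from matching on their own."""
    return sober_fragment_count(stem) >= min_parts


def triage(run_values, system_dir_listing, system_dir=r"C:\WINDOWS\system32"):
    """Return a list of (indicator, detail) findings from a snapshot of the
    Run keys ({key: {value_name: data}}) and a System directory listing."""
    findings = []
    sysdir = system_dir.lower()
    for key in RUN_KEYS:
        for value_name, data in run_values.get(key, {}).items():
            path = data.strip().strip('"')
            folder = ntpath.dirname(path).lower()
            stem, ext = ntpath.splitext(ntpath.basename(path))
            # Sober.G pattern: value name == file stem, file in the System
            # directory, .exe extension, stem built from the fragment list.
            if (folder == sysdir and ext.lower() == ".exe"
                    and value_name.lower() == stem.lower()
                    and is_sober_style_name(stem)):
                findings.append(("run-key", f"{key}\\{value_name} -> {path}"))
    names = {ntpath.basename(n).lower() for n in system_dir_listing}
    for label, wanted in (("marker-file", SOBER_G_MARKER_FILES),
                          ("staging-file", SOBER_G_STAGING_FILES),
                          ("address-cache", SOBER_G_ADDRESS_CACHES)):
        for hit in sorted(names & wanted):
            findings.append((label, hit))
    return findings


# Constructed sample snapshot (not real forensic data): two Run values that
# look like Sober.G drops, two benign ones, and a System directory listing
# with some of the worm's files mixed among normal binaries.
SAMPLE_RUN_VALUES = {
    RUN_KEYS[0]: {
        "syshostlog32": r"C:\WINDOWS\system32\syshostlog32.exe",
        "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",  # not fragment-built
    },
    RUN_KEYS[1]: {
        "windiag": r'"C:\WINDOWS\system32\windiag.exe"',
        "explorer": r"C:\WINDOWS\explorer.exe",  # wrong folder, not 'expolrer'
    },
}
SAMPLE_SYSTEM32 = [
    "kernel32.dll", "ntoskrnl.exe", "syshostlog32.exe", "windiag.exe",
    "bcegfds.lll", "xdatxzap.zxp", "wincheck32.dats", "NoSpam.readme",
]

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_RUN_VALUES, SAMPLE_SYSTEM32):
        print(f"{indicator:14} {detail}")
```

On a live system the two dictionaries would be filled from the Run keys and a directory listing; the fragment check deliberately leaves real Windows names such as explorer.exe, winlogon.exe and services.exe unflagged because they cannot be split entirely into fragments from the list.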
Description inserted by Crony Walker on Tuesday, June 15, 2004
