Contact
A propos d'Avira
Presse
Version bêta
Language:
Français
English
Deutsch
Français
Español
Italiano
Português
Русский
Particuliers
Avira Antivirus Premium
Avira Internet Security
Entreprises
PC/serveurs
Avira Professional Security
Avira Server Security
Avira Business Security Suite
Avira Endpoint Security
PME
Services hébergés
Passerelles
Avira AntiVir MailGate
Avira MailGate Suite
Avira AntiVir Exchange
Avira AntiVir WebGate
Avira WebGate Suite
Avira AntiVir GateWay Bundle
Avira AntiVir SharePoint
Intégration
Anti-Malware SDK (SAVAPI)
Antispam SDK (SPACE)
Rebranding et regroupement
Services d’intégration
Remise Enseignement
Support
Particuliers
Aperçu
Dernières actualités
Tutoriels vidéo
Base de connaissances
Entreprises
Aperçu
Dernières actualités
Base de connaissances
Laboratoire antivirus
Descriptions de virus
Statistiques
Historique VDF
Virus "In the Wild"
Science des virus
Soumettre le Fichier Suspect
Téléchargements
Téléchargement produits
Documentation technique
Cycle de vie des produits
Mise à jour VDF
Partenaires
Trouver un partenaire
Devenir partenaire Avira
Société affiliée
Version gratuite
Télécharger
Rechercher
Brève description
Description complète
Statistiques
Alias:
I-Worm.Sober.b
Type:
Worm
Size:
54,784 bytes
Origin:
unknown
Date:
12-18-2003
Damage:
Sends itself by email
VDF Version:
6.23.00.13
Danger:
Low
Distribution:
Medium
General Description
Worm/Sober.B is programmed in Visual Basic 6 and has a size of 54,784 bytes. It sends itself using its own SMTP engine to all email addresses it can find on the local system.
Symptoms
When activating the worm, a false dialog box appears informing about an error: "Header is missing".
Distribution
* Sends itself by email, using its own SMTP engine.
Technical Details
The worm Sober.B was developed in Visual Basic 6 and packed with UPX, thus hiding the viral code. The size of the attachment in a Worm/Sober.B email can be different. The worm chooses random characters for the end of the file and so the size of the files can vary between 54 and 60 kbytes.
When the attachment is open, a window appears with the message "Header is missing". In background, the worm Sober.B copies itself on:
* C:\Windows\%System%\%random filename1%.exe (54.784 Bytes)
* C:\Windows\%System%\%random filename2%.exe (54.784 Bytes)
* C:\Windows\%System%\spooler.exe (54.784 Bytes)
* C:\Windows\%System%\mscolmon.ocx
The file "mscolmon.ocx" contains the email addresses found by the malware. Using its own STMP engine the worm Sober.B sends itself to these addresses. It looks for them on the local workstation in the files with the following extensions:
* .htt
* .rtf
* .doc
* .xls
* .ini
* .mdb
* .txt
* .htm
* .html
* .wab
* .pst
* .fdb
* .cfg
* .ldb
* .eml
* .abc
* .ldif
* .nab
* .adp
* .mdw
* .mda
* .mde
* .ade
* .sln
* .dsw
* .dsp
* .vap
* .php
* .asp
* .shtml
* .shtm
Worm/Sober.B infects the files in "My Shared Folder" and so it can spread using filesharing programs (P2P) as Kazaa or Emule.
The worm starts in two instances, so it is running in two places simultaneously in the system. If one of the processes is terminated, the other will establish its absence. The file spooler.exe, inserted by the worm, will restart the deactivated process. The names of the both processes are randomly generated and are not identical to the viral .EXE files. The user has no chance of terminating the both processes at the same time, using Task Manager.
If one attempts to remove the Auto Start entry of the active worm, it immediately writes itself back into the registry. This behavior is obtained with a Visual Basic Timer Object, which periodically checks the registry for this Autorun entry.
The worm enters the following register keys, which can have random names:
* [HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run]
"%Name%"="C:\\WINNT\\System32\\%random filename%.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run]
"%Name%"="C:\\WINNT\\System32\\%random filename%.exe"
The subject of the email the worm Sober.B sends has one of the following lines:
* George W. Bush wants a new war
* George W. Bush plans new wars
* Have you been hacked?
* You Got Hacked
* Hihi, ich war auf deinem Computer
* Der Kannibale von Rotenburg
* Du bist Ge-Hackt worden
* Ich habe Sie Ge-hackt
The name of the attachment will be randomly chosen from the following list:
* allfiles.cmd
* Files-Text.pif
* FilesList.pif
* Server.com
* yourlist.pif
* www.gwbush-new-wars.com
* www.hcket-user-pcs.com
The mail sent by the worm Sober.B can look like this:
Subject:
Re: George W.Bush plans new wars
Body:
Bush plans new wars again China, Cuba and Iran.
Please visit our website and vote against this very crazy war(s).
More information:
Attachment:
www.gwbush-new-wars.com
or
Subject:
Ich habe Sie Ge-hackt
Body:
Du fragst dich sicherlich, was ich alles von Dir habe,
siehe selbst
Attachment:
Files-Text.pif
or
Subject:
Fwd: Der Kannibale von Rotenburg
Body:
Entschuldigen Sie bitte diese überaus deutliche Betreffzeile!
Aber ein neuer Dialer macht mit dieser Überschrift unzählige User zu
Opfern.
Die User werden mit dem versprechen gelockt, sich das äusserts abscheuliche Tat-
Video anzuschauen zu dürfen. Stattdessen aber, installiert sich ein sehr teurer Dialer
und ein Virus
auf dem PC.
Da aber unzählige User auf diese Finte hereinfallen, haben wir mit
Zustimmung des Bundeskriminalamtes BKA, eine Web-Seite erstellt, wo einige dieser
äusserts brisanten Fotos und Videos einzusehen sind, um den Leuten die Neugier zu
nehmen.
Natürlich sind diese Videos und Fotos leicht zensiert worden.
Um auf diesen Web-Server zu gelangen, müssen Sie zuerst bestätigen, dass
Sie das 18 Lebensjahr bereits vollendet haben.
Wir bitten sie ausdrücklichst, keine Kinder diese Seite einsehen zu
lassen.
I.A.: Dieter BXXXXn
----- MultiMedia AG München ia. BKA (ORG. Rund-Mail V6.02)
----- Geschäftsführer: Michael LXXXXXXxn (xxxxxxx) FAX: xxxxxx
Attachment:
Server.com
or
Subject:
You Got Hacked
Body:
by me, idiot!
haha, very nice files on your system.
i've made a website. i show your files on this website hahaha
visit:
Attachment:
www.hcket-user-pcs.com
Manual Remove Instructions
- for Windows 2000/XP:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear.
Delete the following files:
* C:\%WinDir%\System32\<%var. Filename1%>.exe (54.784 Bytes)
* C:\%WinDir%\System32\<%var. Filename2%>.exe (54.784 Bytes)
* C:\%WinDir%\System32\spooler.exe (54.784 Bytes)
* C:\%WinDir%\System32\mscolmon.ocx
Start "regedit" after that and delete the following registry entries:
* [HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run]
"%Name%"="C:\\WINNT\\System32\\%random filename%.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run]
"%Name%"="C:\\WINNT\\System32\\%random filename%.exe"
Restart your computer.
- for Windows 9x/Me:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear.
Delete the following files:
* C:\%WinDir%\System\<%var. filename1%>.exe (54.784 Bytes)
* C:\%WinDir%\System\<%var. filename2%>.exe (54.784 Bytes)
* C:\%WinDir%\System\spooler.exe (54.784 Bytes)
* C:\%WinDir%\System\mscolmon.ocx
Start "regedit" after that and delete the following registry entries:
* [HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run]
"%Name%"="C:\\WINNT\\System32\\%random filename%.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run]
"%Name%"="C:\\WINNT\\System32\\%random filename%.exe"
Restart your computer.
Description insérée par Crony Walker le mardi 15 juin 2004
Retour
.
.
.
.
