Alias: W32.Sober.E
Type: Worm
Size: 30,720 Bytes
Origin:
Date: 00-00-0000
Damage: Sent by email.
VDF Version:
Danger: Low
Distribution: Low
Distribution
It searches for email addresses on all local drives, in files of type:
.abd .abx .adb .asp .dbx .doc .eml .ini .log .mdb .php .pl .rtf .shtml .tbb .ttt .txt .wab .xls.
The collected email addresses are saved in %Systemdir%\WinRun32.dll. Then the worm is sent to these addresses. The email contains:
From:
aRuder
g.rulers
S.Serger
Dude-X777
Nicole.Pam
R.Summer
T.Welder
Susan.Ewing
E.Ruders
Blond.Sybil
Michelle.Horn
Sabine.S-1977
E.Juller
Pamela-S
J.Moders
Regina-1978
BMueller4
Elsbeth.Sinker
Thomas.Schmahler
Nikki.1978
D.Rotter
Patricia.1979
Patty.Geldorf
H.Molma
Birgit.Muse
Peter.Selders
Johanna.1980
Nicole.Gellert
R.Niere
P.Schulz1
Kalif.Rent
Herbert.Weed
FParker
Samatha.Kelis
Kate.Lee
Bibi.Besen
Julia.Witt1
Alexander.Bendher
Rosemarie.Hetter
A.Rebert
Elke.Duerr
D.Winter1
Angelika.Neum
A.Kempen
KevinEder
Susan.Leet
Friedhelm.alt
Seth.Liveima
Eileen.Leen
D.Augustam
B.Kaine
MikeLord
Kathe.Meet
Marie.Dreher
Tom.Schon
Lisa.Redfield
P.Schulz1
C.Poller
Ulrike.Falkner
b.sieber006
Jundel
A.Mack1
R.Kleinmaurer
S.Loltke
followed by:
@gmx.net
@gmx.de.
Subject:
Hi
hi
Hi :-)
Ok ;-)
OK OK
OK Ok OK!
Hey!
Thx !!!
followed by:
.qmail
Body:
;-)
ha!
HA :-)
yo!
lol
LoL
LOL
Yo!
Attachment:
Text.zip
Text.pif
Read.zip
Read.pif
Graphic-doc.zip
Graphic-doc.pif
document.zip
document.pif
Word.zip
Word.pif
The worm skips the email addresses containing:
arcor
bigfoot
hotmail
online
web
yahoo
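The mail template above (sender local part plus gmx.net/gmx.de, one-word subject, smiley body, fixed attachment names) can be turned into a message-level check. The following is an added example written for this page, not Avira's detection logic: it parses a raw RFC 822 message with Python's standard `email` package, tests the four elements against the lists from the description, and only flags the message when the attachment name matches and at least two of the other elements do, so an ordinary `document.zip` sent by a colleague is not flagged on its own. Both sample messages are constructed.

```python
"""Score inbound mail against the Worm/Sober.E template described above.

Added example (not Avira's code). Constructed indicator lists are copied from
the description; the sample messages below are made up for the demo.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Sender local parts from the description, compared case-insensitively.
SENDER_NAMES = {n.lower() for n in """
aRuder g.rulers S.Serger Dude-X777 Nicole.Pam R.Summer T.Welder Susan.Ewing
E.Ruders Blond.Sybil Michelle.Horn Sabine.S-1977 E.Juller Pamela-S J.Moders
Regina-1978 BMueller4 Elsbeth.Sinker Thomas.Schmahler Nikki.1978 D.Rotter
Patricia.1979 Patty.Geldorf H.Molma Birgit.Muse Peter.Selders Johanna.1980
Nicole.Gellert R.Niere P.Schulz1 Kalif.Rent Herbert.Weed FParker Samatha.Kelis
Kate.Lee Bibi.Besen Julia.Witt1 Alexander.Bendher Rosemarie.Hetter A.Rebert
Elke.Duerr D.Winter1 Angelika.Neum A.Kempen KevinEder Susan.Leet Friedhelm.alt
Seth.Liveima Eileen.Leen D.Augustam B.Kaine MikeLord Kathe.Meet Marie.Dreher
Tom.Schon Lisa.Redfield C.Poller Ulrike.Falkner b.sieber006 Jundel A.Mack1
R.Kleinmaurer S.Loltke
""".split()}
SENDER_DOMAINS = {"gmx.net", "gmx.de"}
SUBJECTS = {"hi", "hi :-)", "ok ;-)", "ok ok", "ok ok ok!", "hey!", "thx !!!"}
BODIES = {";-)", "ha!", "ha :-)", "yo!", "lol"}
ATTACHMENTS = {f"{stem}.{ext}".lower()
               for stem in ("Text", "Read", "Graphic-doc", "document", "Word")
               for ext in ("zip", "pif")}


def sober_e_indicators(raw: str) -> dict:
    """Report which of the four template elements a raw message matches."""
    msg = message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.lower().rpartition("@")
    subject = str(msg.get("Subject", "")).strip().lower()
    body, attachments = "", []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            attachments.append(fname.lower())
        elif part.get_content_type() == "text/plain" and not body:
            body = part.get_content().strip().lower()
    return {
        "sender": local in SENDER_NAMES and domain in SENDER_DOMAINS,
        "subject": subject in SUBJECTS,
        "body": body in BODIES,
        "attachment": any(a in ATTACHMENTS for a in attachments),
    }


def is_sober_e(raw: str) -> bool:
    """A matching attachment name is required, plus two more template hits."""
    hits = sober_e_indicators(raw)
    return hits["attachment"] and sum(hits.values()) >= 3


# Constructed sample: the worm's template, as the description lays it out.
SAMPLE_WORM = """From: Nicole.Pam@gmx.net
To: victim@example.org
Subject: Hi :-)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

LOL
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Text.pif"

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed sample: a normal message that shares the one-word subject.
SAMPLE_BENIGN = """From: alice@example.com
To: bob@example.org
Subject: Hi
Content-Type: text/plain

Quick question about the meeting, lol
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(label, sober_e_indicators(raw), "->", is_sober_e(raw))
```

The threshold is deliberate: subject and body words such as "Hi" and "lol" are common in legitimate mail, so they only count in combination with the fixed attachment name.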
Technical Details
When activated, Worm/Sober.E copies itself as %Systemdir%\%random filename%.exe. The random name is formed out of the following strings:
sys
host
dir
explorer
win
run
log
32
disc
crypt
data
diag
spool
service
smss32
It makes the following autostart registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
"%random entry%"="%Systemdir%\%random filename%.exe%1"
It creates the following files:
%Systemdir%\msWord.wrd
%Systemdir%\MsHelp32.dat
%Systemdir%\WinRun32.dll (a logfile, containing the list of collected email addresses)
%Systemdir%\bcegfds.lll
%Systemdir%\zmndpgwf.kx
The worm starts Microsoft PaintBrush or displays a message:
"Graphic Modul not found".
If the system is not connected to the Internet, the worm tries to spread using all available dial-up connections and eventually displays the message:
"Microsoft Windows STOP: 0x80070725 {FatalSystemError}
System File [filename].exe
Connection lost or blocked by Firewall"
The worm contacts one of the following Network Time Protocol (NTP) servers through TCP port 37 to establish the date:
Rolex.PeachNet.edu
ntps1-1.cs.tu-berlin.de
ntp2.fau.de
ptbtime2.ptb.de
time.nrc.ca
ntp.metas.ch
ntps1-0.cs.tu-berlin.de
ntp0.fau.de
timelord.uregina.ca
ntp-1.ece.cmu.edu
ptbtime1.ptb.de
time.ien.it
ntp3.fau.de
time.chu.nrc.ca
clock.psu.edu
ntp1.fau.de
If the date is past March 24th, 2004, the worm downloads the file %Windir%\ndhaqqth.exe from one of the following websites through TCP port 80:
home.arcor.de
people.freenet.de
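The host-side indicators in this section (the dropped files, the executable name composed from the string fragments, and the Run/RunOnce values pointing at it) can be checked offline against exported data. The following is an added example written for this page, not Avira's code: it models the Run-key values as a dict and the system directory listing as a list so it runs anywhere, and tiles a file stem from the fragments listed above to decide whether it could be the worm's random name. That name test is only meaningful together with the Run-key location, because "explorer" is itself one of the fragments and a bare name test would match the legitimate binary. The sample data is constructed and the system directory path is an assumption.

```python
"""Check exported autostart values and a system-directory listing for the
Worm/Sober.E indicators described above.

Added example (not Avira's code). Indicator lists are taken from the
description; the sample registry values and file names are constructed.
"""
import re

# Fragments the worm concatenates to build its executable name.
NAME_PARTS = ["sys", "host", "dir", "explorer", "win", "run", "log", "32",
              "disc", "crypt", "data", "diag", "spool", "service", "smss32"]
# Files the worm creates in %Systemdir% (lower-cased for comparison).
DROPPED_FILES = {"msword.wrd", "mshelp32.dat", "winrun32.dll",
                 "bcegfds.lll", "zmndpgwf.kx"}
# Matches the start of a Run value: optional quote, directory, stem, ".exe".
EXE_PATH = re.compile(r'^"?(?P<dir>[^"]+)\\(?P<stem>[^\\"]+)\.exe"?', re.I)


def is_composed_name(stem: str) -> bool:
    """True if the whole stem can be tiled from NAME_PARTS, e.g. 'winlog32'."""
    stem = stem.lower()
    if not stem:
        return False
    # ok[i]: the first i characters can be tiled from the fragment list.
    ok = [True] + [False] * len(stem)
    for i in range(1, len(stem) + 1):
        ok[i] = any(ok[i - len(p)] and stem.endswith(p, 0, i)
                    for p in NAME_PARTS if len(p) <= i)
    return ok[len(stem)]


def scan_host(run_values: dict, system_dir_files: list,
              system_dir: str = r"C:\WINDOWS\system32") -> dict:
    """Combine the dropped-file and Run-key indicators into one verdict.

    run_values maps value name -> value data for the Run and RunOnce keys;
    system_dir_files is a plain listing of %Systemdir%. The default
    system_dir is an assumption for the demo.
    """
    dropped = sorted(f for f in system_dir_files if f.lower() in DROPPED_FILES)
    suspicious = []
    for name, value in run_values.items():
        m = EXE_PATH.match(value)
        # Only an .exe inside the system directory with a composed stem counts.
        if (m and m["dir"].lower() == system_dir.lower()
                and is_composed_name(m["stem"])):
            suspicious.append((name, value))
    return {
        "dropped_files": dropped,
        "suspicious_run": suspicious,
        "infected": bool(dropped or suspicious),
    }


# Constructed sample data: one composed-name Run value next to benign ones.
SAMPLE_RUN = {
    "WinLog32": r"C:\WINDOWS\system32\winlog32.exe %1",
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "Updater": r"C:\Program Files\Vendor\updater.exe /background",
}
SAMPLE_FILES = ["kernel32.dll", "WinRun32.dll", "msWord.wrd", "ntdll.dll"]

if __name__ == "__main__":
    print(scan_host(SAMPLE_RUN, SAMPLE_FILES))
```

On a real host the two inputs would come from `reg export` of the Run/RunOnce keys and a directory listing of %Systemdir%; the functions are kept free of Windows API calls so the logic can be exercised and unit-tested on any platform.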
Description inserted by Crony Walker on Tuesday, June 15, 2004