Alias: W32.Sober.H@mm, Troj/Sober-H, Trojan.Ascetic.A
Type: Worm
Size: 59,747 Bytes
Origin: unknown
Date: 06-11-2004
Damage:
VDF Version: 6.25.00.92
Danger: Low
Distribution: Medium

Distribution
* Sent by SPAM emails
* Downloaded by WIN PE files

Technical Details
When activated, Worm/Sober.H drops the following files into the Windows system directory:

* bcegfds.lll
* zhcarxxi.vvx
* cvqaikxt.apk
* Odin-Anon.Ger
* mswn32sock.dats
* llsapwin32.dats

Then it copies itself into the system folder under a random name. The file name is composed at random from the following strings:

* sys
* host
* dir
* expolrer
* win
* run
* log
* 32
* disc
* crypt
* data
* diag
* spool
* service
* smss32

In order to be activated at the next system start, the worm creates the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
"%random_name%" = "%SystemDir%\%random_name%.exe %1"

Then the worm tries to download the file "winhlpx32ll.exe" from a freenet account. This file is copied to the system folder and executed.

Worm/Sober.H has its own SMTP engine. This enables it to send emails without needing a client program. The worm searches for email addresses in all files with extensions: abc, abd, abx, adb, ade, adp, adr, asp, bak, bas, cfg, cgi, cls, cms, csv, ctl, dbx, dhtm, doc, dsp, dsw, eml, fdb, frm, hlp, imb, imh, imh, imm, inbox, ini, jsp, ldb, ldif, log, mbx, mda, mdb, mde, mdw, mdx, mht, mmf, msg, nab, nch, nfo, nsf, nws, ods, oft, php, pl, pmr, pp, ppt, pst, rtf, shtml, slk, sln, stm, tbb, txt, uin, vap, vbs, vcf, wab, wsh, xhtml, xls, xml.

The emails sent by the worm carry no attachment. They do, however, contain German texts with racist content.

Worm/Sober.H does not send emails to addresses containing the following strings:

* dav
* .dial.
* .kundenserver.
* .ppp.
* .qmail@
* .sul.t-
* @arin
* @avp
* @ca.
* @example.
* @foo.
* @from.
* @gmetrf
* @iana
* @ikarus.
* @kaspers
* @messagelab
* @msn
* @nai.
* @panda
* @smtp.
* @sophos
* @www
* abuse
* announce
* antivir
* anyone
* anywhere
* bellcore.
* bitdefender
* clock
* detection
* domain.
* emsisoft
* ewido.
* free-av
* freeav
* ftp.
* gold-certs
* host.
* icrosoft
* ipt.aol
* law2
* mailer-daemon
* mantec
* me@
* mozilla
* msdn.
* mustermann@
* nlpmail01.
* nothing
* reciver@
* secure
* smtp-
* somebody
* someone
* spybot
* sql.
* subscribe
* t-dialin
* t-ipconnect
* time
* user@
* variabel
* verizon.
* viren
* virus
* whatever@
* whoever@
* winrar
* winzip
* you@
* yourname

Description added by Crony Walker on Tuesday, 15 June 2004
