Alias/es: Email-Worm.Win32.Sober.t [KAV], W32.Sober.W@mm [NAV], W32/Sober-T [Sophos], W32/Sober.s.dr [McAfee], W32/Sober.T-mm, W32/Sober.X@mm, Worm.Sober.T-6 [ClamAV], WORM_SOBER.AD [Trend]
Detection Availability
Visible Symptoms
Detailed Analysis

This variant of Sober is very similar to existing variants: it is written in Visual Basic and spreads to other systems by mailing itself over SMTP.

Loading at Windows startup

The virus runs under the file name "services.exe" and registers itself to load at Windows startup -

The author chose the name "services.exe" deliberately, to confuse untrained users who try to terminate the virus by file name: every Windows installation already has a legitimate system file of that name running in memory. When hunting for the virus, check the image path of the process rather than its name; the genuine services.exe is loaded from the %SystemRoot%\System32 directory.

While the virus runs, it also creates 0 byte files with these file names -

If the virus process is terminated, these files remain on disk.

SMTP mass-mailing routine

The virus scans the infected computer for valid email addresses and stores the ones it finds in the file "concon.www", a plain text file whose list is terminated by the word "Ende". For each target address it builds one of two messages, in German or in English, depending on the target's email domain: if the address is judged to belong to a German-reading recipient the message is composed in German, otherwise in English. These are the two message formats -
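The two artifacts described above lend themselves to a small triage script. The following is an added example written for this page, not Fortinet's code and not the worm's: it parses a harvest file in the concon.www layout (addresses one per line, terminated by "Ende", with a flag when the terminator is missing because the process was killed mid-sweep), reproduces the German-or-English choice, and flags any process image named services.exe that is not the genuine %SystemRoot%\System32 copy. The TLD list used for "German-reading" is an assumption; the analysis says only that the decision depends on the target domain and does not list the domains. The sample harvest file and process list are constructed, not real captures.

```python
"""Triage helpers for the Sober.T behaviour described in the analysis.

Added example, not Fortinet's or the worm's code. Two checks:
  1. parse a harvested-address file in the concon.www layout
     (one address per line, list terminated by the word "Ende");
  2. flag a running "services.exe" whose image path is not the genuine
     Windows one (%SystemRoot%\\System32\\services.exe).
"""
import ntpath
import re

# Assumption: the worm judges "German-reading" by top-level domain. The
# analysis does not list the domains it uses; these are for illustration.
GERMAN_TLDS = {"de", "at", "ch", "li"}

# Loose address pattern, enough to drop junk lines from a harvest file.
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


def parse_concon(text):
    """Return (addresses, terminated) for a concon.www-style file.

    Addresses are collected until the terminator line "Ende"; anything
    after it is ignored. `terminated` is False when no "Ende" line was
    found, which tells the analyst the sweep was interrupted.
    """
    addrs, terminated = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Ende":
            terminated = True
            break
        if ADDR_RE.match(line):
            addrs.append(line.lower())
    return addrs, terminated


def message_language(addr):
    """German for a recipient judged German-reading, otherwise English."""
    tld = addr.rsplit(".", 1)[-1].lower()
    return "de" if tld in GERMAN_TLDS else "en"


def fake_services_exe(image_paths, system_root=r"C:\Windows"):
    """Return image paths named services.exe that are not the genuine
    %SystemRoot%\\System32\\services.exe (compared case-insensitively)."""
    genuine = ntpath.normcase(
        ntpath.join(system_root, "System32", "services.exe"))
    return [p for p in image_paths
            if ntpath.normcase(ntpath.basename(p)) == "services.exe"
            and ntpath.normcase(p) != genuine]


# Constructed sample input, not a real capture.
SAMPLE_CONCON = """alice@example.de
bob@example.com
not an address
carla@example.at
Ende
leftover@example.com
"""

SAMPLE_PROCS = [
    r"C:\Windows\System32\services.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Documents and Settings\user\services.exe",
]

if __name__ == "__main__":
    addrs, ok = parse_concon(SAMPLE_CONCON)
    for a in addrs:
        print(a, message_language(a))
    print("terminated by Ende:", ok)
    print("suspicious services.exe:", fake_services_exe(SAMPLE_PROCS))
```

On a live host the process list would come from a tool that reports full image paths (for example the output of `wmic process get ExecutablePath` or a Process Explorer export); the path comparison, not the file name, is what separates the worm's copy from the real service.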
Recommended Action
FortiGate systems: