Sober.U worm
Also known as:
W32/Sober.Z.worm (Panda), W32/Sober.U@MM (McAfee), W32.Sober.R@mm (Symantec), W32/Sober.U@mm (F-Prot, Command), W32/Sober-P (Sophos), Win32.Sober.U@mm (BitDefender), I-Worm.Sober.V (VirusBuster)
Type:
Worm
Discovered:
November 14, 2005
Email characteristics:
Sober.U arrives as an email message written in either German or English; the language is chosen according to the recipient's email domain.
The English version appears as follows:
Subject: Your email
Message body: Hello,
Sorry, sorry sorry, because,, my English is not the best!
ok, I've got an email with an Excel-Table. But I am not the recipient, the recipient are you!
I think, it's an mail error!
OK, here is your table back!
cya....
Attachment: excel_table.zip
The German language version arrives in email as follows (lure text reproduced verbatim, with an English translation below it):
Subject:
Message body: Guten Tag,
Ok, hier haben Sie sie wieder zurueck!
Tabelle jemand schickte mir eine Mail mit einer Excel oder Access Tabelle (kenne mich da nicht so aus!).
Jedenfalls ist diese Mail aber an ihre Mail Adresse adressiert, aber zu meiner gekommen??? Ist wohl irgendein Fehler.
(English translation: "Good day, OK, here you have it back! Table someone sent me a mail with an Excel or Access table (I don't know much about that!). Anyway, this mail is addressed to your mail address, but it came to mine??? It must be some kind of error.")
Attachment: Tabelle.zip
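The subject, attachment name and body phrases above are enough to write a mail-gateway check. The following is an added example, not code from the original page or from any antivirus vendor: it parses raw RFC 822 messages with Python's standard library, scores them against the indicators listed in this entry, and refuses to block on the attachment name alone, since Tabelle.zip or excel_table.zip could plausibly be legitimate. The three sample messages are constructed here for testing; their zip payload is a placeholder, not the worm.

```python
"""Flag mail that matches the Sober.U lure described above (added example)."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the description above, lower-cased for matching.
LURE_SUBJECTS = {"your email"}          # English variant; the German one has an empty subject
LURE_ATTACHMENTS = {"excel_table.zip", "tabelle.zip"}
LURE_PHRASES = (
    "sorry, sorry sorry, because,, my english is not the best",
    "here is your table back",
    "hier haben sie sie wieder zurueck",
    "ist wohl irgendein fehler",
)


def attachment_names(msg):
    """Lower-cased filenames of every part that carries one."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]


def body_text(msg):
    """Decoded text of all non-attachment text/plain parts, lower-cased."""
    chunks = [p.get_content() for p in msg.walk()
              if p.get_content_type() == "text/plain" and not p.get_filename()]
    return " ".join(chunks).lower()


def classify(raw):
    """Return the list of indicators matched by one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in LURE_SUBJECTS:
        hits.append("subject")
    if any(name in LURE_ATTACHMENTS for name in attachment_names(msg)):
        hits.append("attachment")
    text = body_text(msg)
    hits.extend("body:" + phrase for phrase in LURE_PHRASES if phrase in text)
    return hits


def is_sober_u(raw):
    """Require the lure attachment name plus at least one further indicator."""
    hits = classify(raw)
    return "attachment" in hits and len(hits) >= 2


def build_sample(subject, body, attachment):
    """Constructed test message; the zip bytes are a placeholder, not the worm."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"
    msg["To"] = "you@example.org"
    if subject is not None:          # None reproduces the German variant's empty subject
        msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"PK\x03\x04" + b"\0" * 26, maintype="application",
                       subtype="zip", filename=attachment)
    return msg.as_bytes()


def sample_messages():
    """Three constructed messages: the two lures from this entry and a benign one."""
    return {
        "english": build_sample(
            "Your email",
            "Hello,\nSorry, sorry sorry, because,, my English is not the best!\n"
            "ok, I've got an email with an Excel-Table. But I am not the recipient, "
            "the recipient are you!\nI think, it's an mail error!\n"
            "OK, here is your table back!\ncya....\n",
            "excel_table.zip"),
        "german": build_sample(
            None,
            "Guten Tag,\nOk, hier haben Sie sie wieder zurueck!\n"
            "Tabelle jemand schickte mir eine Mail mit einer Excel oder Access Tabelle "
            "(kenne mich da nicht so aus!).\nJedenfalls ist diese Mail aber an ihre Mail "
            "Adresse adressiert, aber zu meiner gekommen??? Ist wohl irgendein Fehler.\n",
            "Tabelle.zip"),
        "benign": build_sample(
            "Your email address was updated",
            "Hi,\nthe quarterly figures are in the attached table.\n",
            "table.zip"),
    }


if __name__ == "__main__":
    for label, raw in sample_messages().items():
        print(label, is_sober_u(raw), classify(raw))
```

Matching is done on the decoded message body, so the check still works when the MTA re-encodes the text as quoted-printable or base64; matching on the raw wire bytes would miss that.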
System Impact:
When the executable inside the attachment is run, Sober.U creates the following files:
C:\Windows\hjgerhds.exe
C:\Windows\ConnectionStatus\Microsoft\services.exe
C:\Windows\System32\gdfjgthv.cvq
C:\Windows\System32\langeinf.lin
C:\Windows\System32\nonrunso.ber
C:\Windows\System32\System32\rubezahl.rub
C:\Windows\System32\System32\runstop.rst
Note: The exact name of the Windows directory and System directory may vary depending on the operating system.
Sober.U adds the following value to both the HKCU and HKLM Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run) so that it is loaded when Windows starts:
'WinCheck = C:\Windows\ConnectionStatus\Microsoft\services.exe'
Removal Notes:
Use up-to-date antivirus software to identify the worm's files, and either let it delete them or delete them manually. If deleting manually, first terminate the running worm process (the services.exe under the ConnectionStatus\Microsoft directory, not the legitimate Windows services.exe in the System directory), because Windows will not delete an executable that is still running; then delete the files listed above and remove the WinCheck value from both the HKCU and HKLM Run keys.
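The file list and Run value under System Impact, together with the manual steps above, translate directly into a host check. The script below is an added example, not code from the original page or from any antivirus vendor: it looks for the dropped files relative to the real Windows directory (since the directory name varies), enumerates the HKCU and HKLM Run keys, matches the WinCheck value by its path tail so that a non-standard Windows directory is still caught, and only deletes anything when passed --clean. The file list is taken exactly as printed above, including the doubled System32 path. The `exists` and `values` parameters are injectable so the matching logic can be exercised off a Windows host.

```python
"""Check a Windows host for the Sober.U artefacts listed above (added example)."""
import ntpath
import os
import sys

# Dropped files relative to the Windows directory, exactly as listed in this entry.
DROPPED_FILES = (
    r"hjgerhds.exe",
    r"ConnectionStatus\Microsoft\services.exe",
    r"System32\gdfjgthv.cvq",
    r"System32\langeinf.lin",
    r"System32\nonrunso.ber",
    r"System32\System32\rubezahl.rub",
    r"System32\System32\runstop.rst",
)
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "WinCheck"
RUN_VALUE_TAIL = r"\connectionstatus\microsoft\services.exe"   # compared lower-cased


def windows_dir():
    """%SystemRoot% on Windows; the fixed default only matters for offline tests."""
    return os.environ.get("SystemRoot", r"C:\Windows")


def ioc_paths(root=None):
    """Absolute paths of the dropped files under the given Windows directory."""
    root = root or windows_dir()
    return [ntpath.join(root, rel) for rel in DROPPED_FILES]


def present_ioc_files(exists=os.path.exists, root=None):
    """Return the listed paths that exist; `exists` is injectable for testing."""
    return [p for p in ioc_paths(root) if exists(p)]


def is_sober_run_value(name, data):
    """True for a Run value named WinCheck whose data points at the worm's
    services.exe. Only the path tail is compared because the Windows directory
    name varies; the legitimate System32\\services.exe does not match."""
    target = str(data).strip().strip('"').lower()
    return name.lower() == RUN_VALUE_NAME.lower() and target.endswith(RUN_VALUE_TAIL)


def suspicious_run_values(values):
    """Filter an iterable of (hive_label, value_name, value_data) tuples."""
    return [v for v in values if is_sober_run_value(v[1], v[2])]


def read_run_values():
    """Enumerate the HKCU and HKLM Run values (Windows only)."""
    import winreg  # standard library, present only on Windows
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    found = []
    for label, hive in hives:
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values in this key
                found.append((label, name, data))
                index += 1
    return found


def remove_artefacts(files, run_values):
    """Delete the dropped files and Run values. The worm's services.exe must not
    be running (kill it or boot to safe mode first) or os.remove raises."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    for path in files:
        os.remove(path)
        print("removed", path)
    for label, name, _ in run_values:
        with winreg.OpenKey(hives[label], RUN_KEY, 0, winreg.KEY_SET_VALUE) as key:
            winreg.DeleteValue(key, name)
        print("deleted", label, "Run value", name)


if __name__ == "__main__":
    files = present_ioc_files()
    values = suspicious_run_values(read_run_values())
    for item in files + values:
        print("found:", item)
    if "--clean" in sys.argv[1:] and (files or values):
        remove_artefacts(files, values)
    sys.exit(1 if (files or values) else 0)
```

Run it from an elevated prompt: without --clean it only reports, exiting 1 when anything is found, which makes it usable from a login script or a fleet-wide remote execution job; HKLM values need administrative rights to delete.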
Source: ...