Win32/Sober.A is a worm that spreads as a file attached to e-mail messages. The compressed worm is approximately 63 Kb long; after decompression it is 237 Kb. It runs on Windows 95 and newer versions of the Windows operating system.
Win32/Sober.A arrives in a message whose subject is chosen at random from the following list:
Neuer Virus im Umlauf!
Back At The Funny Farm
Sie versenden Spam Mails (Virus?)
Ein Wurm ist auf Ihrem Computer!
Langsam reicht es mir
Sie haben mir einen Wurm geschickt!
Hi Schnuckel was machst du so
VORSICHT!!! Neuer Mail Wurm
Sorry, Ich habe Ihre Mail bekommen
Hi Olle, lange niks mehr gehört!
Viurs blockiert jeden PC (Vorsicht!)
Überraschung>Ich habe Ihre E-Mail bekommen !
Jetzt rate mal, wer ich bin !?
Neue Sobig Variante (Lesen!!)
Ich Liebe Dich
New internet virus!
You send spam mails (Worm?)
A worm is on your computer!
You have sent me a virus!
Hi darling, what are you doing now?
Be careful! New mail worm
Sorry, I've become your mail
Hey man, long not see you
Viurs blocked every PC (Take care!)
Surprise,I've become your mail! Advise who I am!
New Sobig-Worm variation (please read)
I love you (I'm not a virus!)
I permanently get Spam-Mails from you and inside is a virus!!
You should remove these thing
The text of the body is chosen from a number of predefined strings in German or English. These strings are contained in the body of the worm and are freely visible after the file is decompressed.
A copy of the worm is attached to the e-mail message; the name of the attached file is chosen from the following list.
Note: In the following text, the symbolic notation %windir% is used in place of the name of the directory in which the Windows operating system is installed. This may differ from installation to installation. The System or System32 subdirectory of %windir% is referred to as %system%.
The worm is activated when the file attached to the message is run. A window with a fake error message is displayed.
The worm creates a file containing a copy of itself in the %system% directory. This file can have different names, e.g. artiv.exe, sy-?O?T.exe or similare.exe. The length of these files is 63488 bytes. The worm ensures that its copy is activated after the operating system restarts by creating a value named syspath under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and setting that value to the path of its copy in the %system% directory.
Win32/Sober.A collects the e-mail addresses it uses for spreading from files located on the hard drive. It saves these addresses in the file Media.dll, located in the Macromed\Help subdirectory of %system%.
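The host artifacts described above (the syspath Run value, the 63488-byte copy in %system%, and Media.dll under Macromed\Help) can be checked together against a collected host inventory. The following Python code is an added example, not part of the original entry or of NOD32; the function names and the input format (a dictionary of Run values and a dictionary mapping file paths to sizes) are assumptions, and the sample data is constructed.

```python
import ntpath

# Host indicators taken from the description above.
RUN_VALUE = "syspath"
COPY_SIZE = 63488
ADDRESS_STORE = ntpath.join("macromed", "help", "media.dll")


def norm(path):
    """Windows paths are case-insensitive; Run data may be quoted."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def check_host(windir, run_values, files):
    """Return a list of (indicator, path) findings for one host.
    run_values: {value name: data} from HKLM\\...\\CurrentVersion\\Run
    files: {full path: size in bytes} for the %system% tree
    (both input shapes are assumptions of this example).
    """
    system_dirs = [norm(ntpath.join(windir, d)) for d in ("System", "System32")]
    sizes = {norm(p): s for p, s in files.items()}
    findings = []

    for name, data in run_values.items():
        if name.lower() != RUN_VALUE:
            continue
        target = norm(data)
        in_system = ntpath.dirname(target) in system_dirs
        if in_system and sizes.get(target) == COPY_SIZE:
            findings.append(("run_key_and_copy", target))  # strongest match
        elif in_system:
            findings.append(("run_key_only", target))  # file missing or resized

    for sysdir in system_dirs:
        store = ntpath.join(sysdir, ADDRESS_STORE)
        if store in sizes:
            findings.append(("address_store", store))
    return findings


# Constructed sample inventory, not taken from a real host.
SAMPLE_RUN = {"syspath": r"C:\WINDOWS\System32\similare.exe", "Updater": r"C:\Tools\upd.exe"}
SAMPLE_FILES = {
    r"C:\Windows\system32\similare.exe": 63488,
    r"C:\Windows\system32\Macromed\Help\Media.dll": 2048,
}

if __name__ == "__main__":
    print(check_host(r"C:\Windows", SAMPLE_RUN, SAMPLE_FILES))
```

A finding is a lead for triage rather than a verdict; confirmation should come from scanning the referenced file.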
NOD32 detects the Win32/Sober.A worm using extended heuristics, without upgrading. Sample-based detection of Win32/Sober.A is added from version 1.542.
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.