Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
|
Minimum DAT
4490 (2005-05-12) Updated DAT4633 (2005-11-21) |
Minimum Engine
5.1.00 File Length53,801 Bytes |
Description Added
2005-05-12 Description Modified2005-05-19 |
Malware Proliferation
Characteristics
This Sober variant uses its own SMTP engine to send spammed messages to email addresses found on the infected system. It can generate several different email messages randomly, in either English or German depending on the version of Windows. Some messages may contain several links inside them.
When the worm is executed it creates the following folder:
- %Windir%\Help\Help
It copies itself to the above folder as:
The following registry run keys are created to load itself at system startup.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run "SystemBoot" = %Windir%\Help\Help\Services.exe - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "SystemBoot" = %Windir%\Help\Help\Services.exe
Symptoms
File Symptoms
The following files are created:
- c:\WINDOWS\Help\Help\fastso.ber
- c:\WINDOWS\system32\adcmmmmq.hjg
- c:\WINDOWS\system32\langeinf.lin
- c:\WINDOWS\system32\nonrunso.ber
- c:\WINDOWS\system32\seppelmx.smx
- c:\WINDOWS\system32\xcvfpokd.tqa
The following files contain email related data:
- sacri1.ggg
- sacri2.ggg
- sacri3.ggg
- voner1.von
- voner2.von
- voner3.von
Method of Infection
This threat spams email messages to email addresses that are harvested from files containing the following extensions:
- pmr
- phtm
- stm
- slk
- inbox
- imb
- csv
- bak
- imh
- xhtml
- imm
- imh
- cms
- nws
- vcf
- ctl
- dhtm
- cgi
- pp
- ppt
- msg
- jsp
- oft
- vbs
- uin
- ldb
- abc
- pst
- cfg
- mdw
- mbx
- mdx
- mda
- adp
- nab
- fdb
- vap
- dsp
- ade
- sln
- dsw
- mde
- frm
- bas
- adr
- cls
- ini
- ldif
- log
- mdb
- xml
- wsh
- tbb
- abx
- abd
- adb
- pl
- rtf
- mmf
- doc
- ods
- nch
- xls
- nsf
- txt
- wab
- eml
- hlp
- mht
- nfo
- php
- asp
- shtml
- dbx
While avoiding addresses containing the following strings:
- @www
- @from.
- smtp-
- @smtp.
- ftp.
- .dial.
- .ppp.
- anyone
- @gmetref
- sql.
- someone
- nothing
- you@
- user@
- reciver@
- somebody
- secure
- whatever@
- whoever@
- anywhere
- yourname
- mustermann@
- mailer-daemon
- variabel
- noreply
- -dav
- law2
- .qmail@
- freeav
- @ca.
- abuse
- winrar
- domain.
- host.
- viren
- bitdefender
- spybot
- detection
- ewido.
- emsisoft
- linux
- @foo.
- winzip
- @example.
- bellcore.
- @arin
- @iana
- @avp
- icrosoft.
- @sophos
- @panda
- @kaspers
- free-av
- antivir
- virus
- verizon.
- @ikarus.
- @nai.
- @messagelab
- nlpmail01.
- clock
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Variants