Virus Encyclopedia
I-Worm/Sober.P
This worm spreads by e-mails as a message attachment.
Installation:
When the worm is launched, it creates the directory %WINDIR%\Connection Wizard\Status and copies itself there under the names services.exe, smss.exe and csrss.exe. It also creates the help files packed1.sbr, packed2.sbr and packed3.sbr in the same folder. The worm registers the services.exe file in HKLM\Software\Microsoft\Windows\CurrentVersion\Run under the value name WinStart and in HKCU\Software\Microsoft\Windows\CurrentVersion\Run under the value name _WinStart.
As a side effect, a dialog window is displayed when the worm is launched.
Spreading: e-mail
The worm spreads by sending itself to e-mail addresses harvested from files with the following extensions: pmr, phtm, stm, slk, inbox, imb, csv, bak, imh, xhtml, imm, cms, nws, vcf, ctl, dhtm, cgi, pp, ppt, msg, jsp, oft, vbs, uin, ldb, abc, pst, cfg, mdw, mbx, mdx, mda, adp, nab, fdb, vap, dsp, ade, sln, dsw, mde, frm, bas, adr, cls, ini, ldif, log, mdb, xml, wsh, tbb, abx, abd, adb, pl, rtf, mmf, doc, ods, nch, xls, nsf, txt, wab, eml, hlp, mht, nfo, php, asp, shtml and dbx.
The message comes in two language variants, English and German, chosen according to the recipient's domain.
The subject could be one of:
Ihr Passwort
Mail-Fehler!
Ihre E-Mail wurde verweigert
Ich bin's, was zum lachen ;)
Glueckwunsch: Ihr WM Ticket
WM Ticket Verlosung
WM-Ticket-Auslosung
Re:
Password
Registration Confirmation
Your email was blocked
mailing error
Body:
The body is randomly generated from text strings inside the worm's body.
Attachment:
The attachment name could be one of the following:
<pref>_PassWort-Info.zip
<pref>autoemail-text.zip
<pref>LOL.zip
<pref>mail_info.zip
<pref>okTicket-info.zip
<pref>Fifa_Info-Text.zip
<pref>our_secret.zip
<pref>info.zip
<pref>info-text.zip
<pref>secret.zip
where <pref> could be:
account_
error_
error-mail_
our_
The ZIP attachment contains a single file, Winzipped-Text_Data.txt .pif, which is a .pif executable despite the .txt in its name.
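As an added example (not part of the AVG entry), the following PowerShell function checks an attachment against the names described above and, for ZIP archives, inspects the entries for the payload file name and for the padded double-extension trick it relies on. The function name and the wider list of extensions in the heuristic are my own assumptions; the entry itself names only Winzipped-Text_Data.txt .pif. It uses the .NET ZipFile class, so it needs Windows PowerShell 5 or later (or PowerShell 7).

```powershell
# Added example, not from the AVG entry. Flags e-mail attachments that match
# the Sober.P naming scheme (prefix x suffix) and ZIP archives whose entries
# use a padded double extension such as ".txt .pif".
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Prefixes and suffixes as listed in the entry.
$prefixes = 'account_', 'error_', 'error-mail_', 'our_'
$suffixes = '_PassWort-Info.zip', 'autoemail-text.zip', 'LOL.zip', 'mail_info.zip',
            'okTicket-info.zip', 'Fifa_Info-Text.zip', 'our_secret.zip', 'info.zip',
            'info-text.zip', 'secret.zip'

# Every attachment name the entry describes (40 combinations).
$knownNames = foreach ($p in $prefixes) { foreach ($s in $suffixes) { "$p$s" } }

function Test-SoberPAttachment {
    param([Parameter(Mandatory)][string]$Path)

    $name    = [System.IO.Path]::GetFileName($Path)
    $reasons = @()

    # PowerShell -contains compares case-insensitively, which is what we want here.
    if ($knownNames -contains $name) {
        $reasons += "attachment name matches the Sober.P pattern ($name)"
    }

    if ($name -like '*.zip') {
        try {
            # Resolve to a full path: .NET does not share PowerShell's current location.
            $full = (Resolve-Path -LiteralPath $Path).ProviderPath
            $zip  = [System.IO.Compression.ZipFile]::OpenRead($full)
            try {
                foreach ($entry in $zip.Entries) {
                    if ($entry.Name -eq 'Winzipped-Text_Data.txt .pif') {
                        $reasons += "archive contains the Sober.P payload name ($($entry.Name))"
                    }
                    # Generalisation (my assumption): any document-looking name padded with
                    # whitespace before an executable extension is suspicious.
                    elseif ($entry.Name -match '\.(txt|doc|pdf)\s+\.(pif|exe|scr|com|bat)$') {
                        $reasons += "archive entry uses a padded double extension ($($entry.Name))"
                    }
                }
            }
            finally { $zip.Dispose() }
        }
        catch { $reasons += "could not open archive: $($_.Exception.Message)" }
    }

    [pscustomobject]@{
        Path       = $Path
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = $reasons
    }
}

# Usage: Get-ChildItem C:\quarantine\*.zip | ForEach-Object { Test-SoberPAttachment $_.FullName }
```

The name check alone is weak, since the worm's suffix list is short and easily changed; the archive inspection is the part worth keeping in a mail filter, because the padded ".txt .pif" name is what makes the payload look like a text file to the recipient.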
Removing:
Removal consists of deleting the files that AVG reports as I-Worm/Sober and then removing the references to these files from the registry. The files have to be deleted (either manually or by AVG) after booting Windows into DOS mode (Windows 9x) or Safe Mode (Windows NT/2000/XP).
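As an added example (not part of the AVG entry), the following PowerShell function reports the persistence artifacts listed in the Installation section and, with the -Remove switch, deletes them as the Removing section describes. The directory, file names, registry keys and value names come from the entry; the function and parameter names are my own. Run it from an elevated prompt, and run it with -Remove only after booting into Safe Mode, as the entry requires.

```powershell
# Added example, not from the AVG entry: check a Windows host for the
# Sober.P persistence artifacts and optionally remove them.
function Invoke-SoberPCheck {
    [CmdletBinding()]
    param(
        # Report only unless -Remove is given.
        [switch]$Remove
    )

    $statusDir = Join-Path $env:WINDIR 'Connection Wizard\Status'
    $findings  = @()

    # Dropped files: three copies of the worm named like core Windows binaries
    # (the genuine ones live in System32, never here) plus three .sbr help files.
    $droppedFiles = 'services.exe', 'smss.exe', 'csrss.exe',
                    'packed1.sbr', 'packed2.sbr', 'packed3.sbr'
    foreach ($name in $droppedFiles) {
        $path = Join-Path $statusDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Data = $null }
            if ($Remove) { Remove-Item -LiteralPath $path -Force }
        }
    }

    # Autostart entries: WinStart under HKLM, _WinStart under HKCU.
    $runValues = @(
        @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'WinStart'  },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = '_WinStart' }
    )
    foreach ($rv in $runValues) {
        # Returns $null when the value does not exist.
        $item = Get-ItemProperty -Path $rv.Key -Name $rv.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $findings += [pscustomobject]@{
                Type     = 'Registry'
                Location = "$($rv.Key)\$($rv.Name)"
                Data     = $item.($rv.Name)
            }
            if ($Remove) { Remove-ItemProperty -Path $rv.Key -Name $rv.Name -Force }
        }
    }

    return $findings
}

# Usage: Invoke-SoberPCheck | Format-Table -AutoSize     (add -Remove to clean up)
```

The registry values are reported with their data so that the path they point to can be compared with the dropped-file locations before anything is deleted; an entry named WinStart that points elsewhere should be investigated rather than removed blindly.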