Virus Encyclopedia
I-Worm/Sober.Q
This worm sends spam messages from the infected computer.
Installation:
When the worm is launched, it creates a \Help directory in the %WINDIR%\Help\ directory and copies itself into files named services.exe, smss.exe and csrss.exe. It also creates several help files in the same folder. The virus registers the services.exe file in HKLM\Software\Microsoft\Windows\CurrentVersion\Run as SystemBoot and in HKCU\Software\Microsoft\Windows\CurrentVersion\Run as _SystemBoot in the Windows Registry.
The virus also creates a Spammer.ReadMe text file in the %WINDIR%\system32\ directory, which contains the following text:
http://i-newswire.com/pr19707.html
http://www.ebcvg.com/press.php?id=965
Ich bin immer noch kein Spammer!
Aber sollte vielleicht einer werden :)
In diesem Sinne
Spreading: e-mail
The worm sends spam messages to e-mail addresses that it takes from files with the following extensions: pmr, phtm, stm, slk, inbox, imb, csv, bak, imh, xhtml, imm, imh, cms, nws, vcf, ctl, dhtm, cgi, pp, ppt, msg, jsp, oft, vbs, uin, ldb, abc, pst, cfg, mdw, mbx, mdx, mda, adp, nab, fdb, vap, dsp, ade, sln, dsw, mde, frm, bas, adr, cls, ini, ldif, log, mdb, xml, wsh, tbb, abx, abd, adb, pl, rtf, mmf, doc, ods, nch, xls, nsf, txt, wab, eml, hlp, mht, nfo, php, asp, shtml and dbx.
Messages are randomly generated from a large amount of text inside the virus body and come in two possible language variants, English and German.
Removing:
Removal consists of deleting the files that AVG reports as I-Worm/Sober and, in this case, removing the references to these files from the registry. The files must be deleted (either manually or by AVG) after booting Windows in DOS mode (Windows 9x) or Safe Mode (Windows NT/2000/XP).
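To locate the registry references described under Installation, the following added example (not part of the original entry) parses `reg query` output for the two Run keys and flags the SystemBoot and _SystemBoot values, plus any services.exe, smss.exe or csrss.exe started from outside system32. The sample output, drive letter and paths are constructed, and the function names are hypothetical.

```python
import ntpath
import re

# Indicators taken from the description above.
RUN_VALUE_NAMES = {"systemboot", "_systemboot"}
MASQUERADED_NAMES = {"services.exe", "smss.exe", "csrss.exe"}

# Constructed sample of `reg query` output; drive letter and paths are assumptions.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SystemBoot    REG_SZ    C:\WINDOWS\Help\Help\services.exe
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    _SystemBoot    REG_SZ    "C:\WINDOWS\Help\Help\services.exe"
    Updater    REG_SZ    C:\Program Files\Updater\csrss.exe /background
"""

VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4}REG_(?:EXPAND_)?SZ\s{4}(?P<data>.*)$")

def exe_path(data):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    data = data.strip()
    m = re.match(r'"([^"]+)"|(.+?\.exe)(?=\s|$)', data, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else data.split(" ")[0]

def scan_run_keys(reg_query_output):
    """Return (key, value name, path, reasons) for each suspicious Run entry."""
    findings, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        path = exe_path(m["data"])
        folder, base = ntpath.split(path.lower())
        reasons = []
        if m["name"].lower() in RUN_VALUE_NAMES:
            reasons.append("value name used by the worm")
        # The genuine services.exe, smss.exe and csrss.exe live in system32.
        if base in MASQUERADED_NAMES and ntpath.basename(folder) != "system32":
            reasons.append("system process name outside system32")
        if reasons:
            findings.append((key, m["name"], path, reasons))
    return findings

if __name__ == "__main__":
    for finding in scan_run_keys(SAMPLE_REG_QUERY):
        print(finding)
```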


