
W32.SOBER.AA@MM
SPREADING IN THE WILD
Virus Name : W32.Sober.AA@mm
Alias : I-Worm.Sober.AA, W32/Sober.AA@mm, W32/Sober-AD, WORM_SOBER.AA, Sober.AA
Virus type : Internet worm
Threat level : Medium
Virus details :
Sober.AA is a mass-mailing worm that sends infected mails to e-mail addresses collected from the infected system. The worm uses its own SMTP engine to spread, so it does not depend on the victim's mail client. The infected mail is written in English or German.
The infected mail subject in English will be one of the following:
Error in your eMail
Your Updated Password!
The infected mail subject in German will be one of the following (English translation in parentheses; the German strings are kept exactly as the worm writes them):
Ihr Passwort wurde geaendert! (Your password has been changed!)
Fehlerhafte Mailzustellung (Faulty mail delivery)
Ihr Account wurde eingerichtet (Your account has been set up)
The infected mail attachment name in English will be one of the following:
Passw_Data.zip
Mail_Data.zip
The infected mail attachment name in German will be one of the following:
PDaten.zip
Anleitung.zip
The infected mail message body in English will be one of the following (reproduced verbatim, including the worm's own spelling and spacing):
You notified us that you have forgotten your password.We have changed your password to a random sequence of letters and digits! For more detailed information, see the attached password file ...
Your eMail has occurred an unknown error on our Server.Please read your mail and check the text.The full email is attached!
The infected mail message body in German will be one of the following (reproduced verbatim, English translation in parentheses):
Ihr Passwort wurde erfolgreich geaendert.Ihre neuen Account-Daten und Passwort befinden sich gesichert im Anhang! (Your password has been changed successfully. Your new account data and password are stored securely in the attachment!)
Diese Nachricht wurde Automatisch generiert. - Ihre EMail konnte nicht empfangen oder gesendet werden. (This message was generated automatically. - Your e-mail could not be received or sent.)
Danke das Sie sich fuer uns entschieden haben.Um ihren neuen Account zu aktivieren, folgen sie der kurzen Anleitung im Anhang. Es sind nur 2 Schritte noetig! (Thank you for choosing us. To activate your new account, follow the short instructions in the attachment. Only 2 steps are needed!)
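The subject, attachment and body strings above are usable as mail-gateway indicators. The following Python is an added example (not part of this description and not Solo's code) that parses a message, matches it against exactly the strings listed above and returns a verdict; the two sample messages and the four-byte fake zip payload are constructed inline, and the three-level verdict scheme is my own choice.

```python
"""Mail-gateway check for the Sober.AA lure strings listed above.

Added example (not Solo's or the worm's code): every lure string below is
copied from the description; the sample messages are constructed inline.
"""
import email
from email import policy
from email.message import EmailMessage

# Subjects, attachment names and body fragments quoted in the description,
# lower-cased so the match is case-insensitive.
LURE_SUBJECTS = {
    "error in your email",
    "your updated password!",
    "ihr passwort wurde geaendert!",
    "fehlerhafte mailzustellung",
    "ihr account wurde eingerichtet",
}
LURE_ATTACHMENTS = {"passw_data.zip", "mail_data.zip", "pdaten.zip", "anleitung.zip"}
LURE_BODY_FRAGMENTS = (
    "we have changed your password to a random sequence",
    "the full email is attached!",
    "ihr passwort wurde erfolgreich geaendert",
    "ihre email konnte nicht empfangen oder gesendet werden",
    "folgen sie der kurzen anleitung im anhang",
)


def _norm(s):
    """Lower-case and collapse whitespace so header folding does not defeat the match."""
    return " ".join((s or "").split()).lower()


def classify(raw):
    """Return a dict of indicator hits plus a verdict for one RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {
        "subject": _norm(msg["Subject"]) in LURE_SUBJECTS,
        "attachment": False,
        "body": False,
    }
    # The worm ships a .zip; match the declared file name on any MIME part.
    for part in msg.walk():
        name = part.get_filename()
        if name and _norm(name) in LURE_ATTACHMENTS:
            hits["attachment"] = True
    body = msg.get_body(preferencelist=("plain", "html"))
    text = _norm(body.get_content()) if body is not None else ""
    hits["body"] = any(frag in text for frag in LURE_BODY_FRAGMENTS)

    # Verdict scheme is an assumption: a lure attachment name together with a
    # lure subject or body is quarantined; a single indicator is held for review.
    if hits["attachment"] and (hits["subject"] or hits["body"]):
        hits["verdict"] = "sober.aa-lure"
    elif any((hits["subject"], hits["attachment"], hits["body"])):
        hits["verdict"] = "suspicious"
    else:
        hits["verdict"] = "clean"
    return hits


def make_sample(subject, body, attachment_name):
    """Build a constructed multipart message carrying a fake zip attachment."""
    m = EmailMessage()
    m["From"] = "noreply@example.com"
    m["To"] = "user@example.net"
    m["Subject"] = subject
    m.set_content(body)
    # Zip local-file-header magic plus padding: a constructed stand-in, not a real archive.
    m.add_attachment(b"PK\x03\x04" + b"\x00" * 26,
                     maintype="application", subtype="zip",
                     filename=attachment_name)
    return m.as_bytes()


# Constructed samples: one German lure as described above, one benign mail.
LURE_SAMPLE = make_sample(
    "Fehlerhafte Mailzustellung",
    "Diese Nachricht wurde Automatisch generiert. - Ihre EMail konnte nicht "
    "empfangen oder gesendet werden.",
    "PDaten.zip",
)
CLEAN_SAMPLE = make_sample(
    "Q3 planning notes",
    "Attached are the notes from today's meeting.",
    "notes.zip",
)

if __name__ == "__main__":
    for label, raw in (("lure", LURE_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, classify(raw))
```

Matching is deliberately done on the normalised subject, the declared attachment file name and the decoded text body rather than on raw bytes, so header folding, quoted-printable encoding and case changes in the lure do not evade it; a message that only matches one of the three indicators is held rather than dropped, since the English subjects in particular could occur in legitimate mail.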
When the infected e-mail attachment is executed, it displays a fake error message "WinZip Header is missing!" with the title "WinZip Self-Extractor" and copies itself to %WINDOWS%\PoolData\services.exe. It also drops SMSS.EXE, CSRSS.EXE and data files on the infected system. Note that services.exe, smss.exe and csrss.exe are also the names of legitimate Windows system processes that live under the System32 directory; the worm's copies are the ones under the PoolData directory. The worm then modifies the registry so that it is loaded automatically at the next startup. The registry modifications are:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"WinData" = "%WINDOWS%\PoolData\services.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"_WinData" = "%WINDOWS%\PoolData\services.exe"
Both values point at the same copy of the worm, one in the machine-wide Run key and one in the current user's Run key, so removing only one of them still leaves the worm able to start at the next logon.
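The two Run-key values and the PoolData file names above are the persistence indicators a responder checks for. The following Python is an added example (not part of this description and not Solo's code) that parses the text form of a "reg export" dump of the Run keys and scans a list of file paths for them; the registry dump and the file listing are constructed inline, and the rule that the dropped names are only flagged inside a PoolData directory is my assumption, chosen so the legitimate System32 processes of the same names are never reported.

```python
"""Host-side check for the Sober.AA persistence indicators described above.

Added example (not Solo's code). It parses the text form of a 'reg export'
dump and a list of file paths; both inputs below are constructed inline.
A real .reg export is UTF-16 with a BOM: decode it before calling parse_reg_export.
"""
import re

# The two Run keys named in the description, lower-cased for comparison.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
IOC_VALUE_NAMES = {"windata", "_windata"}
IOC_PATH_SUFFIX = r"\pooldata\services.exe"
# File names the description says are dropped; all three are also the names
# of legitimate Windows processes under System32, hence the PoolData rule below.
DROPPED_NAMES = {"services.exe", "smss.exe", "csrss.exe"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg text; string data is unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"   # "@" is the default value
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                # .reg string data escapes backslashes and quotes: "\\" -> "\", '\"' -> '"'
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def find_run_key_iocs(keys):
    """Return (key, value_name, data) for Run entries matching the worm's indicators."""
    hits = []
    for key, values in keys.items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            if name.lower() in IOC_VALUE_NAMES or data.lower().endswith(IOC_PATH_SUFFIX):
                hits.append((key, name, data))
    return hits


def find_dropped_files(paths):
    """Flag the dropped executables only inside a PoolData directory (assumption),
    so the real System32 copies of smss.exe, csrss.exe and services.exe are never reported."""
    hits = []
    for p in paths:
        folder, _, base = p.lower().rpartition("\\")
        if base in DROPPED_NAMES and folder.endswith("\\pooldata"):
            hits.append(p)
    return hits


# Constructed sample inputs (not captured from a real infection).
REG_DUMP = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinData"="C:\\WINDOWS\\PoolData\\services.exe"
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"_WinData"="C:\\WINDOWS\\PoolData\\services.exe"
"""
FILE_LISTING = [
    r"C:\WINDOWS\PoolData\services.exe",
    r"C:\WINDOWS\PoolData\smss.exe",
    r"C:\WINDOWS\system32\smss.exe",      # legitimate, must not be flagged
    r"C:\WINDOWS\system32\services.exe",  # legitimate, must not be flagged
]

if __name__ == "__main__":
    for hit in find_run_key_iocs(parse_reg_export(REG_DUMP)):
        print("Run key IOC:", hit)
    for path in find_dropped_files(FILE_LISTING):
        print("dropped file:", path)
```

Both Run keys are checked because the worm writes itself into HKLM and HKCU; the value-name match catches renamed copies of the executable, while the path-suffix match catches the case where the value has been renamed but still points into PoolData.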
The Sober.AA worm collects e-mail addresses from files with the following extensions:
.abc
.abd
.abx
.adb
.ade
.adp
.adr
.asp
.bak
.bas
.cfg
.cgi
.cls
.cms
.csv
.ctl
.dbx
.dhtm
.doc
.dsp
.dsw
.eml
.fdb
.frm
.hlp
.imb
.imh
.imm
.inbox
.ini
.jsp
.ldb
.ldif
.log
.mbx
.mda
.mdb
.mde
.mdw
.mdx
.mht
.mmf
.msg
.nab
.nch
.nfo
.nsf
.nws
.ods
.oft
.php
.phtm
.pl
.pmr
.pp
.ppt
.pst
.rtf
.shtml
.slk
.sln
.stm
.tbb
.txt
.uin
.vap
.vbs
.vcf
.wab
.wsh
.xhtml
.xls
.xml
This worm is also known as I-Worm.Sober.AA, W32/Sober.AA@mm, W32/Sober-AD, WORM_SOBER.AA, or Sober.AA. The Sober.AA variant appeared on 1st May 2007.
How can I protect my system?
Solo has incorporated W32.Sober.AA@mm in its signature file to protect users from this worm. Registered Solo Antivirus users are already protected from this worm. Make sure that you have installed the registered version of Solo Antivirus to protect your system from all virus threats.
How to remove this worm?
If you are already infected with this worm, you can remove it from your computer using Solo Antivirus software. Solo Antivirus can detect and remove W32.Sober.AA@mm safely. Use the following link to download the 30-day trial version of Solo Antivirus to remove viruses from your computer.

Solo Antivirus not only scans for all viruses, it also contains a unique System Integrity Checker to protect you from new Internet worms, backdoors and malicious VBScript and JavaScript. It also effectively removes all existing Internet worms, file viruses, malicious VBScript and JavaScript, Trojans, backdoors, boot sector, partition table and macro viruses.
You can
purchase Solo antivirus using the link 
