
Win32.Sober.N@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Sober.N@mm is also known as N/A.

Explanation:

The worm arrives by email, written in German or English.
The sender's mail address is spoofed.

The subject of the mail is either "FwD: Ich bin's nochmal" or "I've_got your EMail on my_account!".
The body is either:
Verdammt,,,,
ich hatte vergessen Dir meinen Text mitzuschicken.
Aber bitte nicht woanders darueber Reden, ich wuerde mich dann zu Tode blamieren!
Ich melde mich.
Bis bald ;)
or:
Hello,
First, Very Sorry for my bad English.
Someone is sending your private e-mails on my address.
It's probably an e-mail provider error!
]-f
At time, I've got over 10 mails on my account, but the recipient are you.
I have copied all the mail text in the windows text-editor for you & zipped then.
Make sure, that this mails don't come in my mail-box again.
bye

The attachment is named either Private-Texte.zip or your_text.zip and contains a file named
mail.document.Datex-packed.exe.
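
A mail-gateway style check for the indicators listed above (the two subjects, the two attachment names and the file name inside the ZIP), as an added example that is not BitDefender's code. The function names and the sample message are constructed for illustration, and the sample ZIP member holds harmless text.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the description above (compared case-insensitively).
SUBJECTS = {"FwD: Ich bin's nochmal", "I've_got your EMail on my_account!"}
ZIP_NAMES = {"private-texte.zip", "your_text.zip"}
INNER_NAME = "mail.document.datex-packed.exe"


def sober_n_indicators(raw: bytes) -> list[str]:
    """Return the Sober.N indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ZIP_NAMES:
            hits.append("attachment-name")
        payload = part.get_payload(decode=True) or b""
        try:
            # Inspect the archive in memory; a renamed ZIP is still checked.
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = [m.lower() for m in zf.namelist()]
        except zipfile.BadZipFile:
            continue  # not a ZIP, or truncated: nothing more to inspect
        if INNER_NAME in members:
            hits.append("inner-exe")
    return hits


def build_sample(subject: str, zip_name: str, member: str) -> bytes:
    """Constructed test message; the ZIP member holds harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder, not malware")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Hello,")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample("FwD: Ich bin's nochmal", "Private-Texte.zip", INNER_NAME)
    print(sober_n_indicators(raw))
```

Because the sender address is spoofed, the check deliberately ignores the From header and relies only on the subject and attachment contents.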

To gather email addresses it searches files with the following extensions:
pmr,phtm,stm,slk,inbox,imb,csv,bak,imh,xhtml,imm,imh,cms,nws,vcf,ctl,dhtm,cgi,pp,ppt,msg,
jsp,oft,vbs,uin,ldb,abc,pst,cfg,mdw,mbx,mdx,mda,adp,nab,fdb,vap,dsp,ade,sln,dsw,mde,frm,bas,
adr,cls,ini,ldif,log,mdb,xml,wsh,tbb,abx,abd,adb,pl,rtf,mmf,doc,ods,nch,xls,nsf,txt,wab,eml,hlp,mht,
nfo,php,asp,shtml,dbx.

The worm will not send any email to an address containing the following strings:
@www,@from.,smtp-,@smtp.,ftp.,.dial.,.ppp.,anyone,@gmetref,sql.,someone,nothing,you@,user@,
reciver@,somebody,secure,whatever@,whoever@,anywhere,yourname,mustermann@,
mailer-daemon,variabel,noreply,-dav,law2,.qmail@,freeav,@ca.,abuse,winrar,domain.,host.,viren,
bitdefender,spybot,detection,ewido.,emsisoft,linux,@foo.,winzip,@example.,bellcore.,@arin,
@iana,@avp,icrosoft.,@sophos,@panda,@kaspers,free-av,antivir,virus,verizon.,@ikarus.,@nai.,
@messagelab,nlpmail01.,clock

Last update 21 November 2011
