Win32.Sober.B@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
There are no other names known for Win32.Sober.B@mm.
Explanation:
This virus was written in Visual Basic and packed with UPX; many of the strings in its body are encrypted.
It arrives attached to an email; the format of the email may vary; here are some possibilities:
(German version):
Subject:
Hihi, ich war auf deinem Computer
Du bist Ge-Hackt worden
Ich habe Sie Ge-hackt
Der Kannibale von Rotenburg
Attachment:
Daten-Text.pif
DateiList.pif
Server.com
(English version):
Subject:
George W. Bush plans new wars
George W. Bush wants a new war
You Got Hacked
Have you been hacked?
Attachment:
www.gwbush-new-wars.com
www.hcket-user-pcs.com
yourlist.pif
allfiles.cmd
When run, it will sometimes display the following message:
It will create one or more copies of itself in the Windows System folder (using one of multiple possible names) and a registry entry (as described in Symptoms) that will run the virus at start-up.
The virus may run multiple copies of itself that monitor each other and respawn any instance that the user terminates; it also monitors whether the registry entry has been deleted and re-creates it if so.
Sometimes, if the user tries to terminate one of its instances, the virus creates many copies of itself in the Windows System folder under random 8-digit names with .exe extensions and runs them one after another, each for only a short time before the next is started.
The virus looks for email addresses in files with one of the following extensions: htt, rtf, doc, xls, ini, mdb, txt, htm, html, wab, pst, fdb, cfg, ldb, eml, abc, ldif, nab, adp, mdw, mda, mde, ade, sln, dsw, dsp, vap, php, nsf, asp, shtml, shtm, dbx, hlp, mht, nfo.
It sends messages in the format described above using its own SMTP client functions. The harvested email addresses are stored in the file mscolmon.ocx in the Windows System folder.
It overwrites the start of files shared with Kazaa (and possibly other file-sharing applications) with its body, and it may propagate over these networks.
Last update: 21 November 2011
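A small triage check for the two on-disk indicators this description gives (random 8-digit .exe copies and the mscolmon.ocx address store in the Windows System folder). This is an added example, not BitDefender's code; `find_sober_b_artifacts` and `demo` are names chosen here, and `demo` scans a constructed temporary directory rather than a real system folder.

```python
import os
import re
import tempfile

# Indicators taken from the description above: copies dropped under random
# 8-digit names with an .exe extension, and the harvested-address file
# mscolmon.ocx, both in the Windows System folder.
RANDOM_COPY_NAME = re.compile(r"^\d{8}\.exe$", re.IGNORECASE)
ADDRESS_STORE_NAME = "mscolmon.ocx"


def find_sober_b_artifacts(system_dir):
    """Scan one directory and report file names matching the indicators.

    Returns a dict with the sorted list of 8-digit .exe names found and a
    flag saying whether mscolmon.ocx is present. A match is a lead for
    further analysis, not proof of infection on its own.
    """
    findings = {"random_exe": [], "address_store": False}
    for name in sorted(os.listdir(system_dir)):
        if RANDOM_COPY_NAME.match(name):
            findings["random_exe"].append(name)
        elif name.lower() == ADDRESS_STORE_NAME:
            findings["address_store"] = True
    return findings


def demo():
    """Run the scan over a constructed directory (empty files, no malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("12345678.exe", "87654321.EXE", "kernel32.dll",
                     "1234.exe", ADDRESS_STORE_NAME):
            open(os.path.join(tmp, name), "w").close()
        return find_sober_b_artifacts(tmp)


if __name__ == "__main__":
    # On a real host you would pass the Windows System folder instead.
    print(demo())
```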