Home / malware Win32.Sober.D@mm
First posted on 21 November 2011.
Source: BitDefenderAliases :
Win32.Sober.D@mm is also known as N/A.
Explanation :
The worm comes by mail in the following form, in German or English language:
From:
Spoofed email address using one of these names:
Info, Center, UpDate, News, Help, Studio, Alert, Patch, Security
and one of these hosts:
microsoft.com, microsoft.de, microsoft.at, microsoft.ch, microsoft.li
For instance, a spoofed email address could be: Info@microsoft.com
Subject:
Microsoft Alert: Please Read!
or
Microsoft Alarm: Bitte Lesen!
Body text 1:
New MyDoom Virus Variant Detected!
A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet.
Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus.
The worm also has a backdoor Trojan capability.
By default, the Trojan component listens on port 13468.
Protection:
Please download this digitally signed attachment.
This Update includes the functionality of previously released patches.
Body text 2:
Neue Virus-Variante W32.Mydoom verbreitet sich schnell.
Eine neue Mydoom-Variante verbreitet sich derzeit rasend schnell im Internet.
Wie seine Vorgänger verschickt sich der Wurm von infizierten Windows-Rechnern per E-Mail an weitere Adressen.
Zudem installiert er auf infizierten Systemen einen gefährlichen Trojaner!
Führende Virenspezialisten melden bereis ein vermehrtes Aufkommen des W32.Mydoom alias W32.Novarg.
Bitte daten Sie Ihr System mit dem Patch ab, um sich vor diesem Schädling zu schützen!
Attachment:
Can be ZIP or EXE with the following names, may be followed by a few digits:
sys-patch
MS-UD
MS-Security
Security
Patch
Once executed, the worm copies itself to Windows System directory with a name built with a combination of the following words:
sys,host,dir,explorer,win,run,log,32,disc,crypt,data,diag,spool,service,smss32
Displays a message box with the following text:
This patch has been successfully installed.
or
This patch does not need to be installed on this system.
For example, if C:WindowsSystem is the Windows System directory, a worm name could be:
C:WindowsSystem
unspooldir.exe
The worm creates the following registry key so as to run each time Window starts:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun or RunOnce
with a value built using the same words above, pointing to the worm executable copied in Windows System directory.
For gathering email addresses, it search the system for files with the following extensions:
ini, log, mdb, tbb, abd, adb, pl, rtf, doc, xls, txt, wab, eml, php, asp, shtml, dbx, wab, tbb, abd, adb, pl
For sending mail, the worm uses two temporary files, that are the MIME encoding of the worm executable or zip:
%SYSTEM%wintmpx33.dat
%SYSTEM% emp32x.dataLast update 21 November 2011