Home / malwarePDF  

Win32.Sober.Y@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Win32.Sober.Y@mm.

Explanation :

The worm comes as a ZIP archive in the infected email, containing an executable of 140064 bytes. Once executed, a fake error message is shown in order to make the user believe the file is damaged, and nothing happend with the executed file. The error message looks like this:


Actually, the worm starts its job by dropping a file named services.exe in %WINDIR%ConnectionStatusMicrosoft folder. Another file located in the same directory will be used to collect email addresses found on the infected computer. The following file types are parsed in order to find email addresses:
pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbxThe worm uses the registry entries specified above in order to assure that it will be executed at every Windows startup.

Infected email details (one of the following):

SUBJECT: Your eMail Password BODY: Thanks for your registration! Your registration will not be complete until you re-confirm it. Please read the following agreement. If you accept it, click the "accept" to complete your registration! ATTACHMENT: Accept_e-Text.zip
or:

SUBJECT: Wichtig: Meine neue Mail Addresse!
BODY: hi du,,, ike bin et

Musste mir leider ne neue Mail-Addy machen. Meine alte wird nur noch zu gemuellt mit Spam.
Habe dir auch gleich die Datei mitgeliefert die du immer haben wolltest. Ist aber ziemlich per....
Ok, man sieht sich

ATTACHMENT: Mail-Datei.zip

The attachments contain an executable file named accept_emailTextData.exe, that looks like this:


It uses a predefined list of people names and mail account usernames to build spoofed email addresses that will be used as Sender in the infected emails.

Last update 21 November 2011

 

TOP