new Virus
شباب ديروا بالكوا منه :
Name:Win32.Sober.N@mmAliases:N/AType:Executable Worm Mass Mailer Size:73541 bytes (packed)Discovered:19.04.2005Detected:19.04.2005Spreading:HighDamage:MediumIn The Wild:Unknown
Symptoms:
Presence of files services.exe,zipped.wrm,maddys.xyz in %WINDOWS%\Config\system.
Presence of registry key:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or RunOnce with the value
"_SystemCheck" = %WINDOWS%\config\system\services.exe
Technical description:
The worm comes by mail in German or English .
The mail address of the sender is spoofed.
The subject of the mail is either FwD: Ich bin's nochmal or I've_got your EMail on my_account!.
The body is either :
Verdammt,,,,
ich hatte vergessen Dir meinen Text mitzuschicken.
Aber bitte nicht woanders darueber Reden, ich wuerde mich dann zu Tode blamieren!
Ich melde mich.
Bis bald
or:
Hello,
First, Very Sorry for my bad English.
Someone is sending your private e-mails on my address.
It's probably an e-mail provider error!
]-f
At time, I've got over 10 mails on my account, but the recipient are you.
I have copied all the mail text in the windows text-editor for you & zipped then.
Make sure, that this mails don't come in my mail-box again.
bye
The attached file is called either Private-Texte.zip or your_text.zip, containing a file named
mail.document.Datex-packed.exe.
To gather email addresses it searches files with the following extensions:
pmr,phtm,stm,slk,inbox,imb,csv,bak,imh,xhtml,imm,imh,cms,nws,vcf,ctl,dhtm,cgi,pp,ppt,msg,
jsp,oft,vbs,uin,ldb,abc,pst,cfg,mdw,mbx,mdx,mda,adp,nab,fdb,vap,dsp,ade,sln,dsw,mde,frm,bas,
adr,cls,ini,ldif,log,mdb,xml,wsh,tbb,abx,abd,adb,pl,rtf,mmf,doc,ods,nch,xls,nsf,txt,wab,eml,hlp,mht,
nfo,php,asp,shtml,dbx.
The worm will not send any email to an address containing the following strings:
@www,@from.,smtp-,@smtp.,ftp.,.dial.,.ppp.,anyone,@gmetref,sql.,someone,nothing,you@,user@,
reciver@,somebody,secure,whatever@,whoever@,anywhere,yourname,mustermann@,
mailer-daemon,variabel,noreply,-dav,law2,.qmail@,freeav,@ca.,abuse,winrar,domain.,host.,viren,
bitdefender,spybot,detection,ewido.,emsisoft,linux,@foo.,winzip,@example.,bellcore.,@arin,
@iana,@avp,icrosoft.,@sophos,@panda,@kaspers,free-av,antivir,virus,verizon.,@ikarus.,@nai.,
@messagelab,nlpmail01.,clock
Removal instructions:
Manual removal:
Identify and kill the process ( if active ), then remove the registry keys and files from the system.
Automatic removal: let BitDefender disinfect infected files.
Removal tool:
N/A Virus analyzed by:
Alexandru Carp,
BitDefender Virus Researcher
