

Email-Worm.Win32.Sober.j


CyberScrub AntiVirus
Research Bank

This worm spreads via the Internet as an attachment to infected messages. It sends itself to all email addresses found on the victim machine. The worm itself is a PE EXE file. It is written in Visual Basic and packed using UPX. The packed file is approximately 43 KB in size (this may vary slightly). The unpacked file is approximately 140 KB in size.

Installation

Once launched, the worm opens Windows Notepad, which displays a random selection of characters.

During installation the worm copies itself to the Windows system directory under a random name made up of words chosen from the following list:

  • 32
  • crypt
  • data
  • diag
  • dir
  • disc
  • expoler
  • host
  • log
  • run
  • service
  • smss32
  • spool
  • sys
  • win

For example: %System%\cryptdialog.exe

It then registers itself in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<random key name>" = "%System%\<name of worm file>"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<random key name>:" = "%System%\<name of worm file>"

The worm also creates several additional files in the Windows system directory under the following names:

  • %System%\datamx.dam
  • %System%\dgsfzipp.gmx
  • %System%\dgssxy.yoi
  • %System%\nonrunso.ber
  • %System%\Odin-Anon.Ger
  • %System%\read.me
  • %System%\sysmms32.lla
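
The installation artifacts above can be turned into a host triage check. The following is an added example, not code from the original page or from any vendor tool: it takes an exported set of Run-key values and a listing of the system directory, and flags Run entries whose file name is built from the listed words as well as any of the listed marker files. The function name `triage`, the sample data, the default system directory and the two-word minimum are assumptions made for the example.

```python
import ntpath
import re

# Name fragments and marker files exactly as listed on this page.
WORDS = ["32", "crypt", "data", "diag", "dir", "disc", "expoler", "host",
         "log", "run", "service", "smss32", "spool", "sys", "win"]
MARKERS = {"datamx.dam", "dgsfzipp.gmx", "dgssxy.yoi", "nonrunso.ber",
           "odin-anon.ger", "read.me", "sysmms32.lla"}

# Assumption: a generated name is two or more listed words back to back,
# followed by .exe. Regex backtracking tries every possible split.
NAME_RE = re.compile(
    r"(?:%s){2,}\.exe" % "|".join(map(re.escape, WORDS)), re.I)


def triage(run_values, system_files, system_dir=r"C:\WINDOWS\system32"):
    """Return (suspect Run entries, marker files present).

    run_values   -- {value name: command} merged from the HKLM and HKCU
                    ...\\CurrentVersion\\Run keys (hypothetical export)
    system_files -- file names found directly in the system directory
    """
    sysdir = system_dir.lower()
    suspects = []
    for value_name, command in run_values.items():
        path = command.strip().strip('"')
        folder, leaf = ntpath.split(path)   # Windows path rules on any OS
        if folder.lower() == sysdir and NAME_RE.fullmatch(leaf):
            suspects.append((value_name, path))
    present = sorted(f for f in system_files if f.lower() in MARKERS)
    return suspects, present


# Constructed sample input, not taken from a real host.
SAMPLE_RUN = {
    "hostdiagsys": r"C:\WINDOWS\system32\spoolcryptwin.exe",
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "example": r"C:\WINDOWS\system32\cryptdialog.exe",  # the page's example
}
SAMPLE_FILES = ["kernel32.dll", "nonrunso.ber", "Odin-Anon.Ger", "notepad.exe"]

if __name__ == "__main__":
    hits, markers = triage(SAMPLE_RUN, SAMPLE_FILES)
    print("Suspect Run entries:", hits)
    print("Marker files present:", markers)
```

The page's own example name, cryptdialog.exe, does not split into the listed words, so the name pattern is a heuristic that can miss variants. The marker files are the more reliable indicator, and a hit on either should lead to inspection of the referenced executable.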

Propagation via email

The worm scans MS Windows address books for email addresses, and all files with the following extensions:

  • abc
  • abd
  • abx
  • adb
  • ade
  • adp
  • adr
  • asp
  • bak
  • bas
  • cfg
  • cgi
  • cls
  • cms
  • csv
  • ctl
  • dbx
  • dhtm
  • doc
  • dsp
  • dsw
  • eml
  • fdb
  • frm
  • hlp
  • imb
  • imh
  • imh
  • imm
  • inbox
  • ini
  • jsp
  • ldb
  • ldif
  • log
  • mbx
  • mda
  • mdb
  • mde
  • mdw
  • mdx
  • mht
  • mmf
  • msg
  • nab
  • nch
  • nfo
  • nsf
  • nws
  • ods
  • oft
  • php
  • pl
  • pmr
  • pp
  • ppt
  • pst
  • rtf
  • shtml
  • slk
  • sln
  • stm
  • tbb
  • txt
  • uin
  • vap
  • vbs
  • vcf
  • wab
  • wsh
  • xhtml
  • xls
  • xml

and sends itself to email addresses harvested from these files. The worm connects to the recipient's SMTP server in order to send messages.

It will not send messages to addresses which contain the following text strings:

  • .dial.
  • .kundenserver.
  • .ppp.
  • .qmail@
  • .sul.t-
  • @arin
  • @avp
  • @ca.
  • @example.
  • @foo.
  • @from.
  • @gmetref
  • @iana
  • @ikarus.
  • @kaspers
  • @messagelab
  • @nai.
  • @panda
  • @smtp.
  • @sophos
  • @www
  • abuse
  • announce
  • antivir
  • anyone
  • anywhere
  • bellcore.
  • bitdefender
  • clock
  • -dav
  • detection
  • domain.
  • emsisoft
  • ewido.
  • freeav
  • free-av
  • ftp.
  • gold-certs
  • google
  • host.
  • icrosoft.
  • info@
  • ipt.aol
  • law2
  • linux
  • mailer-daemon
  • me@
  • mozilla
  • mustermann@
  • nlpmail01.
  • noreply
  • nothing
  • ntp-
  • ntp.
  • ntp@
  • office
  • password
  • postmas
  • reciver@
  • secure
  • service
  • smtp-
  • somebody
  • someone
  • spybot
  • sql.
  • subscribe
  • support
  • t-dialin
  • test@
  • time
  • t-ipconnect
  • user@
  • variabel
  • verizon.
  • viren
  • virus
  • whatever@
  • whoever@
  • winrar
  • winzip
  • you@
  • yourname

Infected messages

Message subject (chosen from the list below):
  • I've got YOUR email on my account!!
  • Ey du DOOF Nase, warum beantw...

Message body (chosen at random from those listed below):
  • Hello,
    First, Sorry for my very bad English!
    Someone send your private mails on my email account!
    I think it's an Mail-Provider or SMTP error.
    Normally, I delete such emails immediately, but in the mail-text is a
    name & adress. I think it's your name and adress.
    In the last 8 days i've got 7 mails in my mail-box, but the recipient
    are you, not me. lol
    OK, I've copied all email text in the Windows Text-Editor and i've
    zipped the text file with WinZip.
    The sender of this mails is in the text file, too.
    bye
  • Warum beantwortest Du meine E-Mails nicht?
    Kommen meine Mails nicht mehr bei dir an oder so???
    Habe mir jetzt extra eine neue Mail Adresse bei GMX gemacht!
    Ich hoffe mal, das sie jetzt zu dir durch dringen wird.
    In meinen anderen Mails habe ich einige Wichtige Dinge
    niedergeschrieben, hatte aber keine Lust alles nochmal zu schreiben.
    Deshalb habe ich die alten Mail-Texte im Texteditor kopiert und mit
    Winzip kleiner gemacht.
    Lesen und diesmal auch bescheid geben!!!!
    tschau.....

Attachment (chosen from the list below):
  • text.zip
  • texte.zip

Attachments will have one of the following extensions:

  • bat
  • com
  • pif
  • scr
  • zip
