This worm spreads via the Internet as an attachment to infected messages.
It sends itself to email addresses harvested from the victim computer.
The worm itself is a Windows PE EXE file, written in Visual Basic and packed
using UPX. The packed file is approximately 53KB in size, and the unpacked file
is approximately 185KB in size.
Installation
Once launched, the worm displays the following error message:
When installing, the worm copies itself to the following directories under
the names listed below:
%Windir%\Connection Wizard\Status\csrss.exe
%Windir%\Connection Wizard\Status\services.exe
%Windir%\Connection Wizard\Status\smss.exe
It also writes base64-encoded copies of itself to the following files:
%Windir%\Connection Wizard\Status\packed1.sbr
%Windir%\Connection Wizard\Status\packed2.sbr
%Windir%\Connection Wizard\Status\packed3.sbr
It creates the following files, which it uses to store the email addresses it
harvests from the victim machine:
%Windir%\Connection Wizard\Status\sacri1.ggg
%Windir%\Connection Wizard\Status\sacri2.ggg
%Windir%\Connection Wizard\Status\sacri3.ggg
%Windir%\Connection Wizard\Status\voner1.von
%Windir%\Connection Wizard\Status\voner2.von
%Windir%\Connection Wizard\Status\voner3.von
It also creates the following files:
%Windir%\Connection Wizard\Status\fastso.ber
%System%\adcmmmmq.hjg
%System%\langeinf.lin
%System%\nonrunso.ber
%System%\seppelmx.smx
%System%\xcvfpokd.tqa
The worm then adds two autorun values to the system registry so that a copy of
the worm is launched every time Windows starts on the victim machine:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WinStart" = "%Windir%\Connection Wizard\Status\services.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"_WinStart" = "%Windir%\Connection Wizard\Status\services.exe"
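The dropped files and the two Run values listed above are enough for a host triage check. The following Python is an added example and not part of the original description: it expands the %Windir% and %System% placeholders (the C:\WINDOWS and C:\WINDOWS\system32 defaults are assumptions), flags any of the listed files, confirms that a .sbr file really is a base64-encoded PE by decoding it and checking for the MZ header, and matches the two autorun values only when they point into the Connection Wizard\Status directory. The host snapshot in demo() is constructed; nothing is read from a live system.

```python
import base64
import re

# Artifacts from the description above. %Windir% and %System% are expanded by
# expand(); the default expansions are assumptions for a typical install.
WORM_FILES = [
    r"%Windir%\Connection Wizard\Status\csrss.exe",
    r"%Windir%\Connection Wizard\Status\services.exe",
    r"%Windir%\Connection Wizard\Status\smss.exe",
    r"%Windir%\Connection Wizard\Status\packed1.sbr",
    r"%Windir%\Connection Wizard\Status\packed2.sbr",
    r"%Windir%\Connection Wizard\Status\packed3.sbr",
    r"%Windir%\Connection Wizard\Status\sacri1.ggg",
    r"%Windir%\Connection Wizard\Status\sacri2.ggg",
    r"%Windir%\Connection Wizard\Status\sacri3.ggg",
    r"%Windir%\Connection Wizard\Status\voner1.von",
    r"%Windir%\Connection Wizard\Status\voner2.von",
    r"%Windir%\Connection Wizard\Status\voner3.von",
    r"%Windir%\Connection Wizard\Status\fastso.ber",
    r"%System%\adcmmmmq.hjg",
    r"%System%\langeinf.lin",
    r"%System%\nonrunso.ber",
    r"%System%\seppelmx.smx",
    r"%System%\xcvfpokd.tqa",
]
# (key, value name) pairs, lower-cased for case-insensitive comparison.
RUN_VALUES = {
    (r"hklm\software\microsoft\windows\currentversion\run", "winstart"),
    (r"hkcu\software\microsoft\windows\currentversion\run", "_winstart"),
}


def expand(path, windir=r"C:\WINDOWS", system=r"C:\WINDOWS\system32"):
    """Expand the placeholders and normalise case for comparison."""
    return path.replace("%Windir%", windir).replace("%System%", system).lower()


def looks_like_base64_pe(blob: bytes) -> bool:
    """True if blob is base64 text that decodes to a PE image (MZ header)."""
    text = b"".join(blob.split())  # tolerate line breaks inside the file
    if not re.fullmatch(rb"[A-Za-z0-9+/]+=*", text):
        return False
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return raw[:2] == b"MZ"


def triage(listing, run_entries, read_file):
    """listing: iterable of full file paths; run_entries: {(key, name): data};
    read_file: callable returning a file's bytes. Returns a list of findings."""
    present = {p.lower() for p in listing}
    findings = []
    for p in WORM_FILES:
        full = expand(p)
        if full not in present:
            continue
        note = "file present: " + full
        if full.endswith(".sbr") and looks_like_base64_pe(read_file(full)):
            note += " (base64-encoded PE)"
        findings.append(note)
    for (key, name), data in run_entries.items():
        if (key.lower(), name.lower()) in RUN_VALUES and \
                "\\connection wizard\\status\\" in data.lower():
            findings.append(f"autorun: {key}\\{name} = {data}")
    return findings


def demo():
    """Constructed host snapshot: two worm copies, one base64 copy, one %System%
    file, the HKLM Run value, and the genuine csrss.exe in system32."""
    status = r"C:\WINDOWS\Connection Wizard\Status"
    b64_copy = base64.b64encode(b"MZ" + bytes(62))  # stand-in for the worm PE
    files = {
        status + r"\csrss.exe": b"MZ",
        status + r"\services.exe": b"MZ",
        status + r"\packed1.sbr": b64_copy,
        r"C:\WINDOWS\system32\langeinf.lin": b"",
        r"C:\WINDOWS\system32\csrss.exe": b"MZ",  # legitimate, must not match
    }
    run = {
        (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "WinStart"):
            status + r"\services.exe",
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon"):
            r"C:\WINDOWS\system32\ctfmon.exe",  # unrelated autorun, ignored
    }
    lookup = {k.lower(): v for k, v in files.items()}
    return triage(files.keys(), run, lambda p: lookup.get(p, b""))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The base64 check matters because the .sbr files carry no executable extension and would be missed by a scan that keys on .exe alone; decoding and looking for the MZ magic is cheap and does not depend on the packer or on the file name.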
Propagation via email
The worm harvests email addresses from the Windows address books and from
files with the following extensions:
abc
abd
abx
adb
ade
adp
adr
asp
bak
bas
cfg
cgi
cls
cms
csv
ctl
dbx
dhtm
doc
dsp
dsw
eml
fdb
frm
hlp
imb
imh
imm
inbox
ini
jsp
ldb
ldif
log
mbx
mda
mdb
mde
mdw
mdx
mht
mmf
msg
nab
nch
nfo
nsf
nws
ods
oft
php
phtm
pl
pmr
pp
ppt
pst
rtf
shtml
slk
sln
stm
tbb
txt
uin
vap
vbs
vcf
wab
wsh
xhtml
xls
xml
It then sends itself to the harvested addresses using its own SMTP engine,
connecting directly to each recipient's mail server rather than going through
the mail client installed on the victim machine.
The worm does not send messages to addresses that contain any of the following
substrings (this keeps it away from antivirus vendors, abuse and administrative
mailboxes, and placeholder addresses such as user@ or test@):
.dial.
.kundenserver.
.ppp.
.qmail@
.sul.t-
@arin
@avp
@ca.
@example.
@foo.
@from.
@gmetref
@iana
@ikarus.
@kaspers
@messagelab
@nai.
@panda
@smtp.
@sophos
@www
abuse
announce
antivir
anyone
anywhere
bellcore.
bitdefender
clock
detection
domain.
emsisoft
ewido.
freeav
free-av
ftp.
gold-certs
google
host.
iana-
icrosoft.
info@
ipt.aol
law2
linux
mailer-daemon
mozilla
mustermann@
nlpmail01.
noreply
nothing
ntp-
ntp.
ntp@
reciver@
secure
smtp-
somebody
someone
spybot
sql.
subscribe
support
t-dialin
test@
time
t-ipconnect
user@
variabel
verizon.
viren
virus
whatever@
whoever@
winrar
winzip
you@
yourname
#NAME?
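The two lists above (file extensions that are searched, substrings that cause an address to be skipped) describe the worm's target selection. The following Python is an added example, not the worm's code and not part of the original page: it rebuilds that selection so that an analyst can see which addresses in a set of files the worm would actually mail. The extension list and the skip list are copied from above (the stray "#NAME?" entry is omitted); case-insensitive matching, the address regex, and the sample files in demo() are assumptions and constructed data.

```python
import re

# Extensions the worm searches (from the list above).
HARVEST_EXTENSIONS = set("""
abc abd abx adb ade adp adr asp bak bas cfg cgi cls cms csv ctl dbx dhtm doc dsp
dsw eml fdb frm hlp imb imh imm inbox ini jsp ldb ldif log mbx mda mdb mde mdw mdx
mht mmf msg nab nch nfo nsf nws ods oft php phtm pl pmr pp ppt pst rtf shtml slk
sln stm tbb txt uin vap vbs vcf wab wsh xhtml xls xml
""".split())

# Substrings that cause an address to be skipped (from the list above).
SKIP_SUBSTRINGS = """
.dial. .kundenserver. .ppp. .qmail@ .sul.t- @arin @avp @ca. @example. @foo. @from.
@gmetref @iana @ikarus. @kaspers @messagelab @nai. @panda @smtp. @sophos @www
abuse announce antivir anyone anywhere bellcore. bitdefender clock detection
domain. emsisoft ewido. freeav free-av ftp. gold-certs google host. iana-
icrosoft. info@ ipt.aol law2 linux mailer-daemon mozilla mustermann@ nlpmail01.
noreply nothing ntp- ntp. ntp@ reciver@ secure smtp- somebody someone spybot sql.
subscribe support t-dialin test@ time t-ipconnect user@ variabel verizon. viren
virus whatever@ whoever@ winrar winzip you@ yourname
""".split()

# Simple address pattern; an assumption, the worm's own scanner is not described.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_harvested_file(filename: str) -> bool:
    """True if the file's extension is one the worm opens (case-insensitive)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in HARVEST_EXTENSIONS


def is_skipped(address: str) -> bool:
    """True if any skip substring occurs in the address (case-insensitive,
    an assumption). Note how broad entries like 'time' or 'secure' are."""
    a = address.lower()
    return any(s in a for s in SKIP_SUBSTRINGS)


def harvest(files: dict) -> dict:
    """files: {filename: text}. Returns {address: 'target' | 'skipped'} for
    every address found in a file the worm would open."""
    result = {}
    for name, text in files.items():
        if not is_harvested_file(name):
            continue
        for addr in ADDRESS_RE.findall(text):
            result[addr] = "skipped" if is_skipped(addr) else "target"
    return result


def demo():
    """Constructed sample files, not real data."""
    sample = {
        "readme.txt": "Contact alice@firma.de or abuse@isp.net; "
                      "support@vendor.com, bob@kaspersky.com",
        "Contacts.CSV": "carol@mail.de,user@host.org,dave@t-dialin.net",
        "notes.jpg": "erin@nowhere.org",   # .jpg is not searched
    }
    return harvest(sample)


if __name__ == "__main__":
    for addr, verdict in sorted(demo().items()):
        print(f"{verdict:8} {addr}")
```

Running demo() shows that of the seven addresses in searched files only alice@firma.de and carol@mail.de are mailed: the vendor, abuse and support mailboxes are skipped by substring, and the address in the .jpg is never read. The same filter is useful in reverse, as a seed list for honeypot addresses that this family will never touch and that a different sender therefore reveals.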
Infected messages
The worm sends infected messages with an attached zip archive. The attachment
contains the worm's executable file. Messages are either in English or German.
Message subject (chosen at random from the list below; English glosses in
square brackets):
FwD: Glueckwunsch: Ihr WM Ticket [Congratulations: your World Cup ticket]
FwD: Ich bin's, was zum lachen ;) [It's me, something to laugh about ;)]
FwD: Ihr Passwort [Your password]
FwD: Ihre E-Mail wurde verweigert [Your e-mail was rejected]
FwD: WM Ticket Verlosung [World Cup ticket draw]
FwD: WM-Ticket-Auslosung [World Cup ticket draw]
Re: mailing error
Re: Registration Confirmation
Re: Your email was blocked
Re: Your Password
Message body (chosen at random from the list below; the German texts are
reproduced as sent, with English glosses in square brackets):
Passwort und Benutzer-Informationen befinden sich in der beigefuegten Anlage.
http:/ /www.[random domain]
*-* MailTo: PasswordHelp
[Password and user information are in the attached file.]
Diese E-Mail wurde automatisch erzeugt
Mehr Information finden Sie unter http:/ /www.[random domain]
Folgende Fehler sind aufgetreten:
Fehler konnte nicht Explicit ermittelt werden
Aus Datenschutzrechtlichen Gruenden, muss die vollstaendige E-Mail incl. Daten
gezippt & angehaengt werden.
Wir bitten Sie, dieses zu beruecksichtigen.
Auto ReMailer#
[This e-mail was generated automatically. More information at http:/ /www.[random domain].
The following errors occurred: the error could not be determined precisely.
For data-protection reasons the complete e-mail, including data, has to be
zipped and attached. Please bear this in mind.]
Nun sieh dir das mal an
Was ein Ferkel ....
[Now take a look at this. What a pig ....]
Herzlichen Glueckwunsch,
beim Run auf die begehrten Tickets für die 64 Spiele der Weltmeisterschaft 2006
in Deutschland sind Sie
dabei. Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.
St. Rainer Gellhaus
--- Pressesprecher Jens Grittner und Gerd Graus
--- FIFA Fussball-Weltmeisterschaft 2006
--- Organisationskomitee Deutschland
--- Tel. 069 / 2006 - 2600
--- Jens.Grittner@ok2006.de
--- Gerd.Graus@ok2006.de
[Congratulations, you are in on the rush for the sought-after tickets for the
64 matches of the 2006 World Cup in Germany. Please see the attachment for
further details of your data. Signed in the name of press spokesmen Jens
Grittner and Gerd Graus, FIFA World Cup 2006, Organising Committee Germany.]
Account and Password Information are attached!
Visit: http:/ /www.[random domain]
This is an automatically generated E-Mail Delivery Status Notification.
Mail-Header, Mail-Body and Error Description are attached
Signature (chosen at random from the list below; English glosses in square
brackets):
AntiVirus: Kein Virus gefunden [No virus found]
AntiVirus: No Virus found
AntiVirus-System: Kein Virus erkannt [No virus detected]
Attachment-Scanner: Status OK
Mail-Scanner: Es wurde kein Virus festgestellt [No virus was found]
Server-AntiVirus: No Virus (Clean) http:/ /www.[random domain]
WebSite: http:/ /www.[random domain]
Attachment name (chosen at random from the list below):
_PassWort-Info.zip
account_info.zip
account_info-text.zip
autoemail-text.zip
error-mail_info.zip
Fifa_Info-Text.zip
free_PassWort-Info.zip
LOL.zip
mail_info.zip
okTicket-info.zip
our_secret.zip
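The subject, signature and attachment-name lists above are fixed strings, which makes them usable as mail-gateway indicators. The following Python is an added example, not part of the original page: it parses a message with the standard library, matches the subject and attachment name against the lists, looks for the fake "no virus found" signature lines in the body (the random-domain variant is matched by its fixed prefix), and, instead of trusting the file name, opens any zip attachment and reports members whose first two bytes are the PE "MZ" magic. The message built by build_sample() is constructed from the lists above; its sender, recipient and the executable inside the zip are stand-ins, not captured data.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Strings from the lists above.
SUBJECTS = {
    "FwD: Glueckwunsch: Ihr WM Ticket", "FwD: Ich bin's, was zum lachen ;)",
    "FwD: Ihr Passwort", "FwD: Ihre E-Mail wurde verweigert",
    "FwD: WM Ticket Verlosung", "FwD: WM-Ticket-Auslosung",
    "Re: mailing error", "Re: Registration Confirmation",
    "Re: Your email was blocked", "Re: Your Password",
}
ATTACHMENTS = {
    "_PassWort-Info.zip", "account_info.zip", "account_info-text.zip",
    "autoemail-text.zip", "error-mail_info.zip", "Fifa_Info-Text.zip",
    "free_PassWort-Info.zip", "LOL.zip", "mail_info.zip", "okTicket-info.zip",
    "our_secret.zip",
}
SIGNATURES = [  # the random-domain variant is matched on its fixed prefix
    "AntiVirus: Kein Virus gefunden", "AntiVirus: No Virus found",
    "AntiVirus-System: Kein Virus erkannt", "Attachment-Scanner: Status OK",
    "Mail-Scanner: Es wurde kein Virus festgestellt",
    "Server-AntiVirus: No Virus (Clean)",
]


def pe_members(zip_bytes: bytes) -> list:
    """Names of zip members that start with the PE 'MZ' magic, whatever
    their extension. Returns [] for data that is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
            names = []
            for n in z.namelist():
                with z.open(n) as f:
                    if f.read(2) == b"MZ":
                        names.append(n)
            return names
    except zipfile.BadZipFile:
        return []


def indicators(raw: bytes) -> dict:
    """Return the campaign indicators present in one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {}
    subject = str(msg["Subject"] or "")
    if subject in SUBJECTS:
        hits["subject"] = subject
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    found = [s for s in SIGNATURES if s in text]
    if found:
        hits["signature"] = found
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name in ATTACHMENTS:
            hits["attachment"] = name
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK"):  # zip local-file-header magic
            pes = pe_members(payload)
            if pes:
                hits["zipped_pe"] = pes
    return hits


def build_sample() -> bytes:
    """Constructed message assembled from the lists above (not a capture)."""
    msg = EmailMessage()
    msg["From"] = "PasswordHelp@firma.de"   # stand-in sender
    msg["To"] = "alice@firma.de"            # stand-in recipient
    msg["Subject"] = "FwD: Ihr Passwort"
    msg.set_content(
        "Passwort und Benutzer-Informationen befinden sich in der "
        "beigefuegten Anlage.\n\nAntiVirus: Kein Virus gefunden\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("PassWort-Info.exe", b"MZ" + bytes(62))  # stand-in for the PE
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="_PassWort-Info.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(indicators(build_sample()))
```

Matching on several independent indicators (subject, attachment name, signature line, executable inside the zip) is deliberate: the subject and attachment lists change between variants of this family, while a zipped PE beneath a "no virus found" line is a stable trait, so a rule that requires two or more of these hits keeps working when only one list is refreshed.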