Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


a² Malware-Info: Worm.Win32.Sober.I

  • Please log in to reply
2 replies to this topic

#1 Scarlett


    Bleeping Diva

  • Members
  • 7,479 posts
  • Gender:Female
  • Location:As always I'm beside myself ;)
  • Local time:01:33 PM

Posted 20 November 2004 - 01:56 PM

Alert from a²

Sober.I can be detected and removed with a² Free and a² Personal with the latest
signature updates. The latest versiona² Personal background guard will block the
worm if it is started. Please run the a² Online-Update immediately and ensure
that the new automatic update feature in a² Personal is enabled.

Presence of files winsend32.dal,winroot64.dal,cvqaikxt.apk,sysmms32.lla,dgssxy.yoi,zippedsr.piz,nonzipsr.noz,
winexerun.dal, winmprot.dal,clonzips.ssc,clsobern.isc,sb2run.dii in %SYSDIR%.
Presence of registry key:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or RunOnce with a value created with the following words:
sys,host,dir,expoler,win,run,log,32,disc,crypt,data,diag,spool,service,smss32 pointing to a file in the Windows directory created
with the same rules. For example:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\host = c:\winnt\system32\disclogexpoler.exe

Technical description:
The worm comes by mail in German or English language.
The mail address of the sender is spoofed.

The message body is generated from various templates, using information about the targeted user (such as the domain name).These templates contain the following strings (though the final mail may contain more text):

I was surprised, too!
Who_could_suspect_something_like_that? bleepyiiiii
Your password was changed successfully!
Protected message is attached!
This mail was generated automatically.
Diese Information ist geschützt durch ein Passwort!
Diese E-Mail wurde automatisch generiert.
Da Sie uns Ihre Persönlichen Daten zugesandt haben, ist das Passwort Ihr Geburts- Datum.
Viel Vergnügen mit unserem Angebot!
Folgende Fehler wurden aufgezeichnet:
Aus Datenschutzrechtlichen Gründen, darf die vollständige E-Mail incl. Daten nur angehängt werden.
Wir bitten Sie, dieses zu berücksichtigen.
Vielen Dank für Ihr Verständnis.
Ihre geänderten Account Daten, befinden Sie im beigefügten Dokument.
Weitere Informationen befinden sich im Anhang dieser Mail

The subject may be one of:
Info von :
Mailzustellung fehlgeschlagen:
Fehler in E-Mail:
Ihre E-Mail wurde verweigert:
Mailer Error:
Ungültige Zeichen in Ihrer E-Mail:
Mail- Verbindung wurde abgebrochen:
Betr.- Ihr Account:
Ihre neuen Account-Daten:
Oh God it's
Registration confirmation
Your Password
Your mail password
Faulty_mail delivery
Mail delivery_failed
Mail Error
illegal signs in your mail
invalid mail
mail delivery system

The mail may also contain strings that state that the message has been scaned and was found clean:
Attachment: No Virus found
Mail_Scanner: No Virus
Anti_Virus: No Virus was found
Attachment-Scanner: NO VIRUS
Anti_Virus: Es wurde kein Virus gefunden

The attachment is either a ZIP archive or a SCR,BAT,COM or PIF file with the name one of composed of one of
daten,KDE_Info,system-,data_info etc., possibly with a random number appended to it. Also, the file may have an document
extension ( such as XML,TXT,EML ) followed by spaces, followed by the real extension.

Once executed, the worm copies itself to the Windows System32 directory with a name built with a combination of the following words:
sys,host,dir,expoler,win,run,log,32,disc,crypt,data,diag,spool,service,smss32 , such as disclogexpoler.exe.

The worm creates registry entries so that it will be run at Windows startup. (such as Software\Microsoft\Windows\CurrentVersion\RunOnce and Run).

To gather email addresses it searches files with the following extensions:
txt,wab,eml,hlp,mht,nfo,php,asp,shtml,dbx .

Source: BitDefender Virusinfo

Sober.I Worm

Spreading: Medium

Last a² Update:

11/19/2004 1:47 PM
Version: 1.5.0

Number of Signatures:
Trojans 22332
Dialer 3449
Worms 1631
Spyware 402

a² Forum
a² Knowledgebase
a² Newsletter
a² Online-Check

- Spyware.Win32.18..
- Spyware.Win32.Cy..
- Trojan.Win32.Kil..
- Spyware.Win32.Ga..
- Dialer
- Spyware.Win32.Ne..
- Spyware.Win32.Be..
- Spyware.Win32.Bi..
- Spyware.Win32.To..
- Spyware.Win32.Bi..

Detail statistics

The awarded German Dialer protection tool YAW will be included in the next version of a² to ensure best Dialer protection.

a² Personal is the successor of the trojan-scanner products "Anti-Trojan 5.5" and "ANTS 2.1".

© 2003-2004 Emsi Software GmbH - 11/20/2004

Edited by scarlett, 20 November 2004 - 02:00 PM.

Posted Image

BC AdBot (Login to Remove)


#2 Pandy



  • Members
  • 9,559 posts
  • Gender:Female
  • Local time:02:33 PM

Posted 20 November 2004 - 02:08 PM

WOW {{Scarlett}}.. thanks so much. I use A squared. I will keep an eye out for those types of files. Better get my update lol.

Edited by Pandy, 20 November 2004 - 02:09 PM.

Do not anticipate trouble, or worry about what may never happen. Keep in the sunlight.

Hide not your talents. They for use were made. What's a sundial in the shade?

~ Benjamin Franklin

I am a Bleeping Computer fan! Are you?


Follow us on Twitter

#3 Scarlett


    Bleeping Diva

  • Topic Starter

  • Members
  • 7,479 posts
  • Gender:Female
  • Location:As always I'm beside myself ;)
  • Local time:01:33 PM

Posted 22 November 2004 - 09:36 AM

YVW Pandy We just can't be to careful, can we?
Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users