W32/Sober-F is an e-mail worm that mails itself to e-mail addresses harvested from infected systems. W32/Sober-F - Win32 worm. Date appeared: 05/4/2004
Description:
- On first run, the worm creates a .txt file in the Temp folder and opens it with NOTEPAD.EXE to display its contents. The text file begins with the following message:
"#Mail Transaction Failed
#This mail could not be converted
---------------- Damage #Mime base64 # part ----------------
<random text>"
- The worm copies itself into the Windows system directory as an .exe file whose name is built from the following words:
sys, host, dir, expolrer, win, run, log, 32, disc, crypt, date, diag, spool, service, smss32
- To run automatically when the system starts, W32/Sober-F creates the following values under the registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\<random name> = <SYSTEM>\<random file> %first
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<
- W32/Sober-F can also change the registry value at the following location so that the worm is started before any .exe file is launched:
HKCR\exefile\shell\open\command
- W32/Sober-F also creates the following files in the Windows system directory:
BCEGFDS.LLL - zero-byte file
SPOOFED_RECIPS.OCX - list of harvested e-mail addresses
SYST32WIN.DLL - list of harvested e-mail addresses
WINHEX32XX.WRM - base64-encoded copy of the worm
WINSYS32XX.ZZP - base64-encoded ZIP archive of the worm
ZHCARXXI.VVX - zero-byte file
ZMNDPGWF.KXX - zero-byte file
- W32/Sober-F harvests e-mail addresses from files with the following extensions:
WAB, TBB, ABD, ADB, PL, CTL, DHTM, CGI, PP, PPT, MSG, JSP, OFT, VBS, UIN, LDB, ABC, PST, CFG, MDW, MBX, MDX, FDB, VAP, DSP, ADE, SLN, DSW, MDE, FRM, BAS, ADR, CLS, INI, LDIF, LOG, MDB, XML, WSH, ABX, ADB, RTF, MMF, DOC, ODS, NCH, XLS, NSF, TXT, EML, HLP, MHT, NFO, PHP, ASP, SHTML, DBX
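The host-side indicators above (dropped files, the word-list .exe name, the Run/RunOnce entries and the exefile hijack) can be checked with a small triage script; this is an added example, not part of the original description. It assumes the random .exe name is a concatenation of the listed words and nothing else, and that the stock Windows value of HKCR\exefile\shell\open\command is `"%1" %*`; the listing and registry values it runs on are constructed here so it runs offline.

```python
"""Host-side triage for the W32/Sober-F indicators listed above (added example, not
part of the original description; the input below is constructed, not from a real host)."""
import re

# Fixed file names the worm creates in the Windows system directory.
DROPPED_FILES = {"BCEGFDS.LLL", "SPOOFED_RECIPS.OCX", "SYST32WIN.DLL", "WINHEX32XX.WRM",
                 "WINSYS32XX.ZZP", "ZHCARXXI.VVX", "ZMNDPGWF.KXX"}
# Words the worm builds its .exe name from. Assumption: the name is a concatenation of
# these words and nothing else, so the real "explorer.exe" (not "expolrer") stays clean.
NAME_WORDS = ["sys", "host", "dir", "expolrer", "win", "run", "log", "32", "disc",
              "crypt", "date", "diag", "spool", "service", "smss32"]
WORD_NAME_RE = re.compile(r"^(?:%s)+\.exe$" % "|".join(map(re.escape, NAME_WORDS)), re.I)

RUN_KEYS = ("hklm\\software\\microsoft\\windows\\currentversion\\run\\",
            "hklm\\software\\microsoft\\windows\\currentversion\\runonce\\")
EXEFILE_KEY = "hkcr\\exefile\\shell\\open\\command"
EXEFILE_DEFAULT = '"%1" %*'   # stock Windows value; anything else redirects every .exe launch


def basename(command):
    """First token of a registry command value, without quotes or directory."""
    tokens = command.strip().split()
    return tokens[0].strip('"').rsplit("\\", 1)[-1] if tokens else ""


def triage(system_dir_listing, registry_values):
    """Return (indicator, detail) pairs for everything matching the worm's footprint."""
    findings = []
    for name in system_dir_listing:
        if name.upper() in DROPPED_FILES:
            findings.append(("dropped-file", name))
        elif WORD_NAME_RE.match(name):
            findings.append(("wordlist-exe", name))
    for key, value in registry_values.items():
        k = key.lower()
        if k == EXEFILE_KEY and value.strip() != EXEFILE_DEFAULT:
            findings.append(("exefile-hijack", value))
        elif k.startswith(RUN_KEYS) and WORD_NAME_RE.match(basename(value)):
            findings.append(("run-key", key))
    return findings


# Constructed sample input: legitimate files alongside worm artefacts and a hijacked key.
SAMPLE_LISTING = ["explorer.exe", "smss.exe", "notepad.exe",
                  "windiag32.exe", "BCEGFDS.LLL", "winhex32xx.wrm"]
SAMPLE_REGISTRY = {
    r"HKCR\exefile\shell\open\command": r'C:\WINDOWS\system32\windiag32.exe "%1" %*',
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\qwe": r"C:\WINDOWS\system32\windiag32.exe %first",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
}
```

The word-list match is a heuristic and any hit still needs a look at the file itself; the exefile check is the strong one, since a non-default value there means every .exe launch is being redirected.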
E-mails sent by W32/Sober-F (in English and German) usually have the following characteristics:
Subject line (English):
Details
Oh my God
Hi, it's me
hey you
damn
Well, surprise?!
Info
Information
Faulty mail delivery
Mail delivery failed
Mail Error
Illegal signs in Mail-Routing
Connection error
Invalid email in sentence length
Mail Delivery failure
Message Error
mail delivery status
Confirmation Required
Bad Gateway
Warning!
Your document
Message body (English):
I was surprised, too! :-( Who could suspect something like that?
All OK :-) see, what i found!
hi its me i found a virus shity on my pc. check your pc, too! follow the
steps in this article. bye
I've told you! :-) sometime I grab your passwords!
I hope you accept the result! Follow the instructions to read the message.
Please read the document
Registration confirmation
Confirmation
Your Password
Your mail account
Your password was successfully changed.
Protected message is attached.
++++ Service: http://www
++++ Mail To: User-info
Auto Mail Delivery System
67.28.114.32 failed after I sent the message. Remote host said: 554 delivery error: dd Sorry your message cannot be delivered. This account has been disabled or discontinued [#102]. - mta134.mail.dcn.com
End of Transmission. The original message is a separate attachment.
--- Web: http://www
--- To: UserHelp
See the attached file.
Bad Gateway: The message has been attached.
+++ A service of +++ http://www. Mail: home
The message has been locked.
Database #Error - Partial message is available! - Error: Illegal signs in Mail-Routing - Mail Server: ESMTP VX32.9 Version Betha Alpha
Anybody use your accounts! For further details see the attachment.
Document received. Error corrected. greets corrected_text-file
The message text may end with one of the following:
Mail- Attachment: No suspicious Virus signatures
Mail Scanner: No Virus found
Anti Virus: No Virus!
Subject line (German):
Einzelheiten
Hallo Du!
Hallo!
Hey Du
Hi, Ich bin's
Ich bin es .-)
Verdammt
Überrascht?!
Information
Fehlerhafte Mailzustellung
Mailzustellung fehlgeschlagen
Fehler
Illegale Zeichen in Mail-Routing
Verbindung fehlgeschlagen
Ungültige Mail-Satzlänge
Fehler in E-Mail
Bestätigung
Registrierungs-Bestätigung
Ihr neues Passwort
Ihr Passwort
Datenbank-Fehler
Warnung!
Message body (German):
Ich war auch ein wenig überrascht! Wer konnte so etwas ahnen!? Lese selbst
Alles klaro bei dir? Schau mal was Ich gefunden habe!
Meinst Du das wirklich?
Sieh mal nach ob du den Scheiss auch bei dir drauf hast! Ist ein tierisch nervender Virus. Mach genau das, was im Text beschrieben ist! Bye
Ich habs dir doch gesagt, irgendwann schaffe ich es deine Passwörter rauszubekommen!!!
Details entnehmen Sie bitte dem Anhang. Informationen befinden sich im Anhang.
Auto Mail Delivery System
Ihre E-Mail konnte nicht gesendet oder empfangen werden. Bitte attach:
End Transmission
--- Web: http://www
--- To: User-Hilfe
Passwort und Benutzername wurde erfolgreich geändert.
Mail-Anhang: Keine verdächtigen Virus-Signaturen gefunden
Ihre Benutzernamen und Passwörter befinden sich im Anhang dieser E-Mail
++++ Im www erreichbar unter: http://www. ++++ E-Mail: KundenInfo
Wegen eines Datenbank-Fehlers k Wenn Sie Unregelmäßigkeiten festgestellt haben, melden Sie uns bitte umgehend den Datenverlust.
Vielen Dank f +++ Ein Service von
Internet Provider Abuse: Wir haben festgestellt, dass Sie illegale Internet-Seiten besuchen. Bitte beachten Sie folgende Liste:
The message text may end with one of the following:
Mail-Anhang: Keine verdächtigen Virus-Signaturen gefunden
Mail Scanner: Kein Virus gefunden
Anti-Virus: Es wurde kein Virus erkannt
Attachments (extension in the form of or
Webmaster, Fehler-Info, Administrator, RobotMailer, AutoMailer, Documente,
Document, KurzText, Register, Service, Info, Passwort, Kundenservice, Liste,
Schwarze-Liste, Information, text, Textdocument, anitv_text, instructions,
your_passic, messagedoc, admin, pass-message, database, help, check_this, Police.