I-Worm.Sober.U
Date: 15 November 2005

Summary

I-Worm.Sober.U is a mass-mailing worm with its own SMTP engine. It sends a copy of itself as an email attachment to the email addresses it harvests from the compromised computer.

Malware Type: Worm
Infected File Size: 127,888 bytes
System Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Risk Rating:

Description

When I-Worm.Sober.U is executed, it performs the following actions:

It displays a message box with the following text:

Title: Windows
Message: Error: Text-File not complete

Creates the following files in the Windows and System folders (the services.exe under ConnectionStatus\Microsoft is the worm's copy of itself; it is not the legitimate Windows services.exe, which lives in %System%):

%Windir%\ConnectionStatus\Microsoft\services.exe
%System%\bbvmwxxf.hml (harmless)
%System%\gdfjgthv.cvq (harmless)
%System%\langeinf.lin (harmless)
%System%\nonrunso.ber (harmless)
%System%\rubezahl.rub (harmless)
%System%\runstop.rst (harmless)

Adds the following value to both registry Run keys so that the worm starts every time Windows starts:

"WinCheck" = "%Windir%\ConnectionStatus\Microsoft\services.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Collects email addresses from files with the following extensions:

.pmr
.phtm
.stm
.slk
.inbox
.imb
.csv
.bak
.imh
.xhtml
.imm
.cms
.nws
.vcf
.ctl
.dhtm
.cgi
.pp
.ppt
.msg
.jsp
.oft
.vbs
.uin
.ldb
.abc
.pst
.cfg
.mdw
.mbx
.mdx
.mda
.adp
.nab
.fdb
.vap
.dsp
.ade
.sln
.dsw
.mde
.frm
.bas
.adr
.cls
.ini
.ldif
.log
.mdb
.xml
.wsh
.tbb
.abx
.abd
.adb
.pl
.rtf
.mmf
.doc
.ods
.nch
.xls
.nsf
.txt
.wab
.eml
.hlp
.mht
.nfo
.php
.asp
.shtml
.dbx

Saves the collected email addresses in a file named concon.www.

Sends email to the collected addresses using its own SMTP engine. Each email carries a .zip attachment that contains a copy of the worm; the message text is written in English or German.

Solution

1. Disable System Restore, so that an infected copy kept in a restore point cannot be brought back after cleaning.

  • Disable System Restore under Windows Me:

Point to Start, Settings, and Control Panel. Double-click 'System', then click the 'Performance' tab. Click 'File System', then click the 'Troubleshooting' tab. Select 'Disable System Restore' and click 'Apply'. Restart your system.

  • Disable System Restore under Windows XP:

Point to Start, Control Panel, Performance and Maintenance. Double-click 'System', then select the 'System Restore' tab. Select the 'Turn off System Restore on all drives' box. Click 'Apply'. Click 'Yes'. Restart your system.

2. Update your Anti-Virus with the latest signature pattern definitions.

3. Perform a system scan using Quick Heal Scanner.
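As an added example (not code from this advisory or from Quick Heal), the following Python script checks a host for the artifacts listed under Description before and after the scan in step 3: the "WinCheck" Run value, the dropped files, and the concon.www harvest file. It also tells the worm's services.exe apart from the genuine one, which matters because killing or deleting services.exe by name alone would hit a core Windows process. The %Windir%/%System% expansion, the folders searched for concon.www (the advisory gives no folder), and the sample snapshot are assumptions of this example.

```python
"""Indicator check for I-Worm.Sober.U built from the file, registry and
harvest-file artifacts in the advisory above (example code, not Quick Heal's).
The matching runs on a snapshot, so it also works against the constructed
sample below on any OS; collect_live() takes a real snapshot on Windows."""
import os
import sys

# %Windir% is the Windows folder, %System% its system folder (system32 on
# NT-family Windows, System on Windows 9x/Me).
WORM_EXE = r"%Windir%\ConnectionStatus\Microsoft\services.exe"
RUN_VALUE_NAME = "WinCheck"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
DROPPED_FILES = (
    WORM_EXE,
    r"%System%\bbvmwxxf.hml", r"%System%\gdfjgthv.cvq", r"%System%\langeinf.lin",
    r"%System%\nonrunso.ber", r"%System%\rubezahl.rub", r"%System%\runstop.rst",
)
# The advisory names the harvest file but not its folder; checking both the
# Windows and System folders for it is an assumption of this example.
HARVEST_FILE = "concon.www"


def expand(path, windir, system):
    """Expand the advisory's %Windir% / %System% placeholders."""
    return path.replace("%Windir%", windir).replace("%System%", system)


def norm(path):
    """Windows paths compare case-insensitively; Run data is often quoted."""
    return path.strip().strip('"').lower()


def is_worm_image(image_path, windir):
    """True only for services.exe in the worm's drop folder; the genuine
    Windows services.exe in %System% must never match."""
    return norm(image_path) == norm(expand(WORM_EXE, windir, ""))


def find_indicators(run_values, existing_paths, windir, system):
    """run_values: {run_key: {value_name: data}}; existing_paths: full paths
    present on the host. Returns a list of (kind, location) hits."""
    present = {norm(p) for p in existing_paths}
    worm_exe = norm(expand(WORM_EXE, windir, system))
    hits = []
    for key in RUN_KEYS:
        data = run_values.get(key, {}).get(RUN_VALUE_NAME)
        if data is not None and norm(data) == worm_exe:
            hits.append(("registry", key + "\\" + RUN_VALUE_NAME))
    for dropped in DROPPED_FILES:
        full = expand(dropped, windir, system)
        if norm(full) in present:
            hits.append(("file", full))
    for folder in (windir, system):
        full = folder + "\\" + HARVEST_FILE
        if norm(full) in present:
            hits.append(("harvest", full))
    return hits


def collect_live():
    """Snapshot the two Run keys and the candidate paths on a Windows host."""
    import winreg  # Windows-only module
    windir = os.environ["SystemRoot"]
    system = os.path.join(windir, "system32")
    run_values = {}
    for key in RUN_KEYS:
        hive, _, subkey = key.partition("\\")
        values = run_values[key] = {}
        try:
            with winreg.OpenKey(getattr(winreg, hive), subkey) as handle:
                for index in range(winreg.QueryInfoKey(handle)[1]):
                    name, data, _ = winreg.EnumValue(handle, index)
                    values[name] = str(data)
        except OSError:  # key absent, e.g. HKCU Run key on a fresh profile
            pass
    candidates = [expand(f, windir, system) for f in DROPPED_FILES]
    candidates += [os.path.join(d, HARVEST_FILE) for d in (windir, system)]
    return run_values, [p for p in candidates if os.path.exists(p)], windir, system


# Constructed snapshot of an infected XP host (sample data, not a real capture).
SAMPLE_RUN_VALUES = {
    RUN_KEYS[0]: {"WinCheck": '"C:\\WINDOWS\\ConnectionStatus\\Microsoft\\services.exe"'},
    RUN_KEYS[1]: {},
}
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\services.exe",  # genuine Windows binary, must not hit
    r"C:\WINDOWS\ConnectionStatus\Microsoft\services.exe",
    r"C:\WINDOWS\system32\runstop.rst",
    r"C:\WINDOWS\system32\concon.www",
]

if __name__ == "__main__":
    if sys.platform == "win32":
        hits = find_indicators(*collect_live())
    else:
        hits = find_indicators(SAMPLE_RUN_VALUES, SAMPLE_PATHS,
                               r"C:\WINDOWS", r"C:\WINDOWS\system32")
    for kind, where in hits:
        print(f"{kind:8} {where}")
```

On a Windows host the script takes a live snapshot; elsewhere it runs against the constructed sample. If it reports hits, terminate the running process whose image path satisfies is_worm_image (not every process called services.exe), then remove the WinCheck value from both Run keys and delete the listed files, and rerun the scan in step 3 to confirm the host is clean.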
