W32/Sober.D

SpamChoke Antispam
Software

Subscribe to Virus Alert
Mailing List

Enter your Email
(Ex : john@company.com)

W32/Sober.D Worm

Information about the W32/Sober.D Worm:

W32/Sober.D is a mass mailing worm. This worm infects the Windows systems and spreads through email.

The subject of the infected mail will be;

Microsoft Alert: Please Read!

The worm carries any one of the infected attachment;

Patch
sys-patch
UpDate
MS-UD
MS-Security

The extension of the infected attachment will be .zip, which contains an executable attachment .exe.

The body of the infected mail will be either in english or german language.

The body of the mail in english will be;

New MyDoom Virus Variant Detected!

A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet. Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus. The worm also has a backdoor Trojan capability. By default, the Trojan component listens on port 13468.

Protection:
Please download this digitally signed attachment.
This Update includes the functionality of previously released patches.

+++ ©2004 Microsoft Corporation. All rights reserved.
+++ One Microsoft Way, Redmond, Washington 98052
+++ Restricted Rights at 48 CFR 52.227-19

The body of the mail in german will be any one of the following;

Neue Virus-Variante W32.Mydoom verbreitet sich schnell.

Eine neue Mydoom-Variante verbreitet sich derzeit rasend schnell im Internet. Wie seine Vorganger verschickt sich der Wurm von infizierten Windows- Rechnern per E-Mail an weitere Adressen.
Zudem installiert er auf infizierten Systemen einen gefahrlichen Trojaner! Fuhrende Virenspezialisten melden bereis ein vermehrtes Aufkommen des W32.Mydoom alias W32.Novarg.

Bitte daten Sie Ihr System mit dem Patch ab, um sich vor diesem Schadling zu schutzen!

+++ c2004 Microsoft Corporation. Alle Rechte vorbehalten.
+++ Microsoft Deutschland GmbH, Konrad-Zuse-Strasse 1
+++ 85716 Unterschleissheim, HRB 70438, DE 129 415 943

Upon execution of the infected attachment, it displays a dialog box with a message;

"This patch has been successfully installed."

After this, the worm copies itself in the Windows System folder. The worm modifies registry at the following location to load itself during each startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The worm scans the following extensions and collects all the available email addresses from the infected system.

.xls
.wab
.txt
.tbb
.shtml
.rtf
.pl
.php
.mdb
.log
.ini
.eml
.doc
.dbx
.asp
.adb
.abd

The worm stores all the collected email addresses in a file called mslogs32.dll, in the Windows System folder. After this the worm mails itself to these addresses using its own SMTP engine.

This worm first appeared on March 8, 2004.

Other names of W32/Sober.D Worm:

This worm is also known as I-Worm.Sober.D, W32/Sober.D@mm, W32/Roca-a, Win32/Roca.A@mm

Click here to download a 30 day Evaluation Copy of
Protector Plus for your operating system

About Protector Plus Antivirus Software Packages:

Proland Software is the developer of Protector Plus range of antivirus software packages. Protector Plus is available for Windows Vista, Windows 95/98/Me, Windows XP, Windows NT/2000/2003 servers and workstations, MS-Exchange 2000/2003, MS-DOS and NetWare servers.

New:
SpamChoke Antispam Software
Download Now!

Protector Plus range of antivirus products offer on-line virus detection and removal. All the packages have the ability to detect and isolate all types of viruses, trojans, worms and other types of malware. Protector Plus antivirus software can detect and remove W32/Sober.D worm reliably.

These products are updated on a continuous basis and the latest upgrades for all the platforms are made available for downloading from this site.

Click here to order
Protector Plus Antivirus software