W32/Sober.M Worm

 Information about the W32/Sober.M Worm:

W32/Sober.M is an email worm. This worm is a variant of W32/Sober.A. The worm will infect Windows systems and spreads through email.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the infected mail will be any one of the following;

Your new Password
Paris Hilton, pure!
Mail_delivery_failed
Alert! New Sober Worm!

The content of the mail will be any one of the following:

More than 50 HOT Hilton Videos
More than 3000 Hilton picks

FREE Download until April, 2005

Make your own Download Account, it's free!
Further details are attached

Thanks & have fun ;)

OR

Dear Sir/Madam,

we have logged your IP-address on more than 40 illegal Websites.

Important: Please answer our questions!
The list of questions are attached.

Yours faithfully,
M. John Stellford

++-++ Federal Bureau of Investigation -FBI-
++-++ 935 Pennsylvania Avenue, NW, Room 2130
++-++ Washington, DC 20535
++-++ (202) 324-3000

OR

ATTENTION!

Antivirus vendors are warning of a new variant of the Sober virus discovered today that can delete the hard disk.

Protection:
Download and read the zipped patch. It's very easy to install!

Thanks for your cooperation!

--- (c)2005 Microsoft Corporation. All rights reserved
--- Microsoft Corporation
--- One Microsoft Way
--- Redmond, Washington 98052-6399

OR

This is an automatically generated Delivery Status Notification.
ESMTP Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.

The full mail-text and header is attached

OR

Thanks for your registration!
We have received your payment.

For more detailed information, read the attached text.

The name of the infected attachment will be any one of the following:

Formular.zip
Register-Info.zip
zipped-mail.zip
zipped-text.zip
PSW-Text.zip
Tool.zip

Upon execution, the worm copies itself as CSRSS.EXE, DATAMX1.DAT, SMSS.EXE, WINLOGON.EXE in the Windows msagent folder.

It also copies itself as NONRUNSO.BER, READ.ME, STOPRUNS.ZHZ in the Windows System folder.

It alters the windows registry at the following locations to load itself during next startup;

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

To propagate itself, the worm scans the files having the following extensions and collects all the available email addresses from the infected system;

.abc, .abd, .abx, .eml, .fdb, .frm, .msg, .nab, .nch, .uin, .vap, .adb, .ade, .adp, .hlp, .imb, .imh, .stm, .tbb, .txt, .vbs, .vcf, .adr, .asp, .bak, .imm, .inbox, .ini, .nfo, .nsf, .nws, .wab, .wsh, .bas, .cfg, .cgi, .jsp, .ldb, .ldif, .ods, .oft, .php, .xhtml, .cls, .cms, .csv, .log, .mbx, .mda, .pl, .pmr, .pp, .xls, .ctl, .dbx, .dhtm, .mdb, .mde, .mdw, .ppt, .pst, .rtf, .doc, .dsp, .dsw, .mdx, .mht, .mmf, .shtml, .slk, .sln, .xml.

The worm mails itself to these addresses using its own SMTP engine.

This worm first appeared on 20th February, 2005.

 Other names of W32/Sober.M Worm:

This Worm is also known as Sober.M, WORM_SOBER.K, W32.Sober.K@mm.