W32/Sober.V Worm

Subscribe to Virus Alert
Mailing List

Enter your Email
(Ex : john@company.com)

W32/Sober.V Worm

Information about the W32/Sober.V Worm:

W32/Sober.V is an email worm. The worm will infect Windows systems and spreads through email.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the infected mail will be either in English or German language.

The subject of the mail in English will be as follows;

Your eMail Password

The subject of the mail in German will be as follows;

BruteForceBegin

The body of the infected mail will be either in English or German language.

The body of the mail in English will be as follows;

Thanks for your registration! Your registration will not be complete until you re-confirm it. Please read the following agreement. If you accept it, click the "Accept" to complete your registration!

The body of the mail in German will be as follows;

Musste mir leider ne neue Mail-Addy machen. Meine alte wird nur noch zu gemuellt mit Spam. Habe dir auch gleich die Datei mitgeliefert die du immer haben wolltest. Ist aber ziemlich per....

Ok, man sieht sich

The infected attachment will be any one of the following;

Accept_e-Text.zip
Mail-Datei.zip

Upon execution of the infected attachment, the worm displays a message box with the following message.

Error in Outlook-Key

It drops a copy of worm as services.exe in the Windows folder.

It also drops the following files in the Windows System folder.

bbvmwxxf.hml
rubezahl.rub
runstop.rst
nonrunso.ber
gdfjgthv.cvq
langeinf.lin

It modifies the Windows registry at the following locations to load itself during next startup;

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To propagate itself, the worm scans the files with the following extensions and collects all the available email addresses from the infected system.

pmr, phtm, stm, slk, inbox, imb, csv, bak, imh, xhtml, imm, imh, cms, nws, vcf, ctld, htm, cgi, pp, ppt, msg, jsp, oft, vbs, uin, ldb, abc, pst, cfg, mdw, mbx, mdx, mda, adp, nab, fdb, vap, dsp, ade, sln, dsw, mde, frm, bas, adr, cls, ini, ldif, log, mdb, xml, wsh, tbb, abx, abd, adb, pl, rtf, mmf, doc, ods, nch, xls, nsf, txt, wab, eml, hlp, mht, nfo, php, asp, shtml, dbx

It saves all collected email addresses in concon.www file, which is created by this worm in the Windows folder.

This worm first appeared on November 15, 2005.

Other names of W32/Sober.V Worm:

This Worm is also known as W32/Sober.w@MM.

Download the FREE Evaluation copy of Protector Plus antivirus software

About Protector Plus Antivirus Software Packages:

Proland Software is the developer of Protector Plus range of antivirus software packages. Protector Plus 2007 is available for Windows Vista, Windows 95/98/Me, Windows XP, Windows NT/2000/2003 servers and workstations, MS-Exchange 2000/2003, MS-DOS and NetWare servers.

Special Offer Order Protector Plus Antivirus software Now and get SpamChoke Antispam Software worth $29.95 FREE!

Protector Plus range of antivirus products offer on-line virus detection and removal. All the packages have the ability to detect and isolate all types of viruses, trojans, worms and other types of malware. Protector Plus antivirus software can detect and remove W32/Sober.V Worm reliably.

These products are updated on a continuous basis and the latest upgrades for all the platforms are made available for downloading from this site.

Click here to order
Protector Plus anti virus software