W32/Sober.Y Worm

 Information about the W32/Sober.Y Worm:

W32/Sober.Y is an email worm. The worm will infect Windows systems and spreads through email.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the infected mail will be any one of the following:

Your Password
smtp mail failed
Your IP was logged
Mail delivery failed
Registration Confirmation
You visit illegal websites
hi,_ive_a_new_mail_address
Paris_Hilton_&_Nicole_Richie
Spam: Registration Confirmation

The body of the infected mail will be any one of the following:

Account and Password Information are attached! ---

The Simple Life:
View Paris Hilton & Nicole Richie video clips , pictures & more ;)

Download is free until Jan, 2006!

Please use our Download manager.

Account and Password Information are attached!

***** Go to: http://www.{random}.com
***** Email: {random}.com

hey its me, my old address dont work at time. i dont know why?!

in the last days ive got some mails. i' think thaz your mails but im not sure!

plz read and check ...

cyaaaaaaa

This is an automatically generated Delivery Status Notification.

SMTP_Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.

The full mail-text and header is attached

Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.

Yours faithfully,
Steven Allison

*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000

The infected attachment will be any one of the following;

list.zip
mail.zip
mailtext.zip
reg_pass.zip
downloadm.zip
mail_body.zip
reg_pass-data.zip
question_list.zip

Upon execution of the infected attachment, the worm displays a message box with the following message;

Error in Packed Header

The worm copies itself as services.exe in the Windows folder.

It also drops the following files in the Windows System folder.

bbvmwxxf.hml
rubezahl.rub
runstop.rst
nonrunso.ber
gdfjgthv.cvq
langeinf.lin

It modifies the Windows registry at the following locations to load itself during next startup;

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To propagate itself, the worm scans the files with the following extensions and collects all the available email addresses from the infected system.

pmr, phtm, stm, slk, inbox, imb, csv, bak, imh, xhtml, imm, imh, cms, nws, vcf, ctld, htm, cgi, pp, ppt, msg, jsp, oft, vbs, uin, ldb, abc, pst, cfg, mdw, mbx, mdx, mda, adp, nab, fdb, vap, dsp, ade, sln, dsw, mde, frm, bas, adr, cls, ini, ldif, log, mdb, xml, wsh, tbb, abx, abd, adb, pl, rtf, mmf, doc, ods, nch, xls, nsf, txt, wab, eml, hlp, mht, nfo, php, asp, shtmland dbx

This worm first appeared on November 21, 2005.

 Other names of W32/Sober.Y Worm: