What
is Sober.D Worm and How Did I Get It?
Sober.D is a variant of Sober.C that spreads
by sending itself as an email attachment using
its own SMTP engine.
Also known as: Win32.Sober.D, W32/Sober.d@MM,
WORM_SOBER.D, W32/Roca-A, I-Worm.Sober.d
When Sober.D is first run, it performs the
following actions:
- Copies itself as %System%\<random
filename>.exe.
- Creates the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
<random filename>
and adds the value:
"<random value>" =
"%System%\<random
filename>.exe"
so that the worm starts when Windows
starts.
- Adds the values:
"<random value>" =
"%System%\<random filename>.exe %1"
in the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunOnce
so that the worm starts when Windows starts.
- Drops the following files:
- %System%\temp32x.data (A MIME-encoded
body of Sober.D.)
- %System%\wintmpx33.dat (A MIME-encoded
body of Sober.D, wrapped in a .zip
file format.)
- %System%\mslog32.dll (A log file that
contains a list of email addresses
collected on the infected machine.)
- %System%\Humgly.lkur (A temporary file.)
- %System%\yfjq.yqwm (A temporary file.)
- %System%\zmndpgwf.kxx (A temporary
file.)
- Displays the following messages:
- This patch has been successfully
installed.
- This patch does not need to be installed
on this system.
- Microsoft Windows
STOP: 0x80070725 {FatalSystemError}
System File [filename].exe
Connection lost or blocked by Firewall
- Enumerates all the fixed drives in the
computer and scans the files with the
following extensions for email addresses:
- .abd
- .adb
- .asp
- .dbx
- .doc
- .eml
- .ini
- .log
- .mdb
- .php
- .pl
- .rtf
- .shtml
- .tbb
- .ttt
- .txt
- .wab
- .xls
The collected email addresses are stored
in the file %system%\mslog32.dll.
- Emails itself to the emails addresses
collected above.
The email message has the following
characteristics:
From: <random sender>@microsoft<random
country>
The <random sender> in the
spoofed sender's email address is randomly
picked up from the following list:
- Info
- Center
- UpDate
- News
- Help
- Studio
- Alert
- Patch
- Security
The <random country> string
is selected from the following list:
- .de
- .at
- .com
Subject: (One of the following )
- Microsoft Alert: Please Read!
Message-ID: <[random characters].qmail@microsoft.com>
- Microsoft Alarm: Bitte Lesen!
Message-ID: <[random characters].qmail@microsoft.com>
Body: (One of the following)
- Variant #1 (English):
New MyDoom Virus Variant Detected!
A new variant of the W32.Mydoom
(W32.Novarg) worm spread rapidly through
the Internet.
Anti-virus vendor Central Command claims
that 1 in 45 e-mails contains the MyDoom
virus.
The worm also has a backdoor Trojan
capability.
By default, the Trojan component listens
on port 13468.
Protection:
Please download this digitally signed
attachment.
This Update includes the functionality of
previously released patches.
+++ ©2004 Microsoft Corporation.
All rights reserved.
+++ One Microsoft Way, Redmond,
Washington 98052
+++ Restricted Rights at 48 CFR
52.227-19
- Variant #2 (German Variant):
Neue Virus-Variante W32.Mydoom
verbreitet sich schnell.
Eine neue Mydoom-Variante verbreitet sich
derzeit rasend schnell im Internet.
Wie seine Vorgänger verschickt sich der
Wurm von infizierten Windows-Rechnern per
E-Mail an weitere Adressen.
Zudem installiert er auf infizierten
Systemen einen gefährlichen Trojaner!
Führende Virenspezialisten melden bereis
ein vermehrtes Aufkommen des W32.Mydoom
alias W32.Novarg.
Bitte daten Sie Ihr System mit dem Patch
ab, um sich vor diesem Schädling zu schützen!
+++ ©2004 Microsoft Corporation.
Alle Rechte vorbehalten.
+++ Microsoft Deutschland GmbH,
Konrad-Zuse-Strasse
+++ 85716 Unterschleissheim, HRB
70438, DE 129 415 943
Attachment: <random
name><random digits><random
extension>
where the <random name> is randomly
selected from the following list:
- Patch
- MS-Security
- MS-UD
- UpDate
- sys-patch
- MS-Q
and the <random extension> is either
a .zip or .exe extension.
- The worm skips the email addresses that
contain the following substrings, which are
hard-coded into the body of the worm:
- @arin
- @avp
- @foo.
- @iana
- @ikarus.
- @kaspers
- @messagelab
- @msn.
- @nai.
- @ntp.
- @panda
- @sophos
- abuse
- admin
- antivir
- bitdefender
- clock
- detection
- domain.
- emsisoft
- ewido.
- free-av
- google
- host.
- hotmail
- info@
- linux
- microsoft.
- mozilla
- ntp-
- ntp@
- office
- password
- postmas
- redaktion
- service
- spybot
- support
- symant
- t-online
- time
- variabel
- verizon.
- viren
- virus
- winrar
- winzip
How
to Remove Sober.D Worm?
Kaspersky Internet Security Can Prevent You From Virus and Intrusion.
If Kaspersky detects Sober.D during the
scan, it will AUTOMATICALLY offer you the option
of deleting it. Do this by following the
program's instructions.
Follow these steps
in removing the Sober.D worm.
1. Disabling System Restore (Windows Me/XP)
For instructions on how to turn off System
Restore, read your Windows documentation, or one
of the following articles: "How
to disable or enable Windows Me/XP System Restore".
2. Updating the Virus Definitions
If you do not know which anti-virus software
can provide strong protection for you, Kaspersky Internet Security is recommended.
3. Identifying the Malware Program
To remove this malware, first identify the
malware program.
- Scan your system with your Kaspersky antivirus product.
- NOTE all files detected as SOBER.D.
4. Terminating the Malware Program
This procedure terminates the running malware
process from memory. You will need the name(s) of
the file(s) detected earlier.
- Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
- In the list of running programs*, locate the
malware file or files detected earlier.
- Select one of the detected files, then press
either the End Task or the End Process button,
depending on the version of Windows on your
system.
- Do the same for all detected malware files
in the list of running processes.
- To check if the malware process has been
terminated, close Task Manager, and then open
it again.
- Close Task Manager.
5. Removing Autostart Entries from the
Registry
Removing autostart entries from registry
prevents the malware from executing during
startup. This is also an effective way to
terminate its process. In this procedure, you
will need the name/s of the file/s detected
earlier.
- Open Registry Editor. Click Start>Run,
type Regedit then hit Enter.
- In the left panel, double click the
following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
- In the right panel, locate and delete the
entry or entries whose data value is the
malware path and file name of the file/s
detected earlier.
- Close Registry Editor.
6. Run a full system scan and delete all the
files detected as Sober.D.
- Start your Kaspersky Internet Security and make sure that it is
configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with
Sober.D,
click Delete.
How to Disinfect My Computer from Worms?
In order to keep your computer protected, bear
the following tips in mind:
- If you have filtering tools installed,
configure them to reject messages with the
characteristics described above. If, in spite
of doing this, you receive the message that
contains the virus: do not open it, do not run
the attached file and delete it, making sure
that you also delete it from the Deleted
Items folder.
- Install a good antivirus in your computer.
Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic
updates are available, configure your
antivirus to use them.
- Keep your permanent antivirus protection
enabled at all times.
Detect and Removal Instruction for Other
Worms - 'S':
| 
(If you can not see the issued comment, please enable your browser to support javascript and refresh this page.)