Sober.r prevention and cure
Takeaway: Sober.r is a classic mass-mailing e-mail worm that spreads itself to addresses harvested from infected PCs, and it may slow down e-mail services during the height of this infection.
Aliases: CME-151; Sober.p (Computer Associates, Sophos), Sober.q (Symantec), sober.y (Panda), Sober.ac (Trend Micro).
What it does: Harvests e-mail addresses from infected machines
Means of transmission: E-mail
How to recognize: E-mail referencing password changes with a ZIP file attachment
Who is at risk: Windows users
How it works
Sober.r arrives as an e-mail with a ZIP file attachment named either KlassenFoto.zip or pword_change.zip. Buried within the ZIP is an executable file named PW_Klass.Pic.packed.bitmap.exe. Once executed, the Sober.r worm collects e-mail addresses from the infected PC and uses its own SMTP e-mail engine to send copies of itself to those addresses.
According to McAfee, Sober.r makes the following changes to the system registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run " WinINet" = C:\WINDOWS\ConnectionStatus\services.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "_WinINet" = C:\WINDOWS\ConnectionStatus\services.exe
The worm also adds the following files to the Windows folder:
c:\WINDOWS\ConnectionStatus\netslot.nst
c:\WINDOWS\ConnectionStatus\services.exe
c:\WINDOWS\ConnectionStatus\socket.dli
Sober.r also adds the following zero-byte files to the System32 folder:
c:\WINDOWS\system32\bbvmwxxf.hml
c:\WINDOWS\system32\gdfjgthv.cvq
c:\WINDOWS\system32\langeinf.lin
c:\WINDOWS\system32\nonrunso.ber
c:\WINDOWS\system32\rubezahl.rub
c:\WINDOWS\system32\seppelmx.smx
Prevention
Do not open e-mail attachments without first saving them to your hard drive and having your antivirus app scan them. Sober.r may appear to come from someone you know, but in reality that sender address may be spoofed.
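As an added example that is not part of this article: a gateway-side check in Python that inspects a message's ZIP attachments for the attachment and executable names reported above, and for any executable member hiding behind stacked extensions. The sample message it builds is constructed here with placeholder bytes in place of the executable; its subject and addresses are invented.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Attachment names and the inner executable the article attributes to Sober.r.
SOBER_R_ZIP_NAMES = {"klassenfoto.zip", "pword_change.zip"}
SOBER_R_EXE_NAME = "pw_klass.pic.packed.bitmap.exe"
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def inspect_message(raw_bytes: bytes) -> list:
    """Return findings for the ZIP attachments of one raw RFC 822 message:
    a known Sober.r attachment name, the known Sober.r executable inside the
    archive, or any executable member hiding behind stacked extensions."""
    findings = []
    msg = email.message_from_bytes(raw_bytes)
    for part in msg.walk():
        name = part.get_filename()
        if not name or not name.lower().endswith(".zip"):
            continue
        if name.lower() in SOBER_R_ZIP_NAMES:
            findings.append(f"known Sober.r attachment name: {name}")
        try:
            archive = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            findings.append(f"unreadable ZIP attachment: {name}")
            continue
        for member in archive.namelist():
            base = member.lower().rsplit("/", 1)[-1]  # ignore folders inside the ZIP
            if base == SOBER_R_EXE_NAME:
                findings.append(f"known Sober.r executable in {name}: {member}")
            elif base.endswith(EXECUTABLE_EXTENSIONS) and base.count(".") > 1:
                findings.append(f"disguised executable in {name}: {member}")
    return findings

def build_sample_message(zip_name="pword_change.zip",
                         member_name="PW_Klass.Pic.packed.bitmap.exe") -> bytes:
    """Construct a test message shaped like the Sober.r mail described above.
    The ZIP member holds placeholder bytes, not worm code; only the names the
    article reports are reproduced, and the subject and sender are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["Subject"] = "Your password has been changed"  # constructed lure subject
    msg["From"] = "spoofed.sender@example.invalid"
    msg.set_content("Please open the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

Running inspect_message over the default sample message reports both the known attachment name and the known executable; a benign ZIP produces no findings.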
Removal
Several antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates (as Sober.p), F-Secure, McAfee, Norman, Panda (as Sober.y), Sophos (as Sober.p), Secunia, Symantec (as Sober.q), and Trend Micro (as Sober.ac).