Win32:Sober-A

Win32:Sober-A

is an email worm written in Visual Basic and packed with the modified version of UPX packer. The infected message could contain one of many different subject lines either in English or German language.

Some of the messages pretend to be the an update from an anti-virus company.

Win32:Sober-A contains its own SMTP routine for sending the e-mails. The recipient addresess are harvested from different files on the local machine. The worm installs itself into the system directory on the infected machine under the name SIMILARE.EXE. Two other copies of the worm are stored on the local disk as well. This worm has a special mechanism which is responsible for the keeping the worm active in the memory: it has two processes running and when one of them is terminated, the other one will restart it very quickly.

Win32:Sober-A adds a filename to the following registry entry so that the worm runs when you logon to your computer:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

It also creates the following file in the Windows system folder:
Macromed\Help\Media.dll

This file contains e-mail addresses collected from the system.

Removal:
To remove this virus please use free avast! Virus Cleaner.

avast! with VPS file dated on or after 27th October 2003 is able to detect this worm.

Refer: Avast



Copyright © 2004-2004 All rights reserved.
Valid HTML 4.01! Click here to validate current page. Best viewed with ANY browser! Valid CSS! Click here to validate current CSS.