Description:
As of May 15, 2005 (PDT/GMT -7:00), Trend Micro has received several infection reports of this new SOBER variant spreading in Germany and India.
For an at-a-glance view of this worm's behavior, refer to the Behavior Diagram shown below.
This worm is downloaded and executed by WORM_SOBER.S from specific Web sites.
It uses its own SMTP (Simple Mail Transfer Protocol) engine to send messages to all email addresses it obtains from files with certain extensions. However, it avoids sending messages to email addresses that contain particular strings.
The email has varying subjects. Below are screenshots of the email that it sends out:
It also attempts to download a single file from the following addresses starting May 23, 2005 or later:
After downloading, it executes the downloaded file. As of this writing, the files at these sites are unavailable.
Description created: May. 15, 2005 8:26:45 AM GMT -0800
Description updated: May. 25, 2005 6:25:14 PM GMT -0800