Detection files published: 19 Nov 2004
Description created: 2004-11-19
Description updated: 2004-11-19
Alias: W32/Clonz.A; Trojan.Win32.VB.qa; W32/Sober.I.worm; Worm/Sober.I
Spreading mechanism:
Payload:
This is a new email worm. The emailed executable file is 56808 bytes long. Dropped executable files will be 46056 bytes lo
Variable
When the worm is executed, it displays a window with an error message. In the background it creates a number of files in the Windows System directory, most notably two worm files. These two files can have various names, for example expoler.exe or win32data.exe. Registry keys are created to start them at bootup. Other files created are:
clonzips.ssc
clsobern.isc
cvqaikxt.apk
dgssxy.yoi
nonzipsr.noz
Odin-Anon.Ger
sb2run.dii
sysmms32.lla
winexerun.dal
winmprot.dal
winroot64.dal
winsend32.dal
zippedsr.piz
These are used for preliminary storage of harvested email addresses and MIME-encoded copies of the worm.
Registry keys created by the worm:
The worm uses several different key names and filenames, but an installation can look like this:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run service =
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run winrunexpolerx =
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run dirloghostx =
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run expoler32 =
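As an added example (not Norman's code and not part of the original description), this Python sketch triages a collected System directory listing and Run key export against the file names, Run value names and dropped-file size given above. The function names, tuple formats and sample data are assumptions constructed for illustration; because the worm varies its names, matches on executable and Run value names cover only the examples listed here.

```python
from pathlib import PureWindowsPath

# Names and size come from the description above. The worm varies its executable
# and Run value names, so those two sets are examples, not a complete list.
DATA_FILES = {"clonzips.ssc", "clsobern.isc", "cvqaikxt.apk", "dgssxy.yoi",
              "nonzipsr.noz", "odin-anon.ger", "sb2run.dii", "sysmms32.lla",
              "winexerun.dal", "winmprot.dal", "winroot64.dal",
              "winsend32.dal", "zippedsr.piz"}
EXAMPLE_EXES = {"expoler.exe", "win32data.exe"}
EXAMPLE_RUN_VALUES = {"service", "winrunexpolerx", "dirloghostx", "expoler32"}
DROPPED_EXE_SIZE = 46056  # bytes

def run_target(command):
    """File name of the program a Run command starts (quoted or unquoted path)."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        path = command.split(" ", 1)[0]  # assumes unquoted paths have no spaces
    return PureWindowsPath(path).name.lower()

def triage(system_dir_listing, run_entries):
    """Takes (file_name, size_bytes) pairs from the System directory and
    (hive, value_name, command) triples from the Run keys; returns findings."""
    findings, suspect_exes = set(), set()
    for name, size in system_dir_listing:
        low = name.lower()  # Windows file names are case-insensitive
        if low in DATA_FILES:
            findings.add(("data_file", low))
        elif low.endswith(".exe") and (low in EXAMPLE_EXES or size == DROPPED_EXE_SIZE):
            suspect_exes.add(low)  # a size-only match may be a renamed copy
            findings.add(("exe_name" if low in EXAMPLE_EXES else "exe_size", low))
    for hive, value_name, command in run_entries:
        target = run_target(command)
        if target in suspect_exes:  # strongest signal: autostart of a flagged file
            findings.add(("run_to_suspect_exe", f"{hive}\\{value_name} -> {target}"))
        elif value_name.lower() in EXAMPLE_RUN_VALUES:  # a name alone is weak
            findings.add(("run_value_name", f"{hive}\\{value_name}"))
    return sorted(findings)

# Constructed sample input (not taken from a real host).
SAMPLE_LISTING = [("Expoler.EXE", 46056), ("notepad.exe", 69120),
                  ("winsend32.dal", 1200), ("qzxrun.exe", 46056)]
SAMPLE_RUN = [("HKLM", "expoler32", r"C:\WINDOWS\system32\expoler.exe"),
              ("HKCU", "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
              ("HKCU", "updchk", r'"C:\WINDOWS\system32\qzxrun.exe" /s')]

if __name__ == "__main__":
    print(*triage(SAMPLE_LISTING, SAMPLE_RUN), sep="\n")
```

A size-only or name-only hit is a lead for further inspection, not a verdict; a Run entry that starts a flagged executable is the strongest of the signals shown.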
Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.
| Usage | Title | Comment |
|---|---|---|
| Stopping network share infectors | | |
| Cleaning of back-up folders on Windows Me and XP | | |