W32/Sober.I@mm

• Detected by virus detection files published: 11/19/2004
• Virus characteristics first published: 11/19/2004
• Virus characteristics latest update: 10/30/2007
• Alias: W32/Clonz.A; Trojan.Win32.VB.qa; W32/Sober.I.worm; Worm/Sober.I
• Infection type: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista
• Type: Worm
• Spreading mechanism: Email
• Overall risk: Low
• Payload:

Email characteristics:
  • Subject: Variable
  • Body: Variable
  • Attachment: Variable; either an executable file using SCR, COM, BAT or PIF extension or a ZIP file.

When the worm is executed, it displays a window with an error message. In the background it creates a number of files in the Windows System directory, most notably two worm files. These two files can have various names, for example expoler.exe or win32data.exe. Registry keys are created to start them at boot. Other files created are:

clonzips.ssc
clsobern.isc
cvqaikxt.apk
dgssxy.yoi
nonzipsr.noz
Odin-Anon.Ger
sb2run.dii
sysmms32.lla
winexerun.dal
winmprot.dal
winroot64.dal
winsend32.dal
zippedsr.piz

These are used for preliminary storage of harvested email addresses and MIME-encoded copies of the worm.

Registry keys created by the worm:

The worm uses several different key names and filenames, but an installation can look like this:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run service =\win32data.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run winrunexpolerx =\expoler.exe %run%
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run dirloghostx =\expoler.exe %run%
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run expoler32 =\win32data.exe
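
The file names and Run values described above can be checked against triage data collected from a host. The following Python is an added example, not part of the original description or any vendor tool; it assumes a saved file-name listing of the Windows System directory and saved `reg query` output for the Run keys. The function names and the sample data are hypothetical, and treating a trailing %run% argument as suspicious is an assumption drawn from the sample installation.

```python
import re

# File names from the description above; the two .exe names are only examples
# there ("can have various names"), so a clean result does not clear a host.
DATA_FILES = {
    "clonzips.ssc", "clsobern.isc", "cvqaikxt.apk", "dgssxy.yoi", "nonzipsr.noz",
    "odin-anon.ger", "sb2run.dii", "sysmms32.lla", "winexerun.dal",
    "winmprot.dal", "winroot64.dal", "winsend32.dal", "zippedsr.piz",
}
EXAMPLE_EXES = {"expoler.exe", "win32data.exe"}
EXE_NAME = re.compile(r'([^\\"]+\.exe)\b', re.IGNORECASE)

def parse_reg_query(text):
    """Yield (key, value_name, data) from saved `reg query <key>` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        parts = re.split(r"\t|\s{2,}", line.strip(), maxsplit=2)
        if key and len(parts) == 3 and parts[1].startswith("REG_"):
            yield key, parts[0], parts[2]

def triage(system_dir_names, reg_query_text):
    """Return (data files found, suspicious Run values) for one host."""
    present = {n.strip().lower() for n in system_dir_names}
    data_hits = sorted(present & DATA_FILES)
    run_hits = []
    for key, name, data in parse_reg_query(reg_query_text):
        m = EXE_NAME.search(data)
        exe = m.group(1).lower() if m else ""
        # Assumption: the trailing %run% seen in the sample installation is
        # worth flagging even when the executable has a different name.
        if exe in EXAMPLE_EXES or data.lower().rstrip().endswith("%run%"):
            run_hits.append((key.split("\\")[0], name, exe))
    return data_hits, run_hits

# Constructed sample input (not captured from a real host).
SAMPLE_DIR = ["kernel32.dll", "WinSend32.dal", "Odin-Anon.Ger", "notepad.exe"]
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    service    REG_SZ    C:\WINDOWS\system32\win32data.exe
    winrunzq    REG_SZ    C:\WINDOWS\system32\qzxwork.exe %run%
"""

if __name__ == "__main__":
    files, runs = triage(SAMPLE_DIR, SAMPLE_REG)
    print("data files:", files)
    for hive, name, exe in runs:
        print("Run value:", hive, name, exe)
```

Because the worm varies its key and file names, a hit on the fixed data-file names is the stronger signal; any Run value flagged here still needs its target file examined.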
