W32/Sober.N@mm

• Detected by virus detection files published: 4/19/2005
• Virus characteristics first published: 4/19/2005
• Virus characteristics latest update: 10/30/2007
• Alias: W32/Sober-M
• Infection type: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista
• Type: Worm
• Spreading mechanism: Email
• Overall risk: Medium
• Payload: Terminates security processes

Email characteristics:
  • Subject: I've_got your EMail on my_account! or FwD: Ich bin's nochmal
  • Body:

    Hello,
    First, Very Sorry for my bad English.
    Someone is sending your private e-mails on my address.
    It's probably an e-mail provider error!
    At time, I've got over 10 mails on my account, but the recipient are you.
    I have copied all the mail text in the windows text-editor for you & zipped then.
    Make sure, that this mails don't come in my mail-box again.

    Or

    Verdammt,,,,
    ich hatte vergessen Dir meinen Text mitzuschicken.
    Aber bitte nicht woanders darueber Reden, ich wuerde mich dann zu Tode
    blamieren!
    Ich melde mich.
    Bis bald ;)

  • Attachment: your_text.zip or Private-Texte.zip

When the worm is first executed, it copies itself to a subfolder under the Windows folder and starts scanning text files for email addresses. These addresses are then used as both sender and recipient addresses for later infected mails. At the same time, the worm creates a text file containing garbage text and displays it using NOTEPAD.

Emails sent will have German or English text depending on the recipient address.

File system changes:

Creates \config\system\zipped.wrm
Creates \config\system\maddys.xyz
Creates \config\system\services.exe
Creates mail.document.Datex-packed.txt in a TEMP folder
Creates \nonrunso.ber
Creates \langeinf.lin
Creates \adcmmmmq.hjg
Creates \xcvzpokd.tqa

Registry changes:

Creates key HKCU\Software\Microsoft\Windows\CurrentVersion\Run _SystemCheck = \config\system\services.exe
Creates key HKLM\Software\Microsoft\Windows\CurrentVersion\Run " SystemCheck" = \config\system\services.exe
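
As an added example (not part of the original description or of any vendor tool), this Python check scans `reg query` output for the two Run-key entries listed above. The `C:\WINDOWS` prefix and the sample output are constructed assumptions; the function name `scan_run_keys` is hypothetical.

```python
import re
from typing import NamedTuple

# Indicators taken from the registry changes listed above.
RUN_VALUE = "systemcheck"                     # listed as "_SystemCheck" and " SystemCheck"
PATH_PART = r"\config\system\services.exe"    # worm copy, not the System32 services.exe
# `reg query` prints: 4 spaces, value name, 4 spaces, type, 4 spaces, data.
LINE = re.compile(r"^ {4}(?P<name>.*?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")

class Hit(NamedTuple):
    key: str
    name: str
    data: str
    reasons: tuple

def scan_run_keys(reg_query_output: str) -> list:
    """Return Run-key values that match the persistence indicators."""
    hits, key = [], ""
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = LINE.match(line)
        if not m or not key.lower().endswith(r"\currentversion\run"):
            continue
        name, data = m["name"], m["data"].strip().strip('"')
        reasons = []
        # Ignore the leading "_" or space the worm puts in front of the name.
        if name.strip(" _").lower() == RUN_VALUE:
            reasons.append("value name")
        if PATH_PART in data.lower():
            reasons.append("path")
        if reasons:
            hits.append(Hit(key, name, data, tuple(reasons)))
    return hits

# Constructed sample in `reg query` format (assumes Windows lives in C:\WINDOWS).
SAMPLE = "\n".join([
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"    _SystemCheck    REG_SZ    C:\WINDOWS\config\system\services.exe",
    r"    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe",
    "",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"     SystemCheck    REG_SZ    C:\WINDOWS\config\system\services.exe",
    r"    Updater    REG_SZ    C:\WINDOWS\system32\services.exe /check",
])

if __name__ == "__main__":
    for h in scan_run_keys(SAMPLE):
        print(h.key, repr(h.name), h.data, h.reasons)
```

Matching on the path as well as the value name catches the entry even if the name is altered, while a `services.exe` under `system32` is not flagged.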
 
