W32/Sober.R@mm

• Subject: Your new Password
• Body:

  Your password was successfully changed!

  Please see the attached file for detailed information.

• Attachment: pword_change.zip

When executed the worm will show a bogus error message ("CRC Header must be $7ff8"), and then install itself on the system. It will then search available sources for email addresses to send itself to.

Sober detects recipient country and will select English or German language depending on this. English text is shown here.

File system changes:

Creates <WINDOWS>\ConnectionStatus\services.exe        (the worm itself)
Creates <WINDOWS>\ConnectionStatus\netslot.nst            (MIME-encoded copy)
Creates <WINDOWS>\ConnectionStatus\socket.dli              (gathered email adresses) 

It will also create these empty files, which has the effect that older Sobervariants will not run:
Creates <WINDOWS>\System32\bbvmwxxf.hml    
Creates <WINDOWS>\System32\gdfjgthv.cvq
Creates <WINDOWS>\System32\bbvmwxxf.hml
Creates <WINDOWS>\System32\langeinf.lin
Creates <WINDOWS>\System32\nonrunso.ber
Creates <WINDOWS>\System32\rubezahl.rub
Creates <WINDOWS>\System32\seppelmx.smx

Registry changes:

Adds the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run _WinINet    = <WINDOWS>\ConnectionStatus\services.exe
Adds the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run WinINet    = <WINDOWS>\ConnectionStatus\services.exe

Files types searched for emailaddresses: