W32/Sober.AA@mm

  • Type: Worm
  • Spreading mechanism: Email
  • Overall risk: Medium
  • Payload: (not specified on this page)
  • Detected by virus detection files published: 11/22/2005
  • Virus characteristics first published: 11/22/2005
  • Virus characteristics latest update: 10/30/2007
  • Alias: CME ID 681, WORM_SOBER.AG, W32.Sober.X@mm, Win32.Sober.W, Sober.Y
  • Infection type: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista

Email characteristics:
  • Subject: several different English or German texts
  • Body: several different English or German texts
  • Attachment: a zip file containing a file called "file-packed_datainfo.exe"
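The carrier described above (a zip attachment whose member is named "file-packed_datainfo.exe") is easy to catch at a mail gateway without relying on the varying subject lines. The following is an added example, not VirusFighter's or any vendor's code; it parses a message with the standard library, opens each zip attachment in memory and flags the Sober dropper name, plus any other executable hidden in a zip. The sample message is constructed inline and contains a placeholder payload, not real malware.

```python
"""Mail-gateway style check for the W32/Sober.AA@mm carrier (added example)."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Member name taken from the description; lower-cased for a case-insensitive compare.
SOBER_DROPPER_NAME = "file-packed_datainfo.exe"
# Generic fallback: any executable inside a zip is worth flagging on a gateway.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def zip_members(blob):
    """Return the member names of a zip blob, or None if the blob is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return None


def inspect_message(raw):
    """Return (kind, attachment_name, member_name) findings for one RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        members = zip_members(payload)
        if members is None:          # not a zip (or a corrupt one): nothing to unpack
            continue
        for member in members:
            base = member.rsplit("/", 1)[-1].lower()   # ignore any folder prefix in the zip
            if base == SOBER_DROPPER_NAME:
                findings.append(("sober-dropper", name, member))
            elif base.endswith(EXECUTABLE_SUFFIXES):
                findings.append(("executable-in-zip", name, member))
    return findings


def build_sample(member_name, attach_name="file.zip"):
    """Construct a test message carrying a zip with one member (constructed input, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ placeholder bytes, not a real PE")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Your Password"   # Sober subjects vary; the check does not use them
    msg.set_content("See the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attach_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for member in ("file-packed_datainfo.exe", "report.pdf", "setup.exe"):
        print(member, "->", inspect_message(build_sample(member)))
```

The dropper-name check is exact, so a variant that renames its payload would only be caught by the generic executable-in-zip rule; treat that rule as the one to keep enabled.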

When executed, the worm shows a bogus error message ("Error in packed Header") and then installs itself on the system. It then searches the available sources on the machine for email addresses and mails itself to them.

The worm infers the recipient's country from the email address and chooses English or German text accordingly.

File system changes (paths are relative to the Windows directory):

Creates \WinSecurity\services.exe         (the worm itself)
Creates \WinSecurity\smss.exe             (same)
Creates \WinSecurity\csrss.exe            (same)
Creates \WinSecurity\mssock1.dli          (gathered email addresses)
Creates \WinSecurity\mssock2.dli          (same)
Creates \WinSecurity\mssock3.dli          (same)
Creates \WinSecurity\winmem1.ory          (same)
Creates \WinSecurity\winmem2.ory          (same)
Creates \WinSecurity\winmem3.ory          (same)
Creates \WinSecurity\socket1.ifo          (MIME-encoded copy of the worm)
Creates \WinSecurity\socket2.ifo          (same)
Creates \WinSecurity\socket3.ifo          (same)
Creates \WinSecurity\starter.run          (empty file)

Note that services.exe, smss.exe and csrss.exe are also the names of legitimate Windows system processes; the copies under \WinSecurity\ are the worm, the ones under \System32\ are not.

It also creates the following empty files under \System32\. Older Sober variants check for these files and refuse to run when they are present, so this variant locks out its predecessors on the infected machine:
Creates \System32\bbvmwxxf.hml
Creates \System32\langeinf.lin
Creates \System32\nonrunso.ber
Creates \System32\rubezahl.rub
Creates \System32\filesms.fms
Creates \System32\runstop.rst

Registry changes (one Run value per hive, so the worm starts for the current user and for every user):

Adds the value _Windows = \WinSecurity\services.exe under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds the value Windows  = \WinSecurity\services.exe under HKLM\Software\Microsoft\Windows\CurrentVersion\Run
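The file and registry artefacts listed above are enough to write a host-side indicator check. The following is an added example, not VirusFighter's removal tool; it classifies a file listing and a set of Run values against the artefact list, keys on the \WinSecurity\ parent directory so that the legitimate System32 services.exe, smss.exe and csrss.exe are not flagged, and separately reports the System32 marker files that lock out older variants. It assumes the WinSecurity directory lives directly under the Windows directory (%WINDIR%\WinSecurity). The live collector only does anything on Windows; the sample snapshot in the block is constructed.

```python
"""Host indicator check for W32/Sober.AA@mm built from the artefact list (added example)."""
import os
import sys

DROPPER_COPIES = ("services.exe", "smss.exe", "csrss.exe")
ADDRESS_STORES = ("mssock1.dli", "mssock2.dli", "mssock3.dli",
                  "winmem1.ory", "winmem2.ory", "winmem3.ory")
MIME_COPIES = ("socket1.ifo", "socket2.ifo", "socket3.ifo")
STARTER = ("starter.run",)
# Empty marker files in System32 that stop older Sober variants from running.
INOCULATION_MARKERS = ("bbvmwxxf.hml", "langeinf.lin", "nonrunso.ber",
                       "rubezahl.rub", "filesms.fms", "runstop.rst")
# (hive, value name) pairs the worm adds under ...\CurrentVersion\Run.
RUN_VALUES = {("HKCU", "_Windows"), ("HKLM", "Windows")}


def classify_files(paths):
    """Map each path (any separator, any case) to an indicator class, or skip it."""
    hits = []
    for p in paths:
        norm = p.replace("/", "\\").lower()
        parent, _, base = norm.rpartition("\\")
        if parent.endswith("\\winsecurity"):
            if base in DROPPER_COPIES:
                hits.append(("dropper", p))
            elif base in ADDRESS_STORES:
                hits.append(("address-store", p))
            elif base in MIME_COPIES:
                hits.append(("mime-copy", p))
            elif base in STARTER:
                hits.append(("starter", p))
        elif parent.endswith("\\system32") and base in INOCULATION_MARKERS:
            hits.append(("inoculation-marker", p))
    return hits


def classify_run_keys(entries):
    """entries: iterable of (hive, value_name, data). Flag the two Sober persistence values."""
    hits = []
    for hive, name, data in entries:
        if (hive.upper(), name) in RUN_VALUES and \
                data.replace("/", "\\").lower().endswith("\\winsecurity\\services.exe"):
            hits.append(("persistence", f"{hive}\\...\\Run\\{name} = {data}"))
    return hits


def assess(paths, run_entries):
    """Return (infected, hits). Only a dropper copy or a persistence value counts as infection;
    marker files alone may be left over from a cleaned machine."""
    hits = classify_files(paths) + classify_run_keys(run_entries)
    kinds = {kind for kind, _ in hits}
    return bool(kinds & {"dropper", "persistence"}), hits


def collect_live(windir=None):
    """Gather paths and Run values from the local Windows host; returns empty lists elsewhere."""
    if sys.platform != "win32":
        return [], []
    import winreg  # Windows-only module, imported lazily on purpose
    windir = windir or os.environ.get("WINDIR", r"C:\Windows")
    paths = []
    for sub in ("WinSecurity", "System32"):
        d = os.path.join(windir, sub)
        if os.path.isdir(d):
            paths.extend(os.path.join(d, f) for f in os.listdir(d))
    entries = []
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    for hive_name, hive in hives:
        try:
            with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:       # no more values
                        break
                    entries.append((hive_name, name, str(data)))
                    i += 1
        except OSError:                   # hive or key not readable
            pass
    return paths, entries


# Constructed sample snapshot of an infected host (not captured from a real machine).
SAMPLE_PATHS = [
    r"C:\WINDOWS\WinSecurity\services.exe",
    r"C:\WINDOWS\WinSecurity\mssock1.dli",
    r"C:\WINDOWS\System32\nonrunso.ber",
    r"C:\WINDOWS\System32\services.exe",   # legitimate, must not be flagged
]
SAMPLE_RUN = [
    ("HKCU", "_Windows", r"C:\WINDOWS\WinSecurity\services.exe"),
    ("HKLM", "Windows", r"C:\WINDOWS\WinSecurity\services.exe"),
    ("HKLM", "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]

if __name__ == "__main__":
    paths, run = collect_live() if sys.platform == "win32" else (SAMPLE_PATHS, SAMPLE_RUN)
    infected, hits = assess(paths, run)
    print("infected:", infected)
    for kind, detail in hits:
        print(f"  {kind:20} {detail}")
```

Run it on the live host only after the worm process has been stopped; the two Run values are what bring it back on the next logon, so remove them together with the \WinSecurity\ directory.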
