Virus Sober
Sober is a mass-mailing worm.
The worm copies itself to the %System% folder under a random name.
Note: %System% is a variable. The worm locates the System folder and copies itself to that location.
By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
It creates a registry value so that it is executed at system boot:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[generated string] = C:\WINNT\System32\[generated string].exe
The virus scans files on the system for email addresses and mails itself to the collected addresses as an email attachment.
The virus drops the following files:
%System%\zmndpgwf.kxx
%System%\zhcarxxi.vvx
%System%\bcegfds.lll
%System%\syst32win.dll
%System%\winsys32xx.zzp
%System%\winhex32xx.wrm
%System%\spoofed_recips.ocx
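As an added defensive example (not part of the original description), the following Python check applies the two indicators above, the Run value whose name matches the executable it launches from the System folder and the list of dropped file names, to constructed sample data. Reading the live registry key and directory listing is left to the caller; the sample entries and paths below are constructed for illustration.

```python
import ntpath

# Dropped file names taken from the description above (lower-cased for matching).
SOBER_DROPPED_FILES = {
    "zmndpgwf.kxx", "zhcarxxi.vvx", "bcegfds.lll", "syst32win.dll",
    "winsys32xx.zzp", "winhex32xx.wrm", "spoofed_recips.ocx",
}

# Default System folders listed in the description, lower-cased.
SYSTEM_DIRS = {r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32"}


def suspicious_run_entries(run_values):
    """run_values: list of (value_name, data) pairs read from the Run key.

    Flags the shape given in the description: the value name equals the base
    name of the executable it launches, and that executable sits directly in
    the System folder. Legitimate entries such as ctfmon.exe use the full file
    name as the value name, so they are not matched by this rule.
    """
    hits = []
    for name, data in run_values:
        exe = data.strip().strip('"').split('"')[0]   # drop quoting and arguments
        directory, base = ntpath.split(exe)
        if directory.lower() in SYSTEM_DIRS and base.lower() == name.lower() + ".exe":
            hits.append((name, data))
    return hits


def dropped_file_hits(paths):
    """Return the paths whose file name is one of the dropped-file names."""
    return sorted(p for p in paths if ntpath.basename(p).lower() in SOBER_DROPPED_FILES)


def assess(run_values, paths):
    """Combine both indicators into one report for the host."""
    return {"run": suspicious_run_entries(run_values), "files": dropped_file_hits(paths)}


# Constructed sample data (hypothetical host); "qmxdvbk" stands in for the generated string.
SAMPLE_RUN = [
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("qmxdvbk", r"C:\WINNT\System32\qmxdvbk.exe"),
    ("Updater", r'"C:\Program Files\Vendor\updater.exe" /silent'),
]
SAMPLE_FILES = [
    r"C:\WINNT\System32\zmndpgwf.kxx",
    r"C:\WINNT\System32\kernel32.dll",
    r"C:\WINNT\System32\spoofed_recips.ocx",
]

if __name__ == "__main__":
    print(assess(SAMPLE_RUN, SAMPLE_FILES))
```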
If the system is not connected to the Internet, Sober attempts to connect using any available dial-up connection and may display the following dialog box:
Microsoft Windows
STOP: 0x80070725 {FatalSystemError}
System File [filename].exe
Connection lost or blocked by Firewall
© Copyright 2000-2008 AnVir Software. All Rights Reserved.