Sober.R worm

Sober.R wormCME-151, W32/Sober.Y.worm (Panda), W32/Sober.r@MM (McAfee), W32.Sober.Q@mm (Symantec), W32/Sober.R@mm (F-Prot, Command), W32/Sober-O (Sophos), Win32.Sober.S@mm (BitDefender), I-Worm.Sober.U (VirusBuster)WormOctober 05, 2005Sober.R arrives in an email message that may be in either German or English language, depending on the recipient's domain. The Sober.R email carries an attachment with one of the following names:

KlassenFoto.zip
pword_change.zip
screen_photo.zip
privat-photo.zip

The zip file contains an executable named either 'PW_Klass.Pic.packed-bitmap.exe' or 'Screen_Photo.jpeg-graphic1.exe'.

If the infected executable is run, Sober.R will create the following files:

%windir%\ConnectionStatus\netslot.nst
%windir%\ConnectionStatus\services.exe
%windir%\ConnectionStatus\socket.dli
%windir%\system32\bbvmwxxf.hml
%windir%\system32\gdfjgthv.cvq
%windir%\system32\langeinf.lin
%windir%\system32\nonrunso.ber
%windir%\system32\rubezahl.rub
%windir%\system32\seppelmx.smx

Note: %windir% signifies the location of the Windows directory, the exact name of which may vary depending on the operating system.

Sober.R modifies the HKCU and HKLM Registry Run keys in order to load when Windows is started:

'WinINet" =C:\WINDOWS\ConnectionStatus\services.exe'

Use up-to-date antivirus software to identify the worm's files. Either allow the antivirus software to delete these files, or they can be manually deleted. If opting for manual deletion, be sure to also remove the registry modifications made by the worm.

Sober.R terminates processes named Stinger, the name of a popular free utility from McAfee that helps ferret out some of today's more common or persistent viruses. To workaround this, make sure you rename Stinger.exe to prevent this or run Stinger in Safe Mode so the worm will not be active.