Sober.T worm

Sober.T wormW32/Sober.Z.worm (Panda), W32/sober.T@MM (McAfee), W32.Sober.R@mm (Symantec), W32/sober.T@mm (F-Prot, Command), W32/Sober-P (Sophos), Win32.Sober.T@mm (BitDefender), I-Worm.Sober.V (VirusBuster)WormNovember 14, 2005Sober.T arrives in an email message that may be in either German or English language, depending on the recipient's domain. The English version appears as follows:

Subject: Thanks for your registration
Message body:Thanks for your registration!
We have received your payment.
Attachment: reg_text.zip (containing the file reg-list-dat_packer2.exe)The German language version arrives in email as follows:

Subject: Hi, Ich bin's
Message body: Hier ist die Liste die du haben wolltest.
Du solltest dich aber auch eintragen!
OK, bis dann
Attachment: Liste.zip (containing the file reg-list-dat_packer2.exe)

System Impact:
If the infected executable is run, Sober.T will create the following files:

C:\Windows\hjgerhds.exe
C:\Windows\ConnectionStatus\Microsoft\services.exe
C:\Windows\System32\gdfjgthv.cvq
C:\Windows\System32\langeinf.lin
C:\Windows\System32\nonrunso.ber
C:\Windows\System32\System32\rubezahl.rub
C:\Windows\System32\System32\runstop.rst

Note: The exact name of the Windows directory and System directory may vary depending on the operating system.

Sober.T modifies the HKCU and HKLM Registry Run keys in order to load when Windows is started:

'WinCheck =C:\Windows\ConnectionStatus\Microsoft\services.exe'

Removal Notes:
Use up-to-date antivirus software to identify the worm's files. Either allow the antivirus software to delete these files, or they can be manually deleted. If opting for manual deletion, be sure to also remove the registry modifications made by the worm.