Description
This is a detection for a mass-mailing worm. Worms and viruses are programs that self-replicate recursively: an infected system spreads the code to other systems, which in turn propagate it further. While many such programs carry a destructive payload, it is quite common for them to do nothing more than spread from one system to another.
Indication of Infection
Existence of the following files on the victim machine:
- %SysDir%\bcegfds.lll (0 bytes)
- %SysDir%\cvqaikxt.apk (0 bytes)
- %SysDir%\datsobex.wwr (0 bytes)
- %SysDir%\wincheck32.dats (size varies) - harvested email addresses
- %SysDir%\winexpoder.dats (size varies) - local parts of the harvested email addresses, each followed by the @ sign (for name@domain.com the file holds name@)
- %SysDir%\winzweier.dats (size varies) - harvested email addresses
- %SysDir%\xdatxzap.zxp (0 bytes)
- %SysDir%\zhcarxxi.vvx (0 bytes)
The worm is intended to copy itself to the %SysDir% folder (e.g. C:\WINNT\SYSTEM32) under a filename built by concatenating strings from the following pool:
- sys
- host
- dir
- explorer
- win
- run
- log
- 32
- disc
- crypt
- data
- diag
- spool
- service
- smss32
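The following host check is an added example written for this page; it is not McAfee's tooling or any code from the worm. It looks in a directory for the marker and harvest files listed above and flags executables whose name can be tiled entirely from the string pool. The executable extension list is an assumption (the page does not say which extension the dropped copy uses), and the sample directory the script builds when run outside Windows is constructed for the demonstration.

```python
"""Host check for the on-disk indicators listed above (added example, not
McAfee's own tooling)."""
import os
import tempfile
from pathlib import Path

# Files the profile lists under %SysDir%, with the role the page gives them.
MARKER_FILES = {
    "bcegfds.lll": "0-byte marker",
    "cvqaikxt.apk": "0-byte marker",
    "datsobex.wwr": "0-byte marker",
    "wincheck32.dats": "harvested email addresses",
    "winexpoder.dats": "recipient names (name@) of harvested addresses",
    "winzweier.dats": "harvested email addresses",
    "xdatxzap.zxp": "0-byte marker",
    "zhcarxxi.vvx": "0-byte marker",
}

# String pool the worm draws on when naming its dropped copy.
STRING_POOL = ("sys", "host", "dir", "explorer", "win", "run", "log", "32",
               "disc", "crypt", "data", "diag", "spool", "service", "smss32")

# Assumption: the dropped copy carries an executable extension; the page does
# not state which, so this list is ours, not the profile's.
EXEC_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd"}


def is_pool_name(stem, pool=STRING_POOL):
    """True if stem can be tiled left-to-right entirely from pool strings.

    Word-break dynamic programme: reachable[i] means stem[:i] is a valid
    concatenation of pool strings, so reachable[len(stem)] is the answer.
    """
    stem = stem.lower()
    n = len(stem)
    reachable = [False] * (n + 1)
    reachable[0] = True
    for i in range(n):
        if not reachable[i]:
            continue
        for tok in pool:
            if stem.startswith(tok, i):
                reachable[i + len(tok)] = True
    return n > 0 and reachable[n]


def scan_sysdir(sysdir):
    """Return marker files found and executables whose names fit the pool."""
    sysdir = Path(sysdir)
    findings = {"markers": [], "pool_names": []}
    for entry in sorted(sysdir.iterdir()):
        if not entry.is_file():
            continue
        name = entry.name.lower()
        if name in MARKER_FILES:
            findings["markers"].append(
                (name, entry.stat().st_size, MARKER_FILES[name]))
        elif entry.suffix.lower() in EXEC_EXTENSIONS and is_pool_name(entry.stem):
            findings["pool_names"].append(name)
    return findings


def verdict(findings):
    """Marker files are the strong signal; a pool-style name alone is weak,
    because legitimate names such as syslog.exe also tile from the pool."""
    if findings["markers"]:
        return "infected"
    if findings["pool_names"]:
        return "suspicious"
    return "clean"


def build_sample_dir():
    """Constructed test tree (not a real capture): two markers, one dropped
    copy with a pool-built name, and two legitimate-looking neighbours."""
    d = Path(tempfile.mkdtemp(prefix="sober_demo_"))
    (d / "bcegfds.lll").write_bytes(b"")
    (d / "wincheck32.dats").write_text("alice@example.com\nbob@example.org\n")
    (d / "winlog32.exe").write_bytes(b"MZ")
    (d / "spoolsv.exe").write_bytes(b"MZ")   # spool + "sv": not a pool name
    (d / "kernel32.dll").write_bytes(b"MZ")  # neither pool name nor exec ext
    return d


if __name__ == "__main__":
    # On Windows check %SystemRoot%\system32; elsewhere use the constructed tree.
    target = Path(os.environ.get("SystemRoot", "")) / "system32"
    if not target.is_dir():
        target = build_sample_dir()
    result = scan_sysdir(target)
    for name, size, role in result["markers"]:
        print(f"marker  {name} ({size} bytes): {role}")
    for name in result["pool_names"]:
        print(f"name    {name}: built from string pool")
    print("verdict:", verdict(result))
```

The two signals are deliberately weighted differently: the marker filenames are fixed and specific to this worm, whereas the name pool produces plenty of collisions with ordinary software, so a pool-built name should only raise the host for closer inspection unless a marker or harvest file is also present.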
Methods of Infection
This worm is intended to spread by sending itself to email addresses found on the local system. Users must choose to run the attached files in order to become infected.
Aliases
I-Worm.Sober.g (AVP), W32/Sober.G.worm (Panda), WORM_SOBER.G (Trend)