Weekly Report on Viruses and Intruders – Sober Worm AC, AD, AE, AF and AG variants

The AC, AD, AE, AF and AG variants of Sober are all similar to each other. The characteristics they share include:

– Spreading via email in messages with variable characteristics that contain a compressed file.

– The email texts are in German if the domain extension of the target address is: de (Germany), ch (Switzerland), at (Austria) o li (Lichtenstein). If the address does not have any of these extensions, the texts will be in English.

– The file attached to these messages is actually a copy of these worms. For this reason, when the file is run, the corresponding variant of Sober is installed on the computer and takes a series of actions including:

* Creating the file SERVICES.EXE -a copy of the worm-, in the subfolder CONNECTIONSTATUS\MICROSOFT of the Windows directory.

* Generating several Windows registry entries, to ensure it is run when the system starts up.