by Panda Software
This week's report looks at five new variants of the Sober worm, AC, AD, AE, AF and AG, all of which appeared this week.
One notable feature of these variants is that their creator(s) have distributed them in a host of different compressed formats in order to impede detection by traditional antivirus solutions, which need a specific vaccine (signature) to detect each format.
The AC, AD, AE, AF and AG variants of Sober are all similar to each other. The characteristics they share include:
- Spreading via email in messages with variable characteristics that contain a compressed file.
- The email texts are in German if the domain extension of the target address is .de (Germany), .ch (Switzerland), .at (Austria) or .li (Liechtenstein). If the address has none of these extensions, the texts are in English.
- The file attached to these messages is a copy of the worm itself.
When the attachment is run, the corresponding variant of Sober installs itself on the computer and takes a series of actions, including:
* Creating the file SERVICES.EXE (a copy of the worm) in the CONNECTIONSTATUS\MICROSOFT subfolder of the Windows directory.
* Generating several Windows registry entries to ensure it is run when the system starts up.
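The two host indicators above (the dropped SERVICES.EXE and the startup registry entries) can be checked directly on a Windows machine. The following PowerShell script is an added example, not code from the Panda Software report. It assumes the standard Run and RunOnce keys under HKLM and HKCU as the autorun locations, since the report does not name the specific registry entries the worm writes; it therefore scans those keys for any value whose command line points at the drop path, and also flags a running services.exe that was launched from that folder rather than from System32.

```powershell
# Added example (not part of the original report): look for the Sober AC-AG
# file drop and autorun indicators on the local host.
# Assumption: the Run/RunOnce keys below are the autorun locations to inspect;
# the report itself does not name the exact registry values.

$dropPath = Join-Path $env:windir 'ConnectionStatus\Microsoft\services.exe'

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

# 1. The dropped file: the report names this path; the legitimate services.exe
#    lives in System32, so a copy under ConnectionStatus\Microsoft is suspicious.
if (Test-Path -LiteralPath $dropPath) {
    $item = Get-Item -LiteralPath $dropPath
    $findings += [pscustomobject]@{
        Indicator = 'File'
        Location  = $dropPath
        Detail    = 'size={0} bytes, modified={1}' -f $item.Length, $item.LastWriteTime
    }
}

# 2. Autorun registry values whose command line references the drop path.
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ("$($p.Value)" -match 'ConnectionStatus\\Microsoft\\services\.exe') {
            $findings += [pscustomobject]@{
                Indicator = 'Registry'
                Location  = "$key\$($p.Name)"
                Detail    = $p.Value
            }
        }
    }
}

# 3. A running process named services that was started from the drop folder.
Get-Process -Name services -ErrorAction SilentlyContinue | ForEach-Object {
    $exe = $null
    try { $exe = $_.Path } catch { }   # Path can be unreadable for protected processes
    if ($exe -and ($exe -ieq $dropPath)) {
        $findings += [pscustomobject]@{
            Indicator = 'Process'
            Location  = $exe
            Detail    = "PID $($_.Id)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Sober AC-AG file or autorun indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run the script from an elevated PowerShell session so that the HKLM keys and the process paths are readable; a hit on the file or registry indicator is a reason to isolate the machine and run a full scan with an updated antivirus product rather than to delete the entries by hand, since the report notes the worm writes several such entries.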