Email-Worm.Win32.Sober.c
Infected messages can have various subjects, bodies and attachment names. The worm file can have any of the following extensions:
- bat
- cmd
- pif
- scr
- exe
- com
Example of an infected e-mail message:
- Subject:
why me?
- Body:
You say in the www. that i'm a terrorist!!! No way out for you. I REPORT YOU ! You've said THAT about me
- Attachment name:
terror-list.com
The worm activates from an infected message only if the user runs the attachment.
The worm places three copies of itself (with random names) in the Windows system folder and creates auto-run keys in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"(random name)" = "%System%\(worm_copy_name.exe)"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"(random name)" = "%System%\(worm_copy_name.exe)"
After installation completes, the worm displays a fake error message on the screen.
The worm searches the disk for files with the following extensions:
- htt
- rtf
- doc
- xls
- ini
- mdb
- txt
- htm
- html
- wab
- pst
- fdb
- cfg
- ldb
- eml
- abc
- ldif
- nab
- adp
- mdw
- mda
- mde
- ade
- sln
- dsw
- dsp
- vap
- php
- asp
- shtml
- shtm
and scans them for e-mail addresses, to which the infected messages will be sent. The malware uses its own SMTP engine.
Sample subjects of infected messages:
Sorry, that's your mail
hi, its me
Thank You very very much
you are an idiot
why me?
I hate you
Preliminary investigation were started
Your IP was logged
You use illegal File Sharing ...
A Trojan horse is on your PC
a trojan is on your computer!
Anime, Pokemon, Manga, ...
Registration confirmation
registration confirmation
The message body is chosen from the following options:
i'm very very sorry, anybody have sent your mail to my address.
sorry for my bad english, I am a Swede!
excuse for my bad english, but I'm a Dutchman
I've got your mail, but its came on my mail address??? i've read this mail ,,, sorry about that excuse for my bad english, but I'm a Dutchman I don't know how to start this! I'm dull,, can you test!? Here, the DigiCam photos. A few are overexposed. That you've killed this bastard. Your reward: That you have paid for me! And that's your
Caution: To all gamers A new worm spread via online gaming! You must change your internet configuration!! see: www.onlinegamerspro-worm.com set_config.
Attention: To all gamers More than 75.000 freeware games!!! Genre: -> 8500 online games = 3D Shooter, RPG, Action, Adventure, ... non online games: -> Action = 4200 games -> 3D Shooter's = 7500 games -> RPG's = 6800 games -> Adventure's = 5400 games -> ROM's for NES, SNES, PS1&2, GC ,GB, MD, SMS, .. = 29.000 ROM's - others = 16900 games all free!! Download and enjoy downloader.exe www.freegames4you-gzone.com I-Worm.Sober
You say in the www. that i'm a terrorist!!! No way out for you. I REPORT YOU ! You've said THAT about me
Thanks for your registration. ( We say Sorry again, the first mail was delivered to an unknown mail address. This was a bug in our mailing system! ) The amount of 239.- USD was deducted by your xxx Welcome, you can now visit more than 1200 very very hot web pages! Your registration, pages and passwords are xxx in the attachment.
I said, I love you..,, and you said NOTHING. And now,,, Go Away From Me Here are my love-letter((s)) mock me mock me again and again . Enjoy it. blablabla GO!
You get the charge in writing, in the next days. In the next days you will receive the charge in writing. In the next days, you'll get the charge in writing. In the next days, you'll get the charge in writing.
Ladies and Gentlemen, Downloading of Movies, MP3s and Software is illegal and punishable by law. We hereby inform you that your computer was scanned under the IP xxx. The contents of your computer were confiscated as an evidence, and you will be indicated. In the next days, you'll get the charge in writing. In the Reference code: #xxx, are all files, that we found on your computer. The sender address of this mail was masked, xxx- You get more detailed information by the Federal Bureau of Investigation -FBI-- Department for Illegal Internet Downloads, Room 7350 - 935 Pennsylvania Avenue - Washington, DC 20535, USA - (202) 324-3000
In the next days, you'll get the charge in writing.
The attachment name is generated randomly.
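Because subjects, bodies and attachment names all vary, the extension list at the top of this description is the one stable attribute a mail filter can check. The Python sketch below is an added example, not part of the original description; the function names and the sample message are constructed for illustration.

```python
import email
from email import policy

# Extensions this description lists for the worm's attachment.
WORM_EXTENSIONS = {"bat", "cmd", "pif", "scr", "exe", "com"}


def has_listed_extension(filename: str) -> bool:
    """True if the file's final extension is on the list above."""
    # Windows ignores trailing dots and spaces in a file name, so
    # "photo.scr. " still runs as a .scr file: strip them first.
    cleaned = filename.strip().rstrip(". ").lower()
    if "." not in cleaned:
        return False  # no extension at all, e.g. a file named "com"
    # Only the last extension decides how the file is executed,
    # which also covers double extensions such as "report.doc.pif".
    return cleaned.rpartition(".")[2] in WORM_EXTENSIONS


def risky_attachments(raw_message: bytes) -> list[str]:
    """Return the names of attachments that carry a listed extension."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = (part.get_filename() for part in msg.walk())
    return [n for n in names if n and has_listed_extension(n)]


# Constructed sample modelled on the example message in this description.
SAMPLE = b"\r\n".join([
    b"From: sender@example.invalid",
    b"To: recipient@example.invalid",
    b"Subject: why me?",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/plain",
    b"",
    b"You say in the www. that i'm a terrorist!!!",
    b"--b1",
    b"Content-Type: application/octet-stream",
    b'Content-Disposition: attachment; filename="terror-list.com"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"AAAA",
    b"--b1--",
    b"",
])

if __name__ == "__main__":
    print(risky_attachments(SAMPLE))
```

The attachment name `terror-list.com` reads like a web address, but its final extension is `com`, so the check flags it.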