A worm that spreads via email, usually in infected executable email file attachments.
Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
Email-Worm:W32/Sober.D was found in Germany on early morning of March 8th, 2004. Similar to previous Sober variants, it sends emails in both German and English. Sober.D pretends to be a MS update to remove the MyDoom worm. The worm spreads itself as an EXE attachment or inside a ZIP archive. The worm is written in Visual Basic. The worm's file is packed with a modified version of UPX file compressor. It has its own SMTP engine that it uses to send out infected email messages.Installation
If the worm's file is started on an already infected computer, the following messagebox is shown:
Please note that the file name in the messagebox's caption may vary depending on the worm's executable attachment name.
The worm copies itself to Windows System folder once, with a semi-randomly generated name and creates a startup key for this file in System Registry. The worm uses the following fixed text strings to generate the name of its file:
The worm creates a file named MSLOGS32.DLL, where it stores all email addresses harvested from an infected computer. The worm also creates 3 empty files in the same folder:
Additionally the worm creates 2 mime-encoded copies of its executable file and a ZIP archive in Windows System folder with the following names:
The worm creates several startup Registry keys its semi-randomly named file in System Registry:
The subkey name that is created by the worm is semi-randomly generated too. The value of a subkey is the path the worm's file in Windows System folder.Propagation (email) The worm scans files with certain extensions on all hard disks to harvest email addresses. Files with the following extensions are scanned:
The worm saves all found email addresses to MSLOGS32.DLL file located in Windows System folder. This is an ASCII file, not a binary file.
The worm sends email messages with German and English texts. When sending a message to an email address, that has domain suffix DE, CH, AT, LI, NL or BE as well as the email address contains '@GMX' substring, the worm uses German text strings, otherwise it composes a message in English.
Here's how the English email sent by the worm looks like:
Subject: Microsoft Alert: Please Read! Body:New MyDoom Virus Variant Detected! A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly throughthe Internet. Anti-virus vendor Central Command claims that 1 in 45 emails contains the MyDoom virus. The worm also has a backdoor Trojan capability. By default, the Trojan component listens on port 13468.Protection: Please download this digitally signed attachment. This Update includes the functionality of previously released patches. +++ c2004 Microsoft Corporation. All rights reserved. +++ One Microsoft Way, Redmond, Washington 98052 +++ Restricted Rights at 48 CFR 52.227-19
Here's how the German email sent by the worm looks like:
Subject: Microsoft Alarm: Bitte Lesen! Body:Neue Virus-Variante W32.Mydoom verbreitet sich schnell.Eine neue Mydoom-Variante verbreitet sich derzeit rasend schnell im Internet. Wie seine Vorganger verschickt sich der Wurm von infizierten Windows- Rechnern per email an weitere Adressen. Zudem installiert er auf infizierten Systemen einen gefahrlichen Trojaner! Fuhrende Virenspezialisten melden bereis ein vermehrtes Aufkommen des W32.Mydoom alias W32.Novarg.Bitte daten Sie Ihr System mit dem Patch ab, um sich vor diesem Schadling zu schutzen! +++ c2004 Microsoft Corporation. Alle Rechte vorbehalten. +++ Microsoft Deutschland GmbH, Konrad-Zuse-Strasse 1 +++ 85716 Unterschleissheim, HRB 70438, DE 129 415 943
The sender's address is faked. The sender's name can be one of the following:
The domain of the sender's name always has '@microsoft' string followed by '.DE' or '.AT' suffixes for German messages and by '.COM' suffix for English messages.
The worm sends itself as an attachment with EXE extension or inside a ZIP archive. The attachment name varies and can contain one of the following:
Additionally the attachment name can contain random numbers.
The worm avoids sending messages to email addresses containing one of the following: