Win32.Sober.SAD Removal Tool

A useful tool that removes the Sober virus infection from software.

Win32.Sober.SAD Removal Tool Ranking & Summary

  • License: Freeware
  • Publisher Name: BitDefender LLC
  • File Size: 38KB

Win32.Sober.SAD Removal Tool Description

The virus creates the folder WinSecurity in the %WINDIR% folder and drops the above files into it. It then executes the executable it just dropped, %WINDIR%\WinSecurity\services.exe, followed by %WINDIR%\WinSecurity\smss.exe and finally %WINDIR%\WinSecurity\crss.exe. Each of these processes plays a specific role:

crss.exe checks whether the registry key HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENT VERSION\RUN\ Windows = C:\WINNT\WinSecurity\services.exe has been deleted and rewrites it if this is the case.

services.exe starts searching the victim's folders for files containing e-mail addresses to which to propagate. Files with the following extensions are scanned: stm slk inbox imb csv bak imh x html imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda ade sln dsw mde frm bas adr clsxls nsf txt wab eml hlp mht nfo, etc.

It creates the registry key HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENT VERSION\RUN\ Windows = C:\WINNT\WinSecurity\services.exe in order to ensure it will be run at every OS startup. If this key is deleted from the registry while the virus is running in memory, it will try to put it back, using a dedicated thread for this job.

The virus tries to download a file from the Internet and run it: http://home.pages.at/.../S??.exe

The worm implements its own SMTP engine for spreading via e-mail. The virus also spoofs the sender's domain, so messages appear to originate from one of the following domains: microsoft.com, BigFoot.com, yahoo.com, t-online.de, Google.com, hotmail.com, mx1.mail.yahoo, mxbw.bluewin.ch, etc.

The virus then searches the list of active processes for process names from the list below (Microsoftanti, gcas, gcip, hijack, etc.) and tries to kill them.

On Windows XP, the virus also tries to patch the tcpip.sys driver to allow it to open a virtually unlimited number of connections from the victim's computer.
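As an added defender-side example (not part of this page or of BitDefender's tool), the following Python flags Run-key values and running processes that match the persistence entry and drop location described above. The sample entries are constructed, and accepting C:\WINDOWS as well as C:\WINNT for %WINDIR% is an assumption.

```python
import re

# Constructed sample Run-key entries (value name, data), as a defender might
# export them from HKLM\...\Run. Not captured from a real infection.
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"C:\WINDOWS\system32\SecurityHealthSystray.exe"),
    ("Windows", r"C:\WINNT\WinSecurity\services.exe"),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]

# Constructed sample process list (image name, full path). The genuine
# smss.exe lives in system32; the WinSecurity copies mimic system names.
SAMPLE_PROCESSES = [
    ("smss.exe", r"C:\WINDOWS\system32\smss.exe"),
    ("smss.exe", r"C:\WINNT\WinSecurity\smss.exe"),
    ("crss.exe", r"C:\WINNT\WinSecurity\crss.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
]

# Binaries the worm drops into %WINDIR%\WinSecurity, per the description.
DROPPED_NAMES = {"services.exe", "smss.exe", "crss.exe"}

# A file directly inside a WinSecurity folder under the Windows directory.
# Assumption: %WINDIR% is C:\WINNT or C:\WINDOWS (case-insensitive).
WINSECURITY_RE = re.compile(r"(?i)\\(WINNT|WINDOWS)\\WinSecurity\\([^\\\s\"]+)$")


def is_sober_path(path):
    """True if the path points at one of the dropped names in WinSecurity."""
    m = WINSECURITY_RE.search(path.strip().strip('"'))
    return bool(m) and m.group(2).lower() in DROPPED_NAMES


def find_sober_persistence(entries):
    """Return Run-key (name, data) pairs whose data is a Sober drop path."""
    return [(name, data) for name, data in entries if is_sober_path(data)]


def suspicious_processes(procs):
    """Return (name, path) pairs for processes running from WinSecurity."""
    return [(name, path) for name, path in procs if is_sober_path(path)]


if __name__ == "__main__":
    for hit in find_sober_persistence(SAMPLE_RUN_ENTRIES):
        print("persistence:", hit)
    for hit in suspicious_processes(SAMPLE_PROCESSES):
        print("process:", hit)
```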
