6/14: Sober-H Emails Messages in German
June 14, 2004

Troj/Sober-H emails messages in German to addresses found in files on the hard disk. The Trojan searches for email addresses in files whose names contain the following strings:

pmr stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

The Trojan stores email addresses in the Windows system folder in the files llsapwin32.dats and mswn32sock.dats. Troj/Sober-H does not send mail to any address that contains certain strings. View them and other information at Sophos page.