It is very similar to WORM_SOBER.AC in the sense that:
- it drops its file in the same location
- it uses the same filename (services.exe)
- it also terminates MRT.EXE (Microsoft’s Malware Removal Tool) and then displays this message box
- it also has emails in German
- it is packed with UPX
If I remember correctly, the previous WORM_SOBER.AC was also first spammed as a UPX-packed worm. Then emails started flooding our honeypot system with emails containing a dropper for WORM_SOBER.AC. First it was packed with FSG and then MEW.
Will this new WORM_SOBER variant follow the same path as WORM_SOBER.AC? We are currently on the lookout and will of course update this blog once the answer reveals itself. :)
This has already been passed to the service team.