Description
- May be received in a .zip file as "mail_packed_password.exe"

Visible Symptoms
- Compromised systems are slow to respond due to heavy SMTP outbound traffic
- Creation of these files on the infected system [note: the Windows folder
may be in a different path depending on the version of Windows and user preferences] -
c:\WINNT\ConnectionStatus\Microsoft\services.exe [129,600 bytes]
c:\WINNT\ConnectionStatus\Microsoft\concon.www [various]
Detailed Analysis
This dropper installs Sober.AC on the system, making the changes to the system
described below. The dropper may be found within a .ZIP file attachment, possibly
as an executable file named "mail_packed_password.exe".
This variant of Sober is very similar to existing variants in that it is coded
using Visual Basic, and contains instructions to spread to other systems using
SMTP email.
Loading at Windows startup
If the threat is run manually, it will copy itself to the local system in several
places -
c:\WINNT\ConnectionStatus\Microsoft\services.exe
[129,600 bytes]
c:\WINNT\ConnectionStatus\Microsoft\concon.www [various]
The file "concon.www" is a simple text file generated by the virus during its
scan and sweep of the infected computer for valid email addresses. Email
addresses found are stored in this file, and the list is terminated by the word
"Ende".
During execution of the virus named "services.exe", 0-byte (empty) files are
created with these file names -
c:\WINNT\system32\bbvmwxxf.hml
c:\WINNT\system32\gdfjgthv.cvq
c:\WINNT\system32\langeinf.lin
c:\WINNT\system32\nonrunso.ber
c:\WINNT\system32\rubezahl.rub
c:\WINNT\system32\runstop.rst
If the virus process is terminated, the files remain. The virus will register
itself to load at Windows startup (note the leading space in the value name) -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
" WinCheck" = C:\WINNT\ConnectionStatus\Microsoft\services.exe
The virus author specifically chose the name "services.exe" to confuse untrained
computer users who try to terminate the virus manually by file name: a
legitimate system file of the same name exists on every Windows computer and is
always running in memory. The legitimate copy lives in the Windows system32
folder, whereas the worm's copy sits under ConnectionStatus\Microsoft, so the
path, not the file name, is what distinguishes them.
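As an added example (not vendor tooling and not part of the original write-up), the following Python triage script checks a host for the persistence and file artifacts listed above. The indicator values are taken from the write-up; the Windows folder is read from SystemRoot at run time because the page notes it varies, and the check functions accept injectable lookups so they can also be run against a file listing or registry export from an offline image.

```python
"""Host triage for the Sober.AC persistence and file artifacts described above.

Added example, not vendor tooling. Indicator values (Run value name, dropped
file paths, empty marker files) come from the write-up; the Windows folder
is resolved at run time because the page notes it varies.
"""
import ntpath   # Windows path joining regardless of the platform this runs on
import os
import sys

# Run value registered by the worm. Note the LEADING SPACE in the name: an
# exact comparison must include it, and a trimmed comparison would miss it.
RUN_VALUE_NAME = " WinCheck"
RUN_KEY_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Paths relative to the Windows folder (c:\WINNT in the write-up).
DROPPED_FILES = (
    r"ConnectionStatus\Microsoft\services.exe",
    r"ConnectionStatus\Microsoft\concon.www",
)
# Zero-byte files created while services.exe runs; they remain after the
# process is killed, so they are a useful post-cleanup indicator.
MARKER_FILES = (
    r"system32\bbvmwxxf.hml",
    r"system32\gdfjgthv.cvq",
    r"system32\langeinf.lin",
    r"system32\nonrunso.ber",
    r"system32\rubezahl.rub",
    r"system32\runstop.rst",
)


def check_run_values(run_values):
    """Inspect a {value_name: value_data} mapping of the HKLM Run key.

    Flags the exact ' WinCheck' name, and any value whose data points at the
    worm's services.exe path (the legitimate services.exe lives in system32).
    """
    findings = []
    for name, data in run_values.items():
        data_l = str(data).strip('"').lower()
        if name == RUN_VALUE_NAME:
            findings.append(f"Run value {name!r} -> {data}")
        elif data_l.endswith(r"\connectionstatus\microsoft\services.exe"):
            findings.append(f"Run value {name!r} points at worm path {data}")
    return findings


def check_files(windir, exists=os.path.exists, getsize=os.path.getsize):
    """Return the indicator files present under *windir*.

    exists/getsize are injectable so the check can run against a listing
    taken from an offline image (or in a test) instead of the live host.
    """
    findings = []
    for rel in DROPPED_FILES:
        path = ntpath.join(windir, rel)
        if exists(path):
            findings.append(f"dropped file present: {path}")
    for rel in MARKER_FILES:
        path = ntpath.join(windir, rel)
        if exists(path):
            size = getsize(path)
            note = "" if size == 0 else f" (non-empty, {size} bytes: unexpected)"
            findings.append(f"marker file present: {path}{note}")
    return findings


def read_live_run_values():
    """Read HKLM Run values on Windows; return an empty mapping elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, Windows only
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:      # no more values
                break
            values[name] = data
            index += 1
    return values


def main():
    windir = os.environ.get("SystemRoot", r"C:\WINNT")
    findings = check_run_values(read_live_run_values()) + check_files(windir)
    for line in findings or ["no Sober.AC indicators found"]:
        print(line)


if __name__ == "__main__":
    main()
```

Run it as an administrator on the suspect host, or call `check_files` with an `exists` callback backed by a file listing from a mounted image. Matching on the ConnectionStatus\Microsoft path rather than only the value name also catches a Run entry that was renamed but still launches the worm's copy.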
SMTP mass-mailing routine
The virus has instructions to send a copy of itself to contacts found in files
of certain extensions. Email addresses are sampled from files having these extensions
-
def, pmr, phtm, stm, slk, inbox, imb, csv, bak, imh, xhtml, imm, imh, cms, nws,
vcf, ctl, dhtm, cgi, pp, ppt, msg, jsp, oft, vbs, uin, ldb, abc, pst, cfg, mdw,
mbx, mdx, mda, adp, nab, fdb, vap, dsp, ade, sln, dsw, mde, frm, bas, adr, cls,
ini, ldif, log, mdb, xml, wsh, tbb, abx, abd, adb, pl, rtf, mmf, doc, ods, nch,
xls, nsf, txt, wab, eml, hlp, mht, nfo, php, asp, shtml & dbx.
The virus stores email addresses found into the file "concon.www".
This file is a simple text terminated by the word "Ende".
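During incident response, the recovered "concon.www" tells you which addresses the infected host targeted. The parser below is an added example, not from the write-up, and assumes one address per line with the list terminated by a line containing only "Ende" (the page gives the terminator but not the per-line layout). The sample content is constructed, not real harvested data.

```python
"""Parser for the worm's harvested-address file (concon.www).

Added example, not from the write-up. Format assumption: one address per
line, terminated by a line containing only "Ende". Useful in incident
response to learn which addresses the infected host targeted.
"""
import re
from collections import Counter

TERMINATOR = "Ende"
# Deliberately loose pattern: the worm scrapes strings from arbitrary files,
# so we only want "something@host.tld" shape, not full RFC 5322 validity.
ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


def parse_harvest_file(text):
    """Return (addresses, rejected) from concon.www contents.

    addresses: unique addresses in first-seen order, lower-cased, read only
    up to the "Ende" terminator; anything after it is ignored.
    rejected: non-blank lines before the terminator that are not addresses.
    """
    seen = set()
    addresses, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == TERMINATOR:
            break
        if not line:
            continue
        if ADDRESS_RE.match(line):
            addr = line.lower()
            if addr not in seen:
                seen.add(addr)
                addresses.append(addr)
        else:
            rejected.append(line)
    return addresses, rejected


def domains_by_count(addresses):
    """Count targeted recipients per domain, most common first."""
    return Counter(a.rsplit("@", 1)[1] for a in addresses).most_common()


# Constructed sample standing in for a recovered concon.www (not real data).
SAMPLE = """alice@example.com
Bob@Example.com
not an address
carol@example.org
alice@example.com
Ende
dave@example.net
"""

if __name__ == "__main__":
    addrs, junk = parse_harvest_file(SAMPLE)
    print(f"{len(addrs)} unique addresses harvested, {len(junk)} junk lines")
    for domain, count in domains_by_count(addrs):
        print(f"  {domain}: {count}")
```

The per-domain summary is what you need for notifying affected parties and for scoping which external domains received the worm's lure messages from this host.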
The virus will construct one of two possible messages, either in German or
English, depending on the target email address domain. If it is determined the
address is a potentially German-reading recipient, the email is composed in
German text, otherwise English. These are the two message formats -
German message:
Subject: Betr: Passwort & Account Daten
Body:
Ihre Account bzw. Passwort aenderung wurde nun vorgenommen.
Ihre neuen Zugangsdaten befinden sich Ge-Packt & Gesichert
im Anhang!
AutoMailSystem: #HF011BACC091F
Attachment: auto-mail_Daten.zip

English message:
Subject: Password Confirmation
Body:
Your password has been changed successfully!
Your new password is packed and safe in the attachment
Auto-MailSystem: #B20F3A7299A1000FC2
Attachment: packed-password_text.zip