Description

Visible Symptoms
- Compromised systems are slow to respond due to heavy outbound SMTP traffic.
- Creation of these files on the infected system (the Windows folder may be in a different path depending on the version of Windows and user preferences):
  c:\WINNT\WinSecurity\csrss.exe [55,390 bytes]
  c:\WINNT\WinSecurity\services.exe [55,390 bytes]
  c:\WINNT\WinSecurity\smss.exe [various]
Detailed Analysis
This variant of Sober is very similar to existing variants: it is coded in Visual Basic and contains instructions to spread to other systems by SMTP email. The emails arrive with body text purporting to come from the CIA, the FBI, the BKA and even the celebrities Paris Hilton and Nicole Richie.
Loading at Windows startup
When the threat is run manually, it copies itself to the local system in several places:
  c:\WINNT\WinSecurity\csrss.exe [55,390 bytes]
  c:\WINNT\WinSecurity\services.exe [55,390 bytes]
  c:\WINNT\WinSecurity\smss.exe [various]
The file "smss.exe" is a plain text file that the virus generates while it sweeps the infected computer for valid email addresses. Every address found is stored in this file, and the list is terminated by the word "Ende".
While the copy named "services.exe" is running, it creates these zero-byte files:
  c:\WINNT\system32\bbvmwxxf.hml
  c:\WINNT\system32\langeinf.lin
  c:\WINNT\system32\nonrunso.ber
  c:\WINNT\system32\rubezahl.rub
If the virus process is terminated, the files remain. The virus registers itself to load at Windows startup under this key (note the leading space in the value name):
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  " Windows" = C:\WINNT\WinSecurity\services.exe
The author chose the name "services.exe" deliberately, to confuse untrained users who try to terminate the virus manually by file name: every Windows computer already has a legitimate system file of that name running in memory by default.
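A host-side check for the indicators described in this section (the WinSecurity copies, the zero-byte marker files and the padded " Windows" Run value), added here as an example and not part of the original analysis. It runs over constructed sample data standing in for a live registry and file system; the sizes given for the legitimate files in the sample are made up.

```python
import ntpath

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Indicators from the analysis above. The Windows directory varies per
# install, so only the WinSecurity sub-folder and the file names are matched.
DROPPED_NAMES = {"csrss.exe", "services.exe", "smss.exe"}
MARKER_FILES = {"bbvmwxxf.hml", "langeinf.lin", "nonrunso.ber", "rubezahl.rub"}

def check_run_values(values):
    """values: {value_name: data} read from RUN_KEY. Returns (name, reason) hits."""
    hits = []
    for name, data in values.items():
        target = data.strip('"').lower()
        # The variant registers itself under " Windows" (note the leading
        # space), a name that sorts oddly in tools and is easy to overlook.
        if name != name.strip():
            hits.append((name, "value name padded with whitespace"))
        if "\\winsecurity\\" in target:
            hits.append((name, "autorun target in WinSecurity folder"))
        elif ntpath.basename(target) in DROPPED_NAMES:
            # Genuine csrss/services/smss are started by the OS from
            # system32, never through the Run key.
            hits.append((name, "system-process name started via Run key"))
    return hits

def check_files(listing):
    """listing: iterable of (path, size) pairs from a directory walk."""
    hits = []
    for path, size in listing:
        low = path.lower()
        base = ntpath.basename(low)
        if "\\winsecurity\\" in low and base in DROPPED_NAMES:
            hits.append((path, "dropped copy of the worm"))
        elif base in MARKER_FILES and size == 0:
            hits.append((path, "zero-byte marker file"))
    return hits

# Constructed sample data standing in for a live registry and file system.
SAMPLE_RUN = {" Windows": r"C:\WINNT\WinSecurity\services.exe",
              "Updater": r"C:\Program Files\Vendor\upd.exe"}
SAMPLE_FILES = [(r"C:\WINNT\WinSecurity\csrss.exe", 55390),
                (r"C:\WINNT\system32\csrss.exe", 6144),
                (r"C:\WINNT\system32\rubezahl.rub", 0),
                (r"C:\WINNT\system32\notepad.exe", 69120)]

if __name__ == "__main__":
    for hit in check_run_values(SAMPLE_RUN) + check_files(SAMPLE_FILES):
        print(*hit, sep="  ->  ")
```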
SMTP mass-mailing routine
The virus contains instructions to send a copy of itself to contacts found in files with certain extensions. Email addresses are harvested from files with these extensions:
def, pmr, phtm, stm, slk, inbox, imb, csv, bak, imh, xhtml, imm, imh, cms, nws,
vcf, ctl, dhtm, cgi, pp, ppt, msg, jsp, oft, vbs, uin, ldb, abc, pst, cfg, mdw,
mbx, mdx, mda, adp, nab, fdb, vap, dsp, ade, sln, dsw, mde, frm, bas, adr, cls,
ini, ldif, log, mdb, xml, wsh, tbb, abx, abd, adb, pl, rtf, mmf, doc, ods, nch,
xls, nsf, txt, wab, eml, hlp, mht, nfo, php, asp, shtml & dbx.
The virus constructs email messages in either German or English, depending on the domain of the target address: if the recipient is judged likely to read German, the message is composed in German, otherwise in English. These are some of the expected email formats:
Subject: Ermittlungsverfahren_wurde_eingeleitet
Body:
Sehr geehrte Dame, sehr geehrter Herr,
das Herunterladen von Filmen, Software und MP3s ist illegal und somit
strafbar.
Wir moechten Ihnen hiermit vorab mitteilen, dass Ihr Rechner unter der
IP 146.99.233.219 erfasst wurde. Der Inhalt Ihres Rechner wurde als
Beweismittel sichergestellt und es wird ein Ermittlungsverfahren gegen
Sie eingleitet.
Die Strafanzeige und die Moeglichkeit zur Stellungnahme wird Ihnen
in den naechsten Tagen schriftlich zugestellt.
Aktenzeichen NR.:#5628 (siehe Anhang)
Hochachtungsvoll
i.A. Juergen Stock
--- Bundeskriminalamt BKA
--- Referat LS 2
--- 65173 Wiesbaden
--- Tel.: +49 (0)611 - 55 - 12331 oder
--- Tel.: +49 (0)611 - 55 - 0
Attachment: file with .ZIP extension

Subject: SMTP Mail gescheitert
Body:
This is an automatically generated Delivery Status Notification.
SMTP_Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.
The full mail-text and header is attached!
Attachment: Email_Text.zip

From: Admin@fbi.gov
Subject: Your IP was logged
Body:
Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.
Important:
Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison
*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000
Attachment: list127.zip

From: Mail@cia.gov
Subject: Your IP was logged
Body:
Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.
Important:
Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison
++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505
++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time
Attachment: list.zip

From: Admin@{spoofed}
Subject: Paris Hilton & Nicole Richie
Body:
View Paris Hilton & Nicole Richie video clips , pictures & more
;) Download is free until Jan, 2006!
Please use our Download manager.
Attachment: downloadm.zip

From: {spoofed}
Subject: hi, ive a new mail address
Body:
hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not
sure!
plz read and check ...
cyaaaaaaa
Attachment: mailtext.zip
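A mail-gateway check against the lure templates above, added here as an example and not taken from the original analysis. It parses a constructed sample of the FBI lure with Python's standard email module and reports which indicators (known subject, spoofed sender, attachment name, body phrase) match; the base64 payload in the sample is a placeholder header, not the real attachment.

```python
import email
from email import policy

# Indicators lifted from the lure templates above.
LURE_SUBJECTS = {"Ermittlungsverfahren_wurde_eingeleitet", "SMTP Mail gescheitert",
                 "Your IP was logged", "Paris Hilton & Nicole Richie",
                 "hi, ive a new mail address"}
LURE_ATTACHMENTS = {"Email_Text.zip", "list127.zip", "list.zip",
                    "downloadm.zip", "mailtext.zip"}
SPOOFED_SENDERS = {"admin@fbi.gov", "mail@cia.gov"}
BODY_PHRASES = ("we have logged your ip-address", "ihr rechner unter der ip",
                "the full mail-text and header is attached")

# Constructed sample modelled on the FBI lure; the zip is a placeholder header.
SAMPLE = """\
From: Admin@fbi.gov
Subject: Your IP was logged
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

we have logged your IP-address on more than 30 illegal Websites.
--b1
Content-Type: application/zip; name="list127.zip"
Content-Disposition: attachment; filename="list127.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

def score_message(raw):
    """Return the indicators matched by one RFC 822 message (empty = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip()
    sender = str(msg["From"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append("subject: " + subject)
    if sender in SPOOFED_SENDERS:
        reasons.append("spoofed sender: " + sender)
    # Only the zip part is an attachment; the first text/plain part is the body.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name in LURE_ATTACHMENTS:
            reasons.append("attachment: " + name)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    reasons += ["body phrase: " + p for p in BODY_PHRASES if p in text]
    return reasons
```

A single matched subject or sender is weak evidence on its own; quarantining on a known attachment name combined with any second indicator keeps false positives low.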