Aliases: Email-Worm.Win32.Sober.k [KAV], W32/Sober-K [Sophos], W32/Sober.K@mm, W32/Sober.l@MM [McAfee], W32/Sober.M@mm [F-Prot], WORM_SOBER.K [Trend]
Detection Availability
Visible Symptoms
Detailed Analysis

This 32-bit mass-mailing virus sends itself to email addresses harvested from the infected system. The emails it creates carry spoofed sender information and body text crafted to entice the recipient into opening the attachment. Opening the attachment runs the virus, which then starts another cycle of mailing itself to others. Attachments are likely to have either a .PIF or a .ZIP file extension.

The virus creates a new folder under the Windows folder named "msagent\win32" and copies itself to this location under three file names:

csrss.exe
winlogon.exe
smss.exe

Loading at Windows Startup

The virus registers itself to run at each Windows startup under both of these keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
winsystem.sys = C:\Winnt\msagent\win32\smss.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
winsystem.sys = C:\Winnt\msagent\win32\smss.exe

Country-code Targeting Technique

This variant reuses a trick from previous variants to match the language of its emails to recipients who are likely to speak it. During the email harvesting routine the virus checks the suffix of each address and, based on the country code it finds there, selects the subject line and body text from a language-specific table. Addresses found on the infected system with one of these four suffixes - .de, .ch, .at or .li - may receive an email with one of these subject lines:

Ihr Passwort wurde geaendert
Ihr neues Passwort
EMail-Empfang fehlgeschlagen
Paris Hilton Nackt!
Paris Hilton SexVideos
Seitensprung gesucht?
Vorsicht! Neuer Sober Wurm!

All other email addresses receive a message with English text. These are some of the subject lines used for the English messages:

Your new Password
Mail_delivery_failed
Paris Hilton, pure!
Alert! New Sober Worm!
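Mail-gateway triage for the lures described above, as an added example that is not part of the original advisory. The subject strings, recipient suffixes and attachment extensions are taken from this writeup; the sample message and the function names are constructed for illustration.

```python
# Added example (not the advisory's code): gateway triage of inbound mail against
# the Sober.K lures above. Subject strings, suffixes and extensions come from the
# writeup; the sample message and function names are constructed.
import email
import os
from email import policy

SOBER_K_SUBJECTS = {
    # German table, chosen for addresses ending in .de/.ch/.at/.li
    "Ihr Passwort wurde geaendert", "Ihr neues Passwort",
    "EMail-Empfang fehlgeschlagen", "Paris Hilton Nackt!",
    "Paris Hilton SexVideos", "Seitensprung gesucht?",
    "Vorsicht! Neuer Sober Wurm!",
    # English table, chosen for every other address
    "Your new Password", "Mail_delivery_failed",
    "Paris Hilton, pure!", "Alert! New Sober Worm!",
}
_SUBJECTS_FOLDED = {s.casefold() for s in SOBER_K_SUBJECTS}
LURE_EXTENSIONS = {".pif", ".zip"}
TARGETED_SUFFIXES = (".de", ".ch", ".at", ".li")

def expected_language(recipient: str) -> str:
    """Which subject table the worm's country-code routine would pick."""
    return "de" if recipient.strip().lower().endswith(TARGETED_SUFFIXES) else "en"

def triage(raw: bytes) -> dict:
    """Flag a message that pairs a known Sober.K subject with a lure attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    lures = [
        part.get_filename() for part in msg.iter_attachments()
        if part.get_filename()
        and os.path.splitext(part.get_filename())[1].lower() in LURE_EXTENSIONS
    ]
    subject_hit = subject.casefold() in _SUBJECTS_FOLDED
    # Either signal alone is weak (legitimate mail carries .zip files too);
    # the combination is the pattern the advisory describes.
    verdict = "quarantine" if subject_hit and lures else "pass"
    return {"subject_hit": subject_hit, "lure_attachments": lures, "verdict": verdict}

# Constructed sample in the shape of a German-language Sober.K lure.
SAMPLE = (
    b"From: service@example.de\r\nTo: user@example.de\r\n"
    b"Subject: Ihr neues Passwort\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
    b"--XX\r\nContent-Type: text/plain\r\n\r\nSiehe Anhang.\r\n"
    b'--XX\r\nContent-Type: application/octet-stream; name="passwort.zip"\r\n'
    b'Content-Disposition: attachment; filename="passwort.zip"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nUEsDBA==\r\n--XX--\r\n"
)
```

Running triage(SAMPLE) returns a "quarantine" verdict with "passwort.zip" listed as the lure attachment.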
Email Address Harvesting

Before a single email message is sent from the infected system, the virus must first gather addresses by scanning files that are likely to contain them. It searches files with these extensions for target addresses:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

Security Address Avoidance

The virus assumes that email addresses containing any of the strings listed below belong to a security organization, or to an organization close to a reporting mechanism that could pinpoint the virus quickly and/or alert security firms, who would then publish updates to counter its spread. Such addresses are skipped:

ntp- ntp@ ntp. info@ test@ @www @from. support smtp- @smtp. gold-certs ftp. .dial. .ppp. anyone subscribe announce @gmetref sql. someone nothing you@ user@ reciver@ somebody secure whatever@ whoever@ anywhere yourname mustermann@ .kundenserver. mailer-daemon variabel noreply -dav law2 .sul.t- .qmail@ t-ipconnect t-dialin ipt.aol time freeav @ca. abuse winrar domain. host. viren bitdefender spybot detection ewido. emsisoft linux @foo. winzip @example. bellcore. @arin mozilla iana@ iana- @iana @avp icrosoft. @sophos @panda @kaspers free-av antivir virus verizon. @ikarus. @nai. @messagelab nlpmail01. clock

Miscellaneous

The virus tracks its own generation across replications by incrementing a byte field in the header of the virus file. At offset 0x00A0 a first-generation copy carries the value 01; each further replication increments this field by 1.
Recommended Action