W32/Sober.O!tr

Aliases: CME-414, Trojan.Win32.VB.vi [Kaspersky], W32/Sober.dr [McAfee], W32/Sober.O!tr.dr, W32/Sober.P-mm, W32/Sober.T.worm [Panda], Worm.Sober.O [ClamAV], Worm/Sober.O [Antivir]
Release Date: Apr 19, 2005

Detection Availability    Active Database    Extended Database
FortiGate                 low                high
FortiClient
FortiMail                 N/A

Current Antivirus Definition Database Version: 12.323
CVE: CME-414
Description

Visible Symptoms

  • After opening an email attachment, a dialog box shows this fake informational message -


    Microsoft Word for Windows
    (i) This "WinWord" Version is not installed on your System



  • Virus has Word 2000 data file icon

  • Newly created "System" folder in the %windows%\config folder

  • Newly created files on the infected system in the above folder -

    maddys.xyz
    services.exe
    zipped.wrm


  • Possible firewall alert that a file "services.exe" is attempting to access the Internet using DNS. This may appear normal; however, the location of this "services.exe" is not normal

  • Newly created files on the infected system in the System32 folder, with a file size of 0 bytes -

    adcmmmmq.hjg
    langeinf.lin
    nonrunso.ber
    xcvfpokd.tqa


Detailed Analysis


This variant drops a copy of the previous variant onto the system. It is contained within a polymorphic wrapper that, when run, extracts copies of the same files generated by the previous variant of Sober.

This virus targets email recipients by harvesting addresses from an infected system and sending emails with a viral attachment. The attachment may have a .PIF or .ZIP extension.

The subject and body of the email vary and are in either English or German, depending on the suffix of the target email address. For instance, email addresses that contain these strings -

.de
.ch
.at
.li
gmx.

may receive an email with German text. All other email addresses receive English text. The header of the email message created is set with these properties -

From: [spoofed]
To: [any address found]
Importance: High
X-Mailer: LinuxSMTP_V3.3.83518

Below are examples of the two texts used to generate the email subject and body for messages sent by the virus -

SUBJECT: FwD: Ich bin's nochmal
BODY:
Verdammt,

ich hatte vergessen Dir meinen Text mitzuschicken.
Aber bitte nicht woanders darueber Reden, ich wuerde mich dann zu Tode blamieren!
Ich melde mich.
Bis bald ;)
ATTACHED: Private-Texte.zip

SUBJECT: I've_got your EMail on my_account!
BODY:
Hello,
First, Very Sorry for my bad English.

Someone is sending your private e-mails on my address.
It's probably an e-mail provider error!
At time, I've got over 10 mails on my account, but the recipient are you.

I have copied all the mail text in the windows text-editor for you & zipped then.
Make sure, that this mails don't come in my mail-box again.

bye
ATTACHED: "your_text.zip"


Loading at Windows startup
If this virus is run on a system, it creates a folder named "System" in the %Windows%\config folder. Next, it copies these files to that folder -

maddys.xyz [emails gathered]
services.exe [copy of virus]
zipped.wrm [Base64 copy of ZIP, contains virus, 100,854 bytes]

The virus registers itself to load at Windows startup using these registry keys -

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"_SystemCheck" = C:\WINNT\Config\system\services.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
" SystemCheck" = C:\WINNT\Config\system\services.exe
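The symptoms and persistence entries listed above can be turned into a host-triage check. The following is an added example, not part of the Fortinet description; it works on exported data (Run-key entries, a file listing with sizes, and a message header block) so it runs offline, and the sample inputs at the bottom are constructed for illustration.

```python
import re

# Indicators taken from the description above.
RUN_VALUES = {"_SystemCheck", " SystemCheck"}            # Run value names used by Sober.O
DROPPER_PATH = re.compile(r"\\config\\system\\services\.exe$", re.IGNORECASE)
DROPPED_FILES = {"maddys.xyz", "services.exe", "zipped.wrm"}  # in %windows%/config/System
MARKER_FILES = {"adcmmmmq.hjg", "langeinf.lin", "nonrunso.ber", "xcvfpokd.tqa"}  # 0-byte, System32
X_MAILER = "LinuxSMTP_V3.3.83518"                        # X-Mailer stamped on outgoing mail

def check_run_keys(run_entries):
    """run_entries: (hive, value_name, data) tuples exported from the
    HKCU/HKLM CurrentVersion/Run keys. Returns the entries matching Sober.O."""
    hits = []
    for hive, name, data in run_entries:
        if name in RUN_VALUES or DROPPER_PATH.search(data):
            hits.append(f"{hive} Run value {name!r} -> {data}")
    return hits

def check_files(listing):
    """listing: (path, size_bytes) pairs. Flags the dropped files in
    %windows%/config/System and the zero-byte marker files in System32."""
    hits = []
    for path, size in listing:
        p = path.replace("/", "\\").lower()
        name = p.rsplit("\\", 1)[-1]
        if "\\config\\system\\" in p and name in DROPPED_FILES:
            hits.append(path)
        elif "\\system32\\" in p and name in MARKER_FILES and size == 0:
            hits.append(path)
    return hits

def check_mail_headers(raw_headers):
    """raw_headers: one message's header block. True if the X-Mailer string
    used by the worm's own SMTP engine is present (no legitimate MUA uses it)."""
    for line in raw_headers.splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() == "x-mailer" and value.strip() == X_MAILER:
            return True
    return False

if __name__ == "__main__":
    # Constructed sample data: one infected host plus a benign entry of each kind.
    runs = [("HKCU", "_SystemCheck", r"C:\WINNT\Config\system\services.exe"),
            ("HKLM", "ctfmon", r"C:\WINNT\system32\ctfmon.exe")]
    files = [(r"C:\WINNT\Config\System\zipped.wrm", 100854),
             (r"C:\WINNT\system32\nonrunso.ber", 0),
             (r"C:\WINNT\system32\services.exe", 98304)]   # the real one, not a hit
    hdr = "From: x@example.invalid\nImportance: High\nX-Mailer: LinuxSMTP_V3.3.83518\n"
    print(check_run_keys(runs), check_files(files), check_mail_headers(hdr))
```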



Email harvesting
This virus scans the hard drive for files with these extensions and extracts email addresses from them -

abc
abd
abx
adb
ade
adp
adr
asp
bak
bas
cfg
cgi
cls
cms
csv
ctl
dbx
dhtm
doc
dsp
dsw
eml
fdb
frm
hlp
imb
imh
imm
inbox
ini
jsp
ldb
ldif
log
mbx
mda
mdb
mde
mdw
mdx
mht
mmf
msg
nab
nch
nfo
nsf
nws
ods
oft
php
phtm
pl
pmr
pp
ppt
pst
rtf
shtml
slk
sln
stm
tbb
txt
uin
vap
vbs
vcf
wab
wsh
xhtml
xls
xml


Reference: ID - 41673