W32/Sober.Q

Alias/es: Email-Worm.Win32.Sober.q [KAV], Troj/Sober-Q [Sophos], Trojan.Ascetic.C [NAV], W32.Sober.P@mm [NAV], W32/Sober.Q-mm, W32/Sober.q@MM [McAfee], WORM_SOBER.U [Trend]
Release Date: May 15, 2005
Detection Availability
                 Active Database    Extended Database
FortiGate        low                high
FortiClient
FortiMail        N/A
Current Antivirus Definition Database Version: 12.202
Description

Visible Symptoms

  • Possible firewall alert that any or all three of these files are attempting to access the Internet: csrss.exe and smss.exe

  • Creation of these files on the infected system (note: the Windows folder may be in a different path depending on the version of Windows and user preferences) -

    C:\WINNT\Help\Help\csrss.exe
    C:\WINNT\Help\Help\services.exe
    C:\WINNT\Help\Help\smss.exe

Detailed Analysis

This variant of Sober is packed and has a file size of 53,792+ bytes. It does not spread beyond the compromised system, that is, it does not mass-mail itself over SMTP or by any other means. It does, however, send spam from the compromised host to addresses harvested on that host. It is a minor modification of W32/Sober.P-mm and carries the same file deletion payload.

Loading at Windows startup
If this virus is run on a system, it creates a folder named "Help" inside the "%Windows%\Help\" folder, then copies these files into it -

[copy of virus - 53,792+ bytes]
C:\WINNT\Help\Help\csrss.exe
C:\WINNT\Help\Help\services.exe
C:\WINNT\Help\Help\smss.exe

The virus registers itself to load at Windows startup using this registry key -

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"SystemBoot" = C:\WINNT\Help\Help\services.exe
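The persistence indicators above (three executables under a "Help\Help" folder and a Run value named "SystemBoot") can be checked on a host without depending on the exact Windows path. The following is an added example, not part of the original description: it takes a list of observed file paths and the HKCU Run values (constructed sample data here) and reports which indicators are present, ignoring legitimate copies of csrss.exe and smss.exe in System32.

```python
import ntpath

# Indicators from the analysis: dropped file names and the Run value name.
DROPPED_FILES = {"csrss.exe", "services.exe", "smss.exe"}
RUN_VALUE_NAME = "SystemBoot"


def _in_help_help(path: str) -> bool:
    """True if the file sits directly under a ...\Help\Help directory."""
    parts = ntpath.normpath(path).lower().split("\\")
    return len(parts) >= 3 and parts[-3:-1] == ["help", "help"]


def check_host(file_paths, run_values):
    """Return a list of (indicator, detail) findings.

    file_paths: full paths observed on the host (any Windows folder location).
    run_values: dict of HKCU\...\CurrentVersion\Run value names -> data.
    """
    findings = []
    for path in file_paths:
        name = ntpath.basename(path).lower()
        # Only the Help\Help copies are suspicious; System32 copies are normal.
        if name in DROPPED_FILES and _in_help_help(path):
            findings.append(("dropped_file", path))
    data = run_values.get(RUN_VALUE_NAME)
    if data is not None:
        target = data.strip('"')
        if _in_help_help(target) and ntpath.basename(target).lower() == "services.exe":
            findings.append(("run_key", f"{RUN_VALUE_NAME} = {data}"))
        else:
            # A "SystemBoot" Run value pointing elsewhere is still worth a look.
            findings.append(("run_key_suspect", f"{RUN_VALUE_NAME} = {data}"))
    return findings


if __name__ == "__main__":
    # Constructed sample host data, not captured from a real infection.
    sample_files = [
        r"C:\WINDOWS\Help\Help\csrss.exe",
        r"C:\WINDOWS\Help\Help\services.exe",
        r"C:\WINDOWS\system32\csrss.exe",  # legitimate location, not flagged
    ]
    sample_run = {
        "SystemBoot": r"C:\WINDOWS\Help\Help\services.exe",
        "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    }
    for kind, detail in check_host(sample_files, sample_run):
        print(kind, detail)
```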

Email harvesting
As this threat sends spam to other users, it first gathers email addresses from the host system. It scans the hard drive for files with these extensions and extracts any email addresses found in them -

abc
abd
abx
adb
ade
adp
adr
asp
bak
bas
cfg
cgi
cls
cms
csv
ctl
dbx
dhtm
doc
dsp
dsw
eml
fdb
frm
hlp
imb
imh
imm
inbox
ini
jsp
ldb
ldif
log
mbx
mda
mdb
mde
mdw
mdx
mht
mmf
msg
nab
nch
nfo
nsf
nws
ods
oft
php
phtm
pl
pmr
pp
ppt
pst
rtf
shtml
slk
sln
stm
tbb
txt
uin
vap
vbs
vcf
wab
wsh
xhtml
xls
xml

The virus skips email addresses that contain any of these strings -

.dial.
.kundenserver.
.ppp.
.qmail@
.sul.t-
@arin
@avp
@ca.
@example.
@foo.
@from.
@gmetref
@iana
@ikarus.
@kaspers
@messagelab
@nai.
@panda
@smtp.
@sophos
@www
abuse
announce
antivir
anyone
anywhere
bellcore.
bitdefender
clock
-dav
detection
domain.
emsisoft
ewido.
freeav
free-av
ftp.
gold-certs
google
host.
iana-
iana@
icrosoft.
ipt.aol
law2
linux
mailer-daemon
mozilla
mustermann@
nlpmail01.
noreply
nothing
ntp-
ntp.
ntp@
reciver@
secure
smtp-
somebody
someone
spybot
sql.
subscribe
t-dialin
test@
time
t-ipconnect
user@
variabel
verizon.
viren
virus
whatever@
whoever@
winrar
winzip
you@
yourname

Email Structure
The "From" will always be spoofed, so sending a reply back to the "sender" is useless.

The subject and body of the email vary and are in either English or German, depending on the suffix of the target email address. For instance, email addresses containing these strings -

.at
.li
gmx.

may receive an email with German text. All other email addresses receive English text. The email contains hyperlinks to politically oriented websites. The threat builds messages by combining text fragments and URLs stored in its body, mixing and matching them at random to produce varied emails. These are some of the subject lines used by the spammer Sober threat -

  • S.O.S. Kiez! Polizei schlaegt Alarm
  • Du wirst zum Sklaven gemacht!!!
  • Blutige Selbstjustiz
  • Multi-Kulturell = Multi-Kriminell
  • Deutsche Buerger trauen sich nicht ...
  • Auf Streife durch den Berliner Wedding
  • Auslaender bevorzugt
  • Deutsche werden kuenftig beim Arzt abgezockt
  • Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer
  • Gegen das Vergessen
  • Hier sind wir Lehrer die einzigen Auslaender

These are some of the URLs and body texts used by the virus -

Lese selbst:
Neue Dokumente:
Botschafter in Kiew beschwerte sich noch 2004:
Traumziel Deutschland:
Ohne Deutsch nach Deutschland:

http://bz.berlin1.de/archiv/041115_pdf/BZ041115_004_GB2IG556.1.htm
http://www.leverkusener-aufbruch.com
http://www.npd.de/npd_info/deutschland/2005/d0405-13.html
http://www.rp-online.de/public/article/nachrichten/politik/deutschland/87647
http://www.aufenthaltstitel.de/zuwg/0618.html
http://www.rp-online.de/public/article/nachrichten/politik/deutschland/85735
http://www.berlinonline.de/berliner-zeitung/archiv/.bin/dump.fcgi/2004/1221/politik/0009/index.html

This is an example of an email created by the spammer Sober threat -

Subject: Deutsche werden kuenftig beim Arzt abgezockt
Body:
Polizeiexperten warnen: Ethnisch abgeschottete Mafia-Clans sind kaum noch zu durchdringen. Die Gerichte tragen Mitschuld.

Weiter auf:
http://www.libasoli.de/2004/ethnoclans%20spiegel50_04.htm

File Deletion Payload
This virus carries a file deletion payload. It targets files whose names match these patterns -

a*.exe
luc*.exe
ls*.exe
luu*.exe
mrt.exe
asw*.tmp

In testing the virus deleted files such as these -

AUPDATE.EXE
LSETUP.EXE
LuComServer.EXE

The above-named files are related to Norton Antivirus "Live Update".
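To judge what else the deletion payload would hit, the six patterns above can be matched against a directory listing. This is an added example (not from the original description) that matches the patterns case-insensitively, as Windows does, against a constructed listing; it shows that the three files observed in testing are covered and that the broad a*.exe pattern also catches unrelated names such as a hypothetical alert.exe.

```python
import fnmatch

# Deletion targets listed in the analysis above.
DELETION_PATTERNS = ["a*.exe", "luc*.exe", "ls*.exe", "luu*.exe", "mrt.exe", "asw*.tmp"]


def matching_pattern(filename: str):
    """Return the first pattern that would select this file, or None."""
    lowered = filename.lower()  # Windows file names are case-insensitive
    for pattern in DELETION_PATTERNS:
        if fnmatch.fnmatchcase(lowered, pattern):
            return pattern
    return None


def at_risk(filenames):
    """Map each file name the payload would delete to the pattern that hits it."""
    return {name: pat for name in filenames if (pat := matching_pattern(name)) is not None}


if __name__ == "__main__":
    # Constructed listing: the files seen in testing plus unrelated names.
    listing = ["AUPDATE.EXE", "LSETUP.EXE", "LuComServer.EXE", "mrt.exe",
               "notepad.exe", "lucky.txt", "asw12.tmp", "alert.exe"]
    for name, pat in at_risk(listing).items():
        print(f"{name:16} <- {pat}")
```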

Description Last Updated Date: May 18, 2005
Reference: ID - 53175