
W32/Sober.R@mm - Released Oct 06, 2005

Alias/es

Trojan-Dropper.Win32.VB.iv [KAV], W32/Sober.r.dr [McAfee], W32/Sober.R@mm, W32/VB.IV-dr

Detection Availability

Active Database    Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

CVE

CME-151

Visible Symptoms

  • Compromised systems are slow to respond due to heavy SMTP outbound traffic

  • Creation of these files on the infected system (note: the Windows folder may be in a different path depending on the version of Windows and user preferences) -

    c:\WINNT\ConnectionStatus\netslot.nst [155,600 bytes]
    c:\WINNT\ConnectionStatus\services.exe [113,551 bytes]
    c:\WINNT\ConnectionStatus\socket.dli [various]

  • A fake error message is displayed if the virus is run -

    [Image: Fake error displayed by Sober.R]

Detailed Analysis

This variant appears to have been spammed out by the virus author in an attempt to promote spreading of the virus. The virus still travels within a .ZIP, but the file itself has been altered to contain varying byte codes beyond 8,922 bytes (0x22d9); the file is actually a wrapper for the dropped virus.

The .ZIP contains a file named Screen_Photo.jpeg-graphic1.exe.

This variant of Sober is very similar to existing variants in that it is coded in Visual Basic and contains instructions to spread to other systems using SMTP email. This virus can trick users (those who trust file icon associations) into running it because its file icon resembles a graphic image file.

This technique preys upon users and systems with the default configuration of "do not display file extensions for known file types".

Loading at Windows startup
If the threat is run manually, it will copy itself to the local system in several places -

c:\WINNT\ConnectionStatus\netslot.nst [155,600 bytes]
c:\WINNT\ConnectionStatus\services.exe [113,551 bytes]
c:\WINNT\ConnectionStatus\socket.dli [various]

Sober displays a fake error message like this one, if the virus is run -

[Image: Fake error displayed by Sober.R]

The file "netslot.nst" is a Base64 encoded copy of the virus as a .ZIP file. The .ZIP file is attached to emails sent by the virus and contains a file named "PW_Klass.Pic.packed-bitmap.exe".

The file "socket.dli" is a simple text file generated by the virus during its scan and sweep of the infected computer for valid email addresses. Email addresses found are stored in this file, and the list is then terminated by the word "Ende".

During execution of the virus named "services.exe", zero-byte files are created with these file names -

c:\WINNT\system32\bbvmwxxf.hml
c:\WINNT\system32\gdfjgthv.cvq
c:\WINNT\system32\langeinf.lin
c:\WINNT\system32\nonrunso.ber
c:\WINNT\system32\rubezahl.rub
c:\WINNT\system32\seppelmx.smx

If the virus process is terminated, the files remain. The virus will register itself to load at Windows startup -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
" WinINet" = C:\WINNT\ConnectionStatus\services.exe

The virus author specifically chose the name "services.exe" to add confusion for untrained computer users looking to manually terminate the virus by file name. By default, every Windows computer already has a system file of the same name running in memory.

SMTP mass-mailing routine
The virus has instructions to send a copy of itself to contacts found in files of certain extensions. Email addresses are sampled from files having these extensions -

  • pmr
  • phtm
  • stm
  • slk
  • inbox
  • imb
  • csv
  • bak
  • imh
  • xhtml
  • imm
  • imh
  • cms
  • nws
  • pl
  • vcf
  • ctl
  • dhtm
  • cgi
  • pp
  • ppt
  • msg
  • jsp
  • oft
  • vbs
  • uin
  • ldb
  • abc
  • pst
  • rtf
  • cfg
  • mdw
  • mbx
  • mdx
  • mda
  • adp
  • nab
  • fdb
  • vap
  • dsp
  • ade
  • sln
  • dsw
  • mde
  • mmf
  • doc
  • ods
  • nch
  • xls
  • nsf
  • txt
  • wab
  • eml
  • hlp
  • mht
  • nfo
  • php
  • asp
  • shtml
  • dbx
  • frm
  • bas
  • adr
  • cls
  • ini
  • ldif
  • log
  • mdb
  • xml
  • wsh
  • tbb
  • abx
  • abd
  • adb

As with other viruses using this technique, the virus will avoid selecting email addresses containing certain strings, such as these -

  • aero
  • com
  • coop
  • edu
  • gov
  • museum
  • name
  • int
  • net
  • org
  • pro
  • info

The virus stores the email addresses it finds in the file "socket.dli". This file is a simple text file terminated by the word "Ende".

The virus carries hard-coded texts that are used to generate the subject line and message bodies for emails sent by the virus. There are two possible email formats, chosen solely by the domain of the target recipient. If the virus determines that the target email address belongs to one of three countries (de, at, ch), an email message in Dutch is crafted similar to this -

Subject: Fwd: Klassentreffen
Body:
ich hoffe jetzt mal das ich endlich die richtige person erwischt habe!
Attachment: KlassenFoto.zip

Otherwise, emails are generated in this format -

Subject: Your new Password
Body:
Your password was successfully changed!
Please see the attached file for detailed information.
Attachment: pword_change.zip

The .ZIP file contains a copy of the virus as an .EXE file named either "PW_Klass.Pic.packed-bitmap.exe" or "Screen_Photo.jpeg-graphic1.exe".
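The two dropped artifacts described above (the Base64-encoded .ZIP in "netslot.nst" and the "Ende"-terminated address list in "socket.dli") and the deceptive attachment names are easy to triage offline. The following is an added example for incident responders, not code from the original report or from Fortinet: it decodes a netslot.nst-style file, lists the archive members, flags executables whose names embed image-like tokens (the icon trick the report describes), and extracts the harvested addresses from socket.dli. The sample contents are constructed placeholders, not the real malware.

```python
import base64
import io
import re
import zipfile

# Constructed sample: a minimal ZIP with a placeholder member carrying the
# attachment name quoted in the report, Base64-encoded like netslot.nst.
def _build_sample_nst() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PW_Klass.Pic.packed-bitmap.exe", b"placeholder, not malware")
    return base64.b64encode(buf.getvalue())

SAMPLE_NST = _build_sample_nst()
# Constructed socket.dli: one address per line, "Ende" terminator, then slack.
SAMPLE_DLI = b"alice@example.de\r\nbob@example.org\r\nnot an address\r\nEnde\r\ncarol@example.com\r\n"

EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}
# Tokens that make an executable look like a picture/document once the real
# extension is hidden (".jpeg", ".Pic", "bitmap", "graphic", ...).
LURE_TOKEN = re.compile(r"\.(jpe?g|gif|bmp|pic|png|doc|txt)\b|bitmap|graphic|photo", re.I)
ADDR = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def decode_netslot(nst: bytes) -> list[str]:
    """Base64-decode a netslot.nst file, confirm it is a ZIP, return member names."""
    raw = base64.b64decode(nst, validate=True)
    if raw[:2] != b"PK":
        raise ValueError("decoded payload is not a ZIP archive")
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        return zf.namelist()

def is_deceptive_name(name: str) -> bool:
    """True for an executable whose stem embeds an image/document-like token."""
    stem, _, ext = name.rpartition(".")
    return bool(stem) and ext.lower() in EXEC_EXT and LURE_TOKEN.search(stem) is not None

def parse_socket_dli(data: bytes) -> list[str]:
    """Return harvested addresses up to the 'Ende' terminator, skipping junk lines."""
    found = []
    for line in data.decode("latin-1").splitlines():
        line = line.strip()
        if line == "Ende":          # the virus terminates the list here
            break
        if ADDR.match(line):
            found.append(line)
    return found

def triage(nst: bytes, dli: bytes) -> dict:
    """Summarise both artifacts: members, deceptive names, harvested addresses."""
    members = decode_netslot(nst)
    return {"members": members,
            "deceptive": [m for m in members if is_deceptive_name(m)],
            "harvested": parse_socket_dli(dli)}
```

The harvested list tells you which addresses the infected host exposed and likely spammed, which is what incident notification needs.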


Recommended Action



    FortiGate systems:

  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option


Reference: ID - 98081