| Description | Visible Symptoms
- Compromised systems are slow to respond due to heavy SMTP outbound traffic
- Creation of these files on the infected system [note, the Windows folder
may be in a different path depending on the version of Windows and user preferences]
-
c:\WINNT\ConnectionStatus\Microsoft\services.exe
[128,032 bytes]
c:\WINNT\ConnectionStatus\Microsoft\concon.www [various]
Detailed AnalysisThis variant of Sober is very similar to existing variants in that it is coded
using Visual Basic, and contains instructions to spread to other systems using
SMTP email.
Loading at Windows startup
If the threat is run manually, it will copy itself to the local system in several
places -
c:\WINNT\ConnectionStatus\Microsoft\services.exe
[128,032 bytes]
c:\WINNT\ConnectionStatus\Microsoft\concon.www [various]
The file "concon.www"
is a simple text file generated by the virus during its scan and sweep of the
infected computer for valid email addresses. Email addresses found are stored
into this file, and then list is terminated by the word "Ende".
During execution of the virus named "services.exe", 0 byte
files are created with these file names -
c:\WINNT\system32\bbvmwxxf.hml
c:\WINNT\system32\gdfjgthv.cvq
c:\WINNT\system32\langeinf.lin
c:\WINNT\system32\nonrunso.ber
c:\WINNT\system32\rubezahl.rub
c:\WINNT\system32\runstop.rst
If the virus process is terminated, the files remain. The virus will register
itself to load at Windows startup -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
" WinCheck" = C:\WINNT\ConnectionStatus\Microsoft\services.exe
The virus author specifically chose the name "services.exe"
to add confusion to untrained computer users looking to manually terminate the
virus by file name. By default and on every Windows computer a system file by
the same name already exists and runs in memory.
SMTP mass-mailing routine
The virus has instructions to send a copy of itself to contacts found in files
of certain extensions. Email addresses are sampled from files having these extensions
-
def, pmr, phtm, stm, slk, inbox, imb, csv, bak, imh, xhtml, imm, imh, cms, nws,
vcf, ctl, dhtm, cgi, pp, ppt, msg, jsp, oft, vbs, uin, ldb, abc, pst, cfg, mdw,
mbx, mdx, mda, adp, nab, fdb, vap, dsp, ade, sln, dsw, mde, frm, bas, adr, cls,
ini, ldif, log, mdb, xml, wsh, tbb, abx, abd, adb, pl, rtf, mmf, doc, ods, nch,
xls, nsf, txt, wab, eml, hlp, mht, nfo, php, asp, shtml & dbx.
The virus stores email addresses found into the file "concon.www".
This file is a simple text terminated by the word "Ende".
The virus will construct one of two possible messages, either in German or
English, depending on the target email address domain. If it is determined the
address is a potentially German-reading recipient, the email is composed in
German text, otherwise English. These are the two message formats -
| Subject: Ich habe Ihre E-Mail erhalten |
|
Body:
Danke fur Ihre Email ....
Sie haben aber Ihre Mail wahrscheinlich falsch adressiert, naemlich
an mich. Ich kenne sie aber nicht!
Oder Ihr Provider hat die eMail falsch weiter geleitet?
Um mich zu entlasten, schicke ich Ihnen das (!.!) Foto wieder zurueck.
|
| Attachment: foto.zip |
|
Subject: I've got your email on my account
|
Body:
hi,
First, my English is very bad! Sorry about this.
Ok, I've got an email in my box, but this email is not for me, because,
I'm not the recipient! The recipient are you!
This must be an email-provider error, but I don't know!
I have made a Screenshot about this mail and saved then in a zipped jpeg
file for you.
ok then, bye |
| Attachment: email_photo.zip |
|