
W32/Sober.X@mm - Released Nov 15, 2005 - Last Updated Mar 13, 2007

Alias/es

Email-Worm.Win32.Sober.t [KAV], W32.Sober.W@mm [NAV], W32/Sober-T [Sophos], W32/Sober.s.dr [McAfee], W32/Sober.T-mm, W32/Sober.X@mm, Worm.Sober.T-6 [ClamAV], WORM_SOBER.AD [Trend]

Detection Availability

Active Database | Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • Compromised systems are slow to respond due to heavy SMTP outbound traffic

  • Creation of these files on the infected system [note, the Windows folder may be in a different path depending on the version of Windows and user preferences] -

    c:\WINNT\ConnectionStatus\Microsoft\services.exe [128,032 bytes]
    c:\WINNT\ConnectionStatus\Microsoft\concon.www [various]

Detailed Analysis

This variant of Sober is very similar to existing variants in that it is coded using Visual Basic, and contains instructions to spread to other systems using SMTP email.

Loading at Windows startup
If the threat is run manually, it will copy itself to the local system in several places -

c:\WINNT\ConnectionStatus\Microsoft\services.exe [128,032 bytes]
c:\WINNT\ConnectionStatus\Microsoft\concon.www [various]

The file "concon.www" is a simple text file generated by the virus during its scan and sweep of the infected computer for valid email addresses. Email addresses found are stored in this file, and the list is then terminated by the word "Ende".

During execution of the virus named "services.exe", zero-byte files are created with these file names -

c:\WINNT\system32\bbvmwxxf.hml
c:\WINNT\system32\gdfjgthv.cvq
c:\WINNT\system32\langeinf.lin
c:\WINNT\system32\nonrunso.ber
c:\WINNT\system32\rubezahl.rub
c:\WINNT\system32\runstop.rst

If the virus process is terminated, the files remain. The virus will register itself to load at Windows startup -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
" WinCheck" = C:\WINNT\ConnectionStatus\Microsoft\services.exe

The virus author specifically chose the name "services.exe" to confuse untrained users who try to terminate the virus manually by file name: a legitimate system file of the same name exists on every Windows computer and runs in memory by default.
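The host artifacts above (the drop directory, the padded " WinCheck" Run value pointing at a services.exe outside System32, the zero-byte marker files and the "Ende"-terminated concon.www list) can be checked mechanically during triage. The following Python is an added example, not Fortinet's code: it parses constructed `reg query`-style output in the four-space-separated layout assumed here, flags Run values that match the persistence entry described above, reports which marker files appear in a directory listing, and reads a concon.www-style address list up to its terminator. The sample inputs, the `C:\WINNT` system root and the helper names are assumptions.

```python
import ntpath
import re

# Artifacts from the analysis above (the Windows folder may differ per system).
SOBER_DROP_DIR = r"ConnectionStatus\Microsoft"
SOBER_MARKER_FILES = {
    "bbvmwxxf.hml", "gdfjgthv.cvq", "langeinf.lin",
    "nonrunso.ber", "rubezahl.rub", "runstop.rst",
}

# Constructed sample in the layout assumed for `reg query HKLM\...\Run`:
# four spaces, value name, four spaces, type, four spaces, data.
SAMPLE_RUN_KEY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
     WinCheck    REG_SZ    C:\WINNT\ConnectionStatus\Microsoft\services.exe
"""

# Constructed directory listing of C:\WINNT\system32 (names only).
SAMPLE_SYSTEM32_LISTING = ["services.exe", "kernel32.dll", "rubezahl.rub", "RUNSTOP.RST"]

# Constructed concon.www content: one harvested address per line, "Ende" last.
SAMPLE_CONCON = "alice@example.com\nbob@example.de\nalice@example.com\nEnde\ncarol@example.org\n"


def parse_run_key_output(text):
    """Return {value_name: data} from reg-query style text.

    The value name keeps its leading whitespace, because that padding
    (" WinCheck") is exactly the detail the analysis calls out."""
    entries = {}
    for line in text.splitlines():
        parts = re.split(r" {4}", line.rstrip(), maxsplit=3)
        if len(parts) == 4 and parts[0] == "" and parts[2].startswith("REG_"):
            entries[parts[1]] = parts[3]
    return entries


def flag_run_entries(entries, system_root=r"C:\WINNT"):
    """Flag Run values that look like the Sober.X persistence entry."""
    legit_dir = ntpath.normcase(ntpath.join(system_root, "System32"))
    findings = []
    for name, data in entries.items():
        path = data.strip('"')
        reasons = []
        if name != name.strip():
            reasons.append("value name padded with whitespace")
        # The real services.exe lives in System32; any other location is suspect.
        if (ntpath.basename(path).lower() == "services.exe"
                and ntpath.normcase(ntpath.dirname(path)) != legit_dir):
            reasons.append("services.exe started from outside System32")
        if SOBER_DROP_DIR.lower() in path.lower():
            reasons.append("path is under the Sober drop directory")
        if reasons:
            findings.append((name, path, reasons))
    return findings


def present_marker_files(system32_listing):
    """Which of the zero-byte marker files exist (case-insensitive match)."""
    names = {n.lower() for n in system32_listing}
    return sorted(SOBER_MARKER_FILES & names)


def parse_concon(text):
    """Read harvested addresses from concon.www, stopping at the "Ende" line."""
    addresses, seen = [], set()
    for line in text.splitlines():
        line = line.strip()
        if line == "Ende":
            break
        if "@" in line and line.lower() not in seen:
            seen.add(line.lower())
            addresses.append(line)
    return addresses


if __name__ == "__main__":
    entries = parse_run_key_output(SAMPLE_RUN_KEY_OUTPUT)
    for name, path, reasons in flag_run_entries(entries):
        print("suspicious Run value %r -> %s: %s" % (name, path, "; ".join(reasons)))
    print("marker files present:", present_marker_files(SAMPLE_SYSTEM32_LISTING))
    print("harvested addresses:", parse_concon(SAMPLE_CONCON))
```

On a live system the same functions can be fed the real `reg query` output and a listing of the System32 directory; the point of keeping the value name unstripped is that a name with a leading space is itself worth flagging, independent of the path it points at.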

SMTP mass-mailing routine
The virus has instructions to send a copy of itself to contacts found in files of certain extensions. Email addresses are sampled from files having these extensions -

def, pmr, phtm, stm, slk, inbox, imb, csv, bak, imh, xhtml, imm, imh, cms, nws, vcf, ctl, dhtm, cgi, pp, ppt, msg, jsp, oft, vbs, uin, ldb, abc, pst, cfg, mdw, mbx, mdx, mda, adp, nab, fdb, vap, dsp, ade, sln, dsw, mde, frm, bas, adr, cls, ini, ldif, log, mdb, xml, wsh, tbb, abx, abd, adb, pl, rtf, mmf, doc, ods, nch, xls, nsf, txt, wab, eml, hlp, mht, nfo, php, asp, shtml & dbx.

The virus stores email addresses found in the file "concon.www". This file is a simple text file terminated by the word "Ende".

The virus will construct one of two possible messages, either in German or English, depending on the target email address domain. If the domain suggests a German-reading recipient, the message is composed in German; otherwise in English. These are the two message formats -

Subject: Ich habe Ihre E-Mail erhalten

Body:
Danke fur Ihre Email ....
Sie haben aber Ihre Mail wahrscheinlich falsch adressiert, naemlich an mich. Ich kenne sie aber nicht!
Oder Ihr Provider hat die eMail falsch weiter geleitet?
Um mich zu entlasten, schicke ich Ihnen das (!.!) Foto wieder zurueck.

Attachment: foto.zip


Subject: I've got your email on my account

Body:
hi,
First, my English is very bad! Sorry about this.
Ok, I've got an email in my box, but this email is not for me, because, I'm not the recipient! The recipient are you!
This must be an email-provider error, but I don't know!
I have made a Screenshot about this mail and saved then in a zipped jpeg file for you.
ok then, bye
Attachment: email_photo.zip
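Both lures use fixed subjects, attachment names and body phrasing, so a mail gateway or log review can match them directly. The following Python is an added example, not Fortinet's detection logic: it constructs two sample messages with the standard library, parses them with the `email` package, and reports which of the subject, attachment-name and body markers taken from the two templates above were found. The sender and recipient addresses, the placeholder attachment bytes and the function names are constructed for this example.

```python
from email import policy
from email.message import EmailMessage
from email.parser import Parser

# Lure details taken from the two message templates above (lower-cased).
SOBER_SUBJECTS = {
    "ich habe ihre e-mail erhalten",
    "i've got your email on my account",
}
SOBER_ATTACHMENTS = {"foto.zip", "email_photo.zip"}
SOBER_BODY_MARKERS = (
    "schicke ich ihnen das (!.!) foto wieder zurueck",
    "i have made a screenshot about this mail",
)


def build_sample(subject, body, attachment_name):
    """Construct a multipart message in the shape of a lure (sample only)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"      # constructed
    msg["To"] = "recipient@example.de"      # constructed
    msg["Subject"] = subject
    msg.set_content(body)
    # Placeholder bytes stand in for the archive; this is not a real ZIP.
    msg.add_attachment(b"constructed placeholder, not an archive",
                       maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_string()


def classify(raw):
    """Return the list of lure features found in a raw RFC 822 message."""
    msg = Parser(policy=policy.default).parsestr(raw)
    hits = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in SOBER_SUBJECTS:
        hits.append("subject matches lure template")
    names = {(p.get_filename() or "").lower() for p in msg.iter_attachments()}
    for n in sorted(names & SOBER_ATTACHMENTS):
        hits.append("attachment name matches lure: " + n)
    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content().lower() if text_part is not None else ""
    if any(marker in body for marker in SOBER_BODY_MARKERS):
        hits.append("body phrase matches lure template")
    return hits


if __name__ == "__main__":
    samples = {
        "german": build_sample(
            "Ich habe Ihre E-Mail erhalten",
            "Um mich zu entlasten, schicke ich Ihnen das (!.!) Foto wieder zurueck.",
            "foto.zip"),
        "english": build_sample(
            "I've got your email on my account",
            "I have made a Screenshot about this mail and saved then in a zipped jpeg file for you.",
            "email_photo.zip"),
        "benign": build_sample("Quarterly report", "Figures attached.", "report.zip"),
    }
    for label, raw in samples.items():
        print(label, "->", classify(raw) or ["no lure features"])
```

Matching on several independent features is deliberate: a subject alone is easy to vary, whereas a hit on subject, attachment name and body phrase together is a strong indicator that the message is this worm, and a single attachment-name hit is still worth a closer look.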


Recommended Action

FortiGate systems:

  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option


Reference: ID - 106575