Description
Visible Symptoms
- Compromised systems are slow to respond because of heavy outbound SMTP traffic
- Creation of these files on the infected system (the Windows folder may be at a different path depending on the version of Windows and user preferences):
  c:\WINNT\ConnectionStatus\Microsoft\services.exe [134,176 bytes]
  c:\WINNT\ConnectionStatus\Microsoft\concon.www [various]
Detailed Analysis
This variant of Sober is very similar to existing variants: it is coded in Visual Basic and contains instructions to spread to other systems by SMTP email.
Loading at Windows startup
If the threat is run manually, it copies itself to the local system in several places:
c:\WINNT\ConnectionStatus\Microsoft\services.exe [134,176 bytes]
c:\WINNT\ConnectionStatus\Microsoft\concon.www [various]
The file "concon.www" is a simple text file generated by the virus during its scan and sweep of the infected computer for valid email addresses. Addresses found are stored in this file, and the list is terminated by the word "Ende".
During execution of the virus process "services.exe", 0-byte files are created with these file names:
c:\WINNT\system32\bbvmwxxf.hml
c:\WINNT\system32\gdfjgthv.cvq
c:\WINNT\system32\langeinf.lin
c:\WINNT\system32\nonrunso.ber
c:\WINNT\system32\rubezahl.rub
c:\WINNT\system32\runstop.rst
If the virus process is terminated, the files remain. The virus registers itself to load at Windows startup with this registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
" WinCheck" = C:\WINNT\ConnectionStatus\Microsoft\services.exe
The virus author deliberately chose the name "services.exe" to confuse untrained users who try to terminate the virus by file name: by default, every Windows computer already has a legitimate system file of the same name running in memory.
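The artefacts above (dropped files, the Run value and the services.exe name collision) can be checked on a host with the following script. It is an added example, not the vendor's code; it assumes the legitimate services.exe lives under %SystemRoot%\system32 and that concon.www holds one address per line, which the write-up does not state.

```python
"""Host triage for the Sober artefacts listed above (added example, not the vendor's code).
Check functions take their input as arguments so they run offline; run_local_checks() gathers live data on Windows."""
import os
import sys

# Dropped files relative to %SystemRoot% (the write-up shows C:\WINNT).
DROPPED_FILES = [r"ConnectionStatus\Microsoft\services.exe",
                 r"ConnectionStatus\Microsoft\concon.www",
                 r"system32\bbvmwxxf.hml", r"system32\gdfjgthv.cvq", r"system32\langeinf.lin",
                 r"system32\nonrunso.ber", r"system32\rubezahl.rub", r"system32\runstop.rst"]
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def suspicious_run_entries(entries):
    """Run-key (name, value) pairs matching the persistence entry: the value name
    'WinCheck' (the original carries a leading space, hence strip()) or the dropper path."""
    return [(n, v) for n, v in entries
            if n.strip().lower() == "wincheck"
            or r"connectionstatus\microsoft\services.exe" in str(v).lower()]

def rogue_services_exe(process_paths, system_root):
    """services.exe images running from anywhere but %SystemRoot%\\system32 (assumed
    location of the legitimate copy); this separates the two same-named processes."""
    norm = lambda p: p.lower().replace("/", "\\")
    legit = norm(system_root.rstrip("\\/") + r"\system32\services.exe")
    return [p for p in process_paths
            if norm(p).rsplit("\\", 1)[-1] == "services.exe" and norm(p) != legit]

def parse_concon(text):
    """Addresses harvested into concon.www; the word 'Ende' terminates the list.
    One address per line is an assumption."""
    addrs = []
    for line in text.splitlines():
        line = line.strip()
        if line == "Ende":
            break
        if line:
            addrs.append(line)
    return addrs

def run_local_checks(system_root=None):
    """Report dropped files present on this host and, on Windows, the Run entry."""
    system_root = system_root or os.environ.get("SystemRoot", r"C:\WINNT")
    found = [os.path.join(system_root, *f.split("\\")) for f in DROPPED_FILES
             if os.path.exists(os.path.join(system_root, *f.split("\\")))]
    if sys.platform == "win32":
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
            n = winreg.QueryInfoKey(key)[1]  # number of values under the key
            entries = [winreg.EnumValue(key, i)[:2] for i in range(n)]
        found += suspicious_run_entries(entries)
    return found
```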
SMTP mass-mailing routine
The virus has instructions to send a copy of itself to contacts found in files with certain extensions. Email addresses are harvested from files with these extensions:
def, pmr, phtm, stm, slk, inbox, imb, csv, bak, imh, xhtml, imm, imh,
cms, nws, vcf, ctl, dhtm, cgi, pp, ppt, msg, jsp, oft, vbs, uin, ldb,
abc, pst, cfg, mdw, mbx, mdx, mda, adp, nab, fdb, vap, dsp, ade, sln,
dsw, mde, frm, bas, adr, cls, ini, ldif, log, mdb, xml, wsh, tbb, abx,
abd, adb, pl, rtf, mmf, doc, ods, nch, xls, nsf, txt, wab, eml, hlp, mht,
nfo, php, asp, shtml and dbx.
The virus stores the email addresses it finds in the file "concon.www", a simple text file terminated by the word "Ende".
The virus constructs one of two possible messages, in German or English, depending on the domain of the target email address. If the address is judged to belong to a German-reading recipient, the email is composed in German, otherwise in English. These are the two message formats:
Subject: Ihre eMail!
Body:
Guten Tag,
Ok, hier haben Sie sie wieder zurueck!
gruss jemand schickte mir eine Mail mit einer Excel oder Access
Tabelle (kenne mich da nicht so aus!).
Jedenfalls ist diese Mail aber an ihre Mail Adresse adressiert,
aber zu meiner gekommen??? Ist wohl irgendein Fehler.
Attachment: foto.zip

Subject: Your email
Body:
Hello,
Sorry, sorry sorry, because,, my English is not the best!
ok, I've got an email with an Excel-Table. But I am not the recipient,
the recipient are you!
I think, it's an mail error!
OK, here is your table back!
cya....
Attachment: excel_table.zip