Lumension® Endpoint Intelligence Center

W32/Sober.F@mm

Threat Risk: LOW
Destructivity: NONE
Payload: None
Detection files: published
Description created: 06 Apr 2004 04:36:00
Description updated: 06 Apr 2004 04:36:00
Malware type: WORM
Alias: Sober.F
Spreading mechanism: EMAIL
Summary: None

When Sober.F starts it checks whether it is running from the %SYSTEM% directory; if not, it copies itself there under a filename built by joining several words from the following list:

sys, host, dir, expolrer, win, run, log, 32, disc, crypt, data, diag, spool, service, smss, 32

The worm then creates the following registry values so that it is started with Windows (where <filename> is a name built from the list above, e.g. diag32service):

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\<filename> = "%SYSTEM%\<filename>"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\<filename> = "%SYSTEM%\<filename> %1"

Sober then drops seven files into the %SYSTEM% directory:

zmndpgwf.kxx: empty.
bcegfds.lll: empty.
zhcarxxi.vvx: empty.
syst32win.dll: used to store email addresses.
spoofed_recips.ocx: used to store email addresses.
winsys32xx.zzp: a copy of the worm in a Zip archive, BASE64 encoded.
winhex32xx.wrm: a copy of the worm, BASE64 encoded.

Sober then searches for email addresses in files with the following:

The worm then saves each email address found to %SYSTEM%\syst32win.dll, provided the address does not contain any of these:

Sober then begins its replication routine, which sends a mail to every address stored in %SYSTEM%\syst32win.dll using its own SMTP engine. Possible subject lines, body texts and attachment names are as follows:

Subject (English):
Details
Oh my God
Hey
Hi!
Hi, it's me
hey you
damn
Well, surprise?!
Info
Information
Faulty mail delivery
Mail delivery failed
Mail Error
Illegal signs in Mail-Routing
Connectio failed
Invalid mail sentence length
Mail Delivery failure
Message Error
mail delivery status
Confirmation Required
Bad Gateway
Warning!
Your document

Body (English):
I was surprised, too! :-( Who could suspect something like that?
All OK :) see, what i've found!
hi its me i've found a shity virus on my pc. check your pc, too! follow the steps in this article. bye
I 've told you!:-) sometime I grab your passwords! I hope you accept the result!
Follow the instructions to read the message.
Please read the document
Registration confirmation
Confirmation
Your Password
Your mail account
Your password was changed successfully. Protected message is attached. ++++ Service: http://www. ++++ Mail To: User-info
*** Auto Mail Delivery System *** [#102] ** End of Transmission The original message is a separate attachment. --- Web: http://www. --- Mail To: UserHelp
Read the attachment for details.
Bad Gateway: The message has been attached. +++ A service of +++ http://www. Mail: home
Database #Error -- Partial message is available! -- Error: llegal signs in Mail-Routing -- Mail Server: ESMTP VX32.9 Version Betha Alpha
Anybody use your accounts! For further details see the attachment.
I have received your document. The corrected document is attached.
Mail- Attachment: No suspicious Virus signatures
Mail Scanner: No Virus found
Anti-Virus: No Virus!

Attachment (English):
The attachment arrives with a .pif or .zip extension. Possible filenames are:
Money-Help
textanitv_text
instructions
your_article
your_passwords
messagedoc
corrected_text-file
attach-message
pass-message
partial
Textdocument
check_this

Note: Sober may also send mails with a German subject line, body text and attachment name.
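A defender-side check for the persistence artifacts described above, written as an added example (not Lumension's code): it recognises Run/RunOnce value names built by chaining the worm's word list and spots the fixed dropped-file names. Registry values and directory listings are supplied as constructed Python data, and the executable's extension is an assumption, since the description gives none.

```python
"""Heuristic checks for the W32/Sober.F@mm persistence artifacts described above (added
example, not Lumension's code). Registry values and directory listings are passed in as
plain Python data so the checks run offline; on a live host feed in winreg/os.listdir output."""
import ntpath
# Word list from the description (duplicate "32" collapsed, "expolrer" spelled as given).
SOBER_WORDS = ("sys", "host", "dir", "expolrer", "win", "run", "log", "32",
               "disc", "crypt", "data", "diag", "spool", "service", "smss")
# The seven helper files the description says Sober.F drops into %SYSTEM%.
SOBER_DROPPED_FILES = frozenset({"zmndpgwf.kxx", "bcegfds.lll", "zhcarxxi.vvx", "syst32win.dll",
                                 "spoofed_recips.ocx", "winsys32xx.zzp", "winhex32xx.wrm"})

def sober_tokens(name):
    """Words from SOBER_WORDS that spell `name` exactly (at least two), else None.
    Backtracks over every split: "diag32service" -> ["diag", "32", "service"], while a
    legitimate name such as "winlogon" leaves an unmatched tail and yields None."""
    def split(rest):
        if not rest:
            return []
        for word in SOBER_WORDS:
            if rest.startswith(word):
                tail = split(rest[len(word):])
                if tail is not None:
                    return [word] + tail
        return None
    parts = split(name.lower())
    return parts if parts and len(parts) >= 2 else None

def suspicious_run_entries(run_values):
    """run_values: {value_name: data} read from a Run or RunOnce key. Flags entries whose
    value name is a Sober-style word chain AND whose data launches a file of that same name
    (any extension accepted, as the page gives none; RunOnce's trailing " %1" tolerated).
    Heuristic only: treat hits as leads to confirm, not as proof of infection."""
    hits = []
    for value_name, data in run_values.items():
        if sober_tokens(value_name) is None:
            continue
        target = data.strip('"').split(" %1")[0].strip('"')
        if ntpath.splitext(ntpath.basename(target))[0].lower() == value_name.lower():
            hits.append((value_name, data))
    return hits

def dropped_file_hits(system_dir_listing):
    """Entries of a %SYSTEM% listing whose names match the dropped helper files."""
    return sorted(n for n in system_dir_listing if n.lower() in SOBER_DROPPED_FILES)

if __name__ == "__main__":
    run_key = {"diag32service": r'"%SYSTEM%\diag32service.exe %1"',   # constructed sample,
               "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}           # not from a real host
    print(suspicious_run_entries(run_key))
    print(dropped_file_hits(["kernel32.dll", "SYST32WIN.DLL", "winhex32xx.wrm"]))
```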

Payload Details

Last Updated: 12 Nov 2015 11:06:11