Lumension® Endpoint Intelligence Center


Overview

Threat Risk LOW
Destructivity NONE
Payload None
Detection files published
Description created 06 Apr 2004 04:36:00
Description updated 06 Apr 2004 04:36:00
Malware type WORM
Alias Sober.F
Spreading mechanism EMAIL
Summary None

W32/Sober.F@mm

Spreading

When Sober.F starts it checks whether it is running from the %SYSTEM% directory, and if not it copies itself there using a filename built by concatenating words from the following list:

sys, host, dir, expolrer, win, run, log, 32, disc, crypt, data, diag, spool, service, smss32

The worm then creates the following registry values so that it is started with Windows (where <filename> is a name built from the list above, e.g. diag32service):

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\<filename> = "%SYSTEM%\<filename>"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\<filename> = "%SYSTEM%\<filename> %1"

Sober then drops 7 files into the %SYSTEM% directory:

zmndpgwf.kxx: empty
bcegfds.lll: empty
zhcarxxi.vvx: empty
syst32win.dll: used to store harvested email addresses
spoofed_recips.ocx: used to store email addresses
winsys32xx.zzp: a copy of the worm in a Zip archive, BASE64 encoded
winhex32xx.wrm: a BASE64-encoded copy of the worm

Sober then searches for email addresses in files with the following extensions:

.wab, .tbb, .abd, .adb, .pl, .ctl, .dhtm, .cgi, .pp, .ppt, .msg, .jsp, .oft, .vbs, .uin, .ldb, .abc, .pst, .cfg, .mdw, .mbx, .mdx, .mda, .adp, .nab, .fdb, .vap, .dsp, .ade, .sln, .dsw, .mde, .frm, .bas, .adr, .cls, .ini, .ldif, .log, .mdb, .xml, .wsh, .tbb, .abx, .abd, .adb, .pl, .rtf, .mmf, .doc, .ods, .nch, .xls, .nsf, .txt, .wab, .eml, .hlp, .mht, .nfo, .php, .asp, .shtml, .dbx

Each address found is saved to %SYSTEM%\syst32win.dll, provided it does not contain any of these strings:

mailer-daemon, office, redaktion, support, variabel, password, time, postmas, service, freeav, @ca., abuse, winrar, domain., host., viren, ewido., emsisoft, linux, google, @foo., winzip, @arin, mozilla, @iana, @avp, @msn, microsoft., @sophos, @panda, symant, ntp-, ntp@, @ntp., @kaspers, free-av, antivir, virus, verizon., @ikarus., @nai., @messagelab, clock, yahoo.com, yahoo.de, gmx.de, gmx.net, web.de, freenet.de, lycos.de

Sober then begins its replication routine, which sends a mail to every address stored in %SYSTEM%\syst32win.dll using the worm's own SMTP engine.
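The persistence and dropped-file indicators above can be turned into a host triage check. The following Python script is an added example and is not part of the Lumension advisory: the word list, dropped-file names and Run/RunOnce locations are the ones the page gives, while the sample registry dump, the sample directory listing and the helper names (is_sober_style_name, exe_basename, triage) are constructed here for the demonstration. On a live Windows host you would feed it the output of reg query on the two Run keys and a listing of %SystemRoot%\System32 instead of the constructed samples.

```python
"""Triage helper for the W32/Sober.F@mm host indicators described above.

Added example; not part of the Lumension advisory. The word list, dropped
file names and Run/RunOnce locations come from the advisory text. The sample
registry dump and directory listing below are constructed for illustration.
"""
import ntpath

# Words Sober.F concatenates to build its executable name (e.g. diag32service).
SOBER_WORDS = ["sys", "host", "dir", "expolrer", "win", "run", "log", "32",
               "disc", "crypt", "data", "diag", "spool", "service", "smss32"]

# Files the worm drops into %SYSTEM%.
DROPPED_FILES = {"zmndpgwf.kxx", "bcegfds.lll", "zhcarxxi.vvx", "syst32win.dll",
                 "spoofed_recips.ocx", "winsys32xx.zzp", "winhex32xx.wrm"}

RUN_KEYS = (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce")


def is_sober_style_name(name: str, min_words: int = 2) -> bool:
    """True if the stem of `name` is entirely a concatenation of at least
    `min_words` words from SOBER_WORDS. A single word such as 'sys' is too
    common to flag on its own, hence the default of two."""
    stem = ntpath.splitext(name.lower())[0]
    if not stem:
        return False
    # best[i] = largest number of list words that exactly tile stem[:i], or -1.
    best = [-1] * (len(stem) + 1)
    best[0] = 0
    for i in range(1, len(stem) + 1):
        for w in SOBER_WORDS:
            j = i - len(w)
            if j >= 0 and best[j] >= 0 and stem[j:i] == w:
                best[i] = max(best[i], best[j] + 1)
    return best[len(stem)] >= min_words


def exe_basename(value_data: str) -> str:
    """Basename of the program in Run value data such as
    'C:\\WINDOWS\\System32\\diag32service.exe %1' or '"C:\\x y\\t.exe" /q'."""
    s = value_data.strip()
    if s.startswith('"') and '"' in s[1:]:
        first = s[1:s.index('"', 1)]
    else:
        first = s.split(" ")[0]
    return ntpath.basename(first)


def check_run_values(run_dump: dict) -> list:
    """run_dump maps a key path to {value_name: value_data}. Returns
    (key, value_name, data) for Run/RunOnce entries whose value name or
    target program is a Sober-style concatenated name."""
    hits = []
    for key, values in run_dump.items():
        if not key.lower().endswith(("\\run", "\\runonce")):
            continue
        for value_name, data in values.items():
            if is_sober_style_name(value_name) or is_sober_style_name(exe_basename(data)):
                hits.append((key, value_name, data))
    return hits


def check_system_dir(listing) -> list:
    """Return the Sober.F dropped-file names present in a %SYSTEM% listing."""
    return sorted(DROPPED_FILES & {ntpath.basename(n).lower() for n in listing})


def triage(run_dump: dict, listing) -> dict:
    return {"run_values": check_run_values(run_dump),
            "dropped_files": check_system_dir(listing)}


# Constructed sample data: one Sober-style entry beside an ordinary Run value.
SAMPLE_RUN_DUMP = {
    RUN_KEYS[0]: {
        "diag32service": r"C:\WINDOWS\System32\diag32service.exe",
        "SunJavaUpdateSched": r"C:\Program Files\Java\jre\bin\jusched.exe",
    },
    RUN_KEYS[1]: {
        "diag32service": r"C:\WINDOWS\System32\diag32service.exe %1",
    },
}
SAMPLE_SYSTEM_LISTING = ["kernel32.dll", "winlogon.exe", "syst32win.dll",
                         "spoofed_recips.ocx", "winhex32xx.wrm", "svchost.exe"]

if __name__ == "__main__":
    for section, findings in triage(SAMPLE_RUN_DUMP, SAMPLE_SYSTEM_LISTING).items():
        print(section, findings)
```

The name check is a tiling test rather than a substring match so that legitimate names that merely contain a list word (winlogon.exe, spoolsv.exe, services.exe) are not flagged, while diag32service or syshost32 are. Treat a hit as a lead, not a verdict: confirm by hashing the file and checking for the dropped files before acting.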
Possible subject lines, body texts and attachment names are as follows (reproduced verbatim, including misspellings).

Subject (English):

Details
Oh my God
Hey
Hi!
Hi, it's me
hey you
damn
Well, surprise?!
Info
Information
Faulty mail delivery
Mail delivery failed
Mail Error
Illegal signs in Mail-Routing
Connectio failed
Invalid mail sentence length
Mail Delivery failure
Message Error
mail delivery status
Confirmation Required
Bad Gateway
Warning!
Your document

Body (English):

I was surprised, too! :-( Who could suspect something like that?
All OK :) see, what i've found!
hi its me i've found a shity virus on my pc. check your pc, too! follow the steps in this article. bye
I 've told you!:-) sometime I grab your passwords! I hope you accept the result!
Follow the instructions to read the message.
Please read the document
Registration confirmation
Confirmation
Your Password
Your mail account
Your password was changed successfully.
Protected message is attached.
++++ Service: http://www.
++++ Mail To: User-info
*** Auto Mail Delivery System ***
67.28.114.32_failed_after_I_sent_the_message./Remote_host_said:_554_delivery_error:_dd_Sorry_your_message_cannot_be_delivered._This_account_has_been_disabled_or_discontinued_[#102]._-_mta134.mail.dcn.com
** End of Transmission
The original message is a separate attachment.
--- Web: http://www.
--- Mail To: UserHelp
Read the attachment for details.
Bad Gateway: The message has been attached.
+++ A service of +++ http://www.
Mail: home
Database #Error -- Partial message is available! --
Error: llegal signs in Mail-Routing -- Mail Server: ESMTP VX32.9 Version Betha Alpha
Anybody use your accounts!
For further details see the attachment.
I have received your document. The corrected document is attached.
Mail- Attachment: No suspicious Virus signatures
Mail Scanner: No Virus found
Anti-Virus: No Virus!

Attachment (English):

The attachment will arrive with a .pif or .zip extension. Possible filenames are:

Money-Help
text
anitv_text
instructions
your_article
your_passwords
messagedoc
corrected_text-file
attach-message
pass-message
partial
Textdocument
check_this

Note: Sober may also send mails with a German subject line, body text and attachment name.
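The lure strings above are the material a mail gateway or mailbox sweep can match on, but the subjects alone ("Info", "Hey", "Your document") are far too common to block on. The following Python script is an added example and is not part of the Lumension advisory: it takes the subject lines, a few of the more distinctive body fragments, the .pif/.zip extensions and the attachment basenames from the page, and only grades a message as a likely Sober.F lure when lure text and a listed attachment occur together. The sample messages, the dummy attachment bytes and the function names (classify, build_sample) are constructed here for the demonstration.

```python
"""Mail-gateway style check for the W32/Sober.F@mm lures listed above.

Added example; not part of the Lumension advisory. Subject lines, body
fragments, attachment extensions and attachment basenames are taken from the
advisory text. The sample messages are constructed here for illustration.
"""
import email
from email import policy
from email.message import EmailMessage

LURE_SUBJECTS = {s.lower() for s in [
    "Details", "Oh my God", "Hey", "Hi!", "Hi, it's me", "hey you", "damn",
    "Well, surprise?!", "Info", "Information", "Faulty mail delivery",
    "Mail delivery failed", "Mail Error", "Illegal signs in Mail-Routing",
    "Connectio failed", "Invalid mail sentence length", "Mail Delivery failure",
    "Message Error", "mail delivery status", "Confirmation Required",
    "Bad Gateway", "Warning!", "Your document"]}

# A subset of the body texts from the advisory; the most generic ones are left out.
LURE_BODY_FRAGMENTS = [s.lower() for s in [
    "Illegal signs in Mail-Routing", "Protected message is attached.",
    "No suspicious Virus signatures", "Mail Scanner: No Virus found",
    "Anti-Virus: No Virus!", "Follow the instructions to read the message.",
    "Please read the document", "The corrected document is attached."]]

ATTACH_EXTS = {".pif", ".zip"}
ATTACH_STEMS = {"money-help", "text", "anitv_text", "instructions", "your_article",
                "your_passwords", "messagedoc", "corrected_text-file",
                "attach-message", "pass-message", "partial", "textdocument",
                "check_this"}


def classify(raw: bytes):
    """Return (verdict, reasons). 'high' needs lure text plus a listed
    attachment name with a .pif/.zip extension; 'medium' needs such an
    extension plus either lure text or a listed name; otherwise 'none'.
    A matching subject by itself never raises the verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append(f"subject in lure list: {subject!r}")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    for frag in LURE_BODY_FRAGMENTS:
        if frag in body:
            reasons.append(f"body contains lure text: {frag!r}")
            break
    lure_text = bool(reasons)

    ext_hit = stem_hit = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, dot, ext = name.rpartition(".")
        if dot and "." + ext in ATTACH_EXTS:
            ext_hit = True
            reasons.append(f"attachment with .{ext} extension: {name!r}")
            if stem in ATTACH_STEMS:
                stem_hit = True
                reasons.append(f"attachment basename in lure list: {stem!r}")

    if ext_hit and stem_hit and lure_text:
        return "high", reasons
    if ext_hit and (lure_text or stem_hit):
        return "medium", reasons
    return "none", reasons


def build_sample(subject: str, body: str, attach_name: str) -> bytes:
    """Construct a sample message; the attachment is dummy bytes, not a worm."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"dummy attachment contents", maintype="application",
                     subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


SAMPLE_LURE = build_sample("Your document", "Please read the document",
                           "your_passwords.pif")
SAMPLE_GENERIC = build_sample("Info", "Quarterly figures attached.", "report.zip")
SAMPLE_BENIGN = build_sample("Meeting notes", "Notes from today.", "notes.pdf")

if __name__ == "__main__":
    for label, raw in [("lure", SAMPLE_LURE), ("generic", SAMPLE_GENERIC),
                       ("benign", SAMPLE_BENIGN)]:
        verdict, why = classify(raw)
        print(label, verdict, why)
```

The "medium" grade exists because a .zip attachment under an "Info" subject is ordinary business mail; it is worth routing to a quarantine review rather than rejecting outright. Note that the .zip variant carries the worm inside the archive, so a gateway that only inspects the outer filename will still need to open the archive to confirm.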

Payload Details

n/a

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11