Lumension® Endpoint Intelligence Center

W32/Sober.J@mm


Threat Risk LOW
Destructivity LOW
Detection files published 30 Jan 2005 03:00:00
Description created 31 Jan 2005 07:45:00
Description updated 31 Jan 2005 07:45:00
Malware type WORM
Spreading mechanism EMAIL
Summary None

When Sober.J@mm is run it copies itself to %SystemRoot%, constructing its new file name from these strings:

  sys host dir expoler win run log 32 disc crypt data diag spool service smss32

The worm then creates the following registry entries to ensure it is started each time Windows loads:

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "%SystemRoot%\"
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "%SystemRoot%\"

A new value name is generated for each entry from the same wordlist that is used to build the filename.

The worm also creates the following files in the %SystemRoot% directory:

  datamx.dam (Harvested email addresses)
  (MIME encoded archive, containing a copy of the worm)
  dgssxy.yoi (Used to disable previous Sober variants)
  nonrunso.ber (Used to disable previous Sober variants)
  Odin-Anon.Ger (Used to disable previous Sober variants)
  (Harmless text file)
  sysmms32.lla (Used to disable previous Sober variants)

Mail propagation

Sober.J harvests email addresses from files with these extensions:

  pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

As previously mentioned, the worm stores the results in %SystemRoot%\datamx.dam; however, addresses containing any of the following strings are ignored:

  ntp-ntp@ ntp. info@ test@ office @www @from. support smtp- @smtp. gold-certs ftp. .dial. .ppp. anyone subscribe announce @gmetref sql. someone nothing you@ user@ reciver@ somebody secure me@ whatever@ whoever@ anywhere yourname mustermann@ .kundenserver. mailer-daemon variabel password noreply -dav law2 .sul.t- .qmail@ t-ipconnect t-dialin time postmas service freeav @ca. abuse winrar domain. host. viren bitdefender spybot detection ewido. emsisoft linux google @foo. winzip @example. bellcore. @arin mozilla @iana @avp icrosoft. @sophos @panda @kaspers free-av antivir virus verizon. @ikarus. @nai. @messagelab nlpmail01. clock

Next, Sober.J mails itself to all harvested addresses. Mails may appear in English or German, with the following characteristics:

Subject

  I've got YOUR email on my account!!
  Ey du DOOF Nase, warum beantw...

Body (English)

  Hello,
  First, Sorry for my very bad English!
  Someone send your private mails on my email account!
  I think it's an Mail-Provider or SMTP error.
  Normally, I delete such emails immediately, but in the mail-text is a name& adress. I think it's your name and adress.
  In the last 8 days i've got 7 mails in my mail-box, but the recipient are
  you, not me. lol
  OK, I've copied all email text in the Windows Text-Editor and i've zipped
  the text file with WinZip.
  The sender of this mails is in the text file, too.
  bye

Body (German)

  Warum beantwortest Du meine E-Mails nicht?
  Kommen meine Mails nicht mehr bei dir an oder so???
  Habe mir jetzt extra eine neue Mail Adresse bei GMX gemacht!
  Ich hoffe mal, das sie jetzt zu dir durch dringen wird.
  In meinen anderen Mails habe ich einige Wichtige Dinge niedergeschrieben,
  hatte aber keine Lust alles nochmal zu schreiben.
  Deshalb habe ich die alten Mail-Texte im Texteditor kopiert und mit Winzip
  kleiner gemacht.
  Lesen und diesmal auch bescheid geben!!!!
  tschau.....

English translation of the German body:

  Why aren't you answering my e-mails?
  Aren't my mails reaching you any more, or what???
  I've gone and set up a new mail address at GMX just for this!
  I hope it will get through to you this time.
  In my other mails I wrote down some important things,
  but I didn't feel like writing it all again.
  So I copied the old mail texts into the text editor and made them smaller with WinZip.
  Read them and let me know this time!!!!
  bye.....

Attachment

The attachment is named
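The indicators above (the file-name wordlist, the Run-key entries, the dropped files and the subject lines) can be turned into offline hunt checks over exported host and mail data. The Python below is an added example, not Lumension's tooling or the worm's code; the registry export shape (hive, value name, value data), the Windows-directory spellings it accepts, and all sample inputs are assumptions constructed for the demonstration.

```python
# Strings the worm builds its file name and Run-key value names from (per the description).
SOBER_WORDS = ["sys", "host", "dir", "expoler", "win", "run", "log", "32", "disc",
               "crypt", "data", "diag", "spool", "service", "smss32"]
# Dropped files the description names in %SystemRoot%.
SOBER_FILES = {"datamx.dam", "dgssxy.yoi", "nonrunso.ber", "odin-anon.ger", "sysmms32.lla"}
# Subject prefixes (the German subject is truncated on the page, hence prefix matching).
SOBER_SUBJECTS = ["i've got your email on my account!!", "ey du doof nase, warum beantw"]
# Spellings accepted as the Windows directory (assumption: typical installs).
WINDOWS_DIRS = {"%systemroot%", r"c:\windows", r"c:\winnt"}

def built_from_wordlist(name: str) -> bool:
    """True if the file name (minus extension) segments entirely into SOBER_WORDS."""
    stem = name.lower().rsplit(".", 1)[0]
    def seg(s: str) -> bool:
        return s == "" or any(s.startswith(w) and seg(s[len(w):]) for w in SOBER_WORDS)
    return stem != "" and seg(stem)

def suspicious_run_entries(entries):
    """entries: (hive, value_name, value_data) from the ...\\CurrentVersion\\Run keys.
    Flags an entry only when the value name AND the target file name are wordlist
    constructions and the target lives in the Windows directory; that keeps a
    legitimate name such as 'runlog' under Program Files from firing."""
    hits = []
    for hive, vname, data in entries:
        target = data.strip('"')
        directory, _, fname = target.replace("/", "\\").rpartition("\\")
        if (directory.lower() in WINDOWS_DIRS and built_from_wordlist(vname)
                and built_from_wordlist(fname)):
            hits.append((hive, vname, target))
    return hits

def dropped_file_hits(listing):
    """listing: file names found in %SystemRoot%; returns the Sober.J artefacts present."""
    return sorted(f for f in listing if f.lower() in SOBER_FILES)

def suspicious_subjects(subjects):
    """Mail subjects matching the worm's subject lines, compared case-insensitively."""
    return [s for s in subjects if any(s.lower().startswith(k) for k in SOBER_SUBJECTS)]

# Constructed sample data (not from a real host).
SAMPLE_RUN = [
    ("HKLM", "crypt32", r'"%SystemRoot%\windisc32.exe"'),
    ("HKCU", "logdiag", r"C:\WINDOWS\spoolservice.exe"),
    ("HKLM", "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("HKLM", "runlog", r"C:\Program Files\runlog\runlog.exe"),
]
SAMPLE_LISTING = ["explorer.exe", "datamx.dam", "Odin-Anon.Ger", "win.ini"]
SAMPLE_SUBJECTS = ["I've got YOUR email on my account!!", "Weekly report", "Ey du DOOF Nase, warum beantwortest du nicht?"]
```

The wordlist check is a triage heuristic, not a verdict: short legitimate names can also segment into these tokens, which is why the Run-key check requires both the value name and the target file name to match and the target to sit in the Windows directory.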

Payload Details

Last Updated: 12 Nov 2015 11:06:15