Lumension® Endpoint Intelligence Center


Overview

Threat Risk: HIGH
Destructivity: LOW
Payload: Terminates AV processes.
Detection files published: 05 Oct 2005 03:00:00
Description created: 06 Oct 2005 12:23:00
Description updated: 06 Oct 2005 12:23:00
Malware type: WORM
Aliases: CME-151, W32.Sober.Q@mm, W32/Sober.Y.worm, W32/Sober-O, WORM_SOBER.AC
Spreading mechanism: EMAIL
Summary: None

W32/Sober.R@mm

Spreading

When executed, the worm shows a bogus error message ("CRC Header must be $7ff8") and then installs itself on the system. It then searches available sources for email addresses to send itself to.
Sober detects the recipient's country and selects English or German text accordingly. English text is shown here.
File system changes:
Creates \ConnectionStatus\services.exe   (the worm itself)
Creates \ConnectionStatus\netslot.nst    (MIME-encoded copy)
Creates \ConnectionStatus\socket.dli     (gathered email addresses)
It also creates the following empty files, which has the effect that older Sober variants will not run:
Creates \System32\bbvmwxxf.hml
Creates \System32\gdfjgthv.cvq
Creates \System32\langeinf.lin
Creates \System32\nonrunso.ber
Creates \System32\rubezahl.rub
Creates \System32\seppelmx.smx

Registry changes:
Adds the value _WinINet = \ConnectionStatus\services.exe under the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds the value WinINet = \ConnectionStatus\services.exe under the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run
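
The file and registry artifacts listed above can be checked for on a host from a file listing and a `reg export` of the Run keys; the script below is an added example, not part of the Lumension description or any vendor tool. It assumes the `\ConnectionStatus` and `\System32` paths sit under a base directory the description does not name, so it matches on the path tail; the sample listing and .reg text are constructed.

```python
import re

# Indicators from "File system changes" and "Registry changes" above (paths are as the
# description gives them, relative to a base directory it does not name; assumption).
SOBER_R_FILES = {p.lower() for p in (
    r"ConnectionStatus\services.exe", r"ConnectionStatus\netslot.nst",
    r"ConnectionStatus\socket.dli", r"System32\bbvmwxxf.hml", r"System32\gdfjgthv.cvq",
    r"System32\langeinf.lin", r"System32\nonrunso.ber", r"System32\rubezahl.rub",
    r"System32\seppelmx.smx")}
SOBER_R_RUN_VALUES = {"WinINet", "_WinINet"}
SOBER_R_RUN_TARGET = r"\connectionstatus\services.exe"
RUN_KEY_RE = re.compile(r"^\[(HKEY_\w+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def find_sober_files(paths):
    """Return listed paths whose tail matches one of the indicator files (case-insensitive)."""
    return [p for p in paths
            if any(p.lower().replace("/", "\\").endswith("\\" + f) for f in SOBER_R_FILES)]

def find_sober_run_entries(reg_export_text):
    """Scan a .reg-style export for the worm's autostart values under HKCU/HKLM ...\\Run."""
    hits, hive = [], None
    for line in map(str.strip, reg_export_text.splitlines()):
        if line.startswith("["):                  # new key: only the Run keys are of interest
            key = RUN_KEY_RE.match(line)
            hive = key.group(1).upper() if key else None
            continue
        val = VALUE_RE.match(line)
        if hive and val:
            name, data = val.group(1), val.group(2).replace("\\\\", "\\")  # undo .reg escaping
            if name in SOBER_R_RUN_VALUES or data.lower().endswith(SOBER_R_RUN_TARGET):
                hits.append((hive, name, data))
    return hits

# Constructed sample file listing and .reg export (not from a real host).
SAMPLE_FILE_LISTING = [
    r"C:\WINDOWS\ConnectionStatus\services.exe", r"C:\WINDOWS\System32\nonrunso.ber",
    r"C:\WINDOWS\System32\kernel32.dll"]
SAMPLE_REG_EXPORT = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"_WinINet"="C:\\WINDOWS\\ConnectionStatus\\services.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinINet"="C:\\WINDOWS\\ConnectionStatus\\services.exe"
'''

if __name__ == "__main__":
    print(find_sober_files(SAMPLE_FILE_LISTING))
    print(find_sober_run_entries(SAMPLE_REG_EXPORT))
```

A real listing (for example the output of a recursive directory listing) and a real export of both Run keys can be fed to the two functions in place of the constructed samples.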
File types searched for email addresses:
pmr, phtm, stm, slk, inbox, imb, csv, bak, imh, xhtml, imm, imh, cms, nws, vcf, ctl, dhtm, cgi, pp, ppt, msg, jsp, oft, vbs, uin, ldb, abc, pst, cfg, mdw, mbx, mdx, mda, adp, nab, fdb, vap, dsp, ade, sln, dsw, mde, frm, bas, adr, cls, ini, ldif, log, mdb, xml, wsh, tbb, nbsp, abx, abd, adb, pl, rtf, mmf, doc, ods, nch, xls, nsf, txt, wab, eml, hlp, mht, nfo, php, asp, shtml, dbx

Payload Details

This worm terminates certain processes related to antivirus products, including Microsoft's Malware Removal Tool (MRT), and shows a reassuring message that no viruses or spyware were found.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:15