Lumension® Endpoint Intelligence Center


Overview

Threat Risk MEDIUM
Destructivity NONE
Payload
Detection files published
Description created 22 Nov 2005 05:59:00
Description updated 22 Nov 2005 05:59:00
Malware type WORM
Alias CME ID 681, WORM_SOBER.AG, W32.Sober.X@mm, Win32.Sober.W, Sober.Y
Spreading mechanism EMAIL
Summary None

W32/Sober.AA@mm

Spreading

When executed, the worm shows a bogus error message ("Error in packed Header") and then installs itself on the system. It then searches available sources for email addresses to send itself to.
Sober detects the recipient's country and selects English or German message text accordingly.
File system changes:
Creates \WinSecurity\services.exe (the worm itself)
Creates \WinSecurity\smss.exe (same)
Creates \WinSecurity\csrss.exe (same)
Creates \WinSecurity\mssock1.dli (gathered email addresses)
Creates \WinSecurity\mssock2.dli (same)
Creates \WinSecurity\mssock3.dli (same)
Creates \WinSecurity\winmem1.ory (same)
Creates \WinSecurity\winmem2.ory (same)
Creates \WinSecurity\winmem3.ory (same)
Creates \WinSecurity\socket1.ifo (MIME-encoded copy)
Creates \WinSecurity\socket1.ifo (same)
Creates \WinSecurity\socket1.ifo (same)
Creates \WinSecurity\starter.run (empty file)

It also creates the following empty files, which have the effect that older Sober variants will not run:

Creates \System32\bbvmwxxf.hml
Creates \System32\langeinf.lin
Creates \System32\nonrunso.ber
Creates \System32\rubezahl.rub
Creates \System32\filesms.fms
Creates \System32\runstop.rst

Registry changes:
Adds the value _Windows = \WinSecurity\services.exe under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds the value Windows = \WinSecurity\services.exe under HKLM\Software\Microsoft\Windows\CurrentVersion\Run
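As an added example (not part of this Lumension description), the following Python groups file paths and Run-key entries from a host inventory by the roles listed above. It matches on the parent directory name only, so it assumes nothing about which drive or Windows directory the \WinSecurity folder sits under; the inventory it scans is constructed sample data.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

# Indicator tables copied from the description; all names are compared case-insensitively.
ROLE_BY_NAME = {
    "services.exe": "worm copy", "smss.exe": "worm copy", "csrss.exe": "worm copy",
    **{n: "harvested addresses" for n in ("mssock1.dli", "mssock2.dli", "mssock3.dli",
                                          "winmem1.ory", "winmem2.ory", "winmem3.ory")},
    "socket1.ifo": "MIME-encoded copy", "starter.run": "empty starter file",
}
# Empty marker files in System32 that stop older Sober variants from running.
INHIBITOR_MARKERS = {"bbvmwxxf.hml", "langeinf.lin", "nonrunso.ber",
                     "rubezahl.rub", "filesms.fms", "runstop.rst"}
RUN_KEYS = {r"hkcu\software\microsoft\windows\currentversion\run",
            r"hklm\software\microsoft\windows\currentversion\run"}

def classify_path(path: str) -> Optional[str]:
    """Return the indicator role of a file path, or None for a clean path."""
    # The worm copies borrow legitimate process names (services.exe, smss.exe, csrss.exe), so the
    # parent directory decides: System32\services.exe is clean, WinSecurity\services.exe is not.
    directory, name = ntpath.split(path)
    parent, name = ntpath.basename(directory).lower(), name.lower()
    if parent == "winsecurity":
        return ROLE_BY_NAME.get(name)
    if parent == "system32" and name in INHIBITOR_MARKERS:
        return "inhibitor marker"
    return None

def classify_run_value(key: str, name: str, data: str) -> Optional[str]:
    """Flag a Run-key value whose command points at the worm's services.exe."""
    if key.lower() in RUN_KEYS and data.lower().endswith(r"\winsecurity\services.exe"):
        return f"autorun ({name})"
    return None

def scan(paths: List[str], run_values: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group matching artefacts by role; unrecognised entries are left out."""
    hits: Dict[str, List[str]] = {}
    for p in paths:
        if role := classify_path(p):
            hits.setdefault(role, []).append(p)
    for key, name, data in run_values:
        if role := classify_run_value(key, name, data):
            hits.setdefault(role, []).append(f"{key}\\{name} = {data}")
    return hits

# Constructed inventory: the legitimate System32\services.exe must not be flagged.
SAMPLE_FILES = [r"C:\Windows\System32\services.exe", r"C:\WINDOWS\WinSecurity\Services.EXE",
                r"C:\Windows\WinSecurity\mssock1.dli", r"C:\Windows\System32\nonrunso.ber"]
SAMPLE_RUN = [(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "_Windows",
               r"C:\Windows\WinSecurity\services.exe")]
```

Calling scan(SAMPLE_FILES, SAMPLE_RUN) reports the WinSecurity copy, the address store, the System32 marker and the HKCU autorun entry, while the genuine System32\services.exe produces no finding.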

Payload Details

n/a

Analysis

n/a

Removal

This worm was proactively detected by Lumension Sandbox as Sober.gen.


Last Updated: 12 Nov 2015 11:06:11