W32/Sober.k@MM
- Type: Virus
- SubType: Email Worm
- Discovery Date: 01/30/2005
- Length: 43,247 bytes (packed)
- Minimum DAT: 4424 (01/31/2005)
- Updated DAT: 4633 (11/21/2005)
- Minimum Engine: 5.1.00
- Description Added: 01/31/2005
- Description Modified: 02/25/2005 11:58 AM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update February 25, 2005 --
The assessment of this threat has been downgraded to Low-Profiled due to a decrease in prevalence.
--
-- Update January 31st 2005 --
Due to increased prevalence, the risk assessment of this threat has been increased to medium. The 4424 DAT files have been released early to address this threat.
Stinger has also been updated to detect and remove this threat.
--
This new variant, which is written in VB, bears the following characteristics:
- contains its own SMTP engine
- source/target email addresses are harvested from the victim machine
- outgoing messages may be in English or German
- spoofs the "From" header of constructed messages
The worm is packed with UPX.
Mail Propagation
The worm extracts target email addresses from the victim machine and writes them to the file DATAMX.DAM in %SysDir%. For example:
- C:\WINNT\SYSTEM32\DATAMX.DAM
The worm will construct messages using German or English text, depending upon the recipient email address. For recipient addresses containing any of the following, German text is used:
- .de
- .at
- .ch
Below are the email formats that the worm uses:
(German version)
Subject:
Ey du DOOF Nase, warum beantw...
Body:
Warum beantwortest Du meine E-Mails nicht?
Kommen meine Mails nicht mehr bei dir an oder so???
Habe mir jetzt extra eine neue Mail Adresse bei GMX gemacht!
Ich hoffe mal, das sie jetzt zu dir durch dringen wird.
In meinen anderen Mails habe ich einige Wichtige Dinge niedergeschrieben, hatte aber keine Lust alles nochmal zu schreiben.
Deshalb habe ich die alten Mail-Texte im Texteditor kopiert und mit Winzip kleiner gemacht.
Lesen und diesmal auch bescheid geben!!!!
tschau.....
Attachment:
TEXTE.ZIP
(English version)
Subject:
I've got YOUR email on my account!!
Body:
Hello,
First, Sorry for my very bad English!
Someone send your private mails on my email account!
I think it's an Mail-Provider or SMTP error.
Normally, I delete such emails immediately, but in the mail-text is a name & adress. I think it's your name and adress.
In the last 8 days i've got 7 mails in my mail-box, but the recipient are you, not me. lol OK,
I've copied all email text in the Windows Text-Editor and i've zipped the text file with WinZip. The sender of this mails is in the text file, too.
bye
Attachment:
- EMAIL_TEXT.ZIP or
- TEXT.ZIP
The ZIP archive contains a copy of the worm with the following filename:
- MAIL_TEXT-INFO.TXT (many spaces) .PIF
The importance of the mail is set to "High" (this will only have an effect for certain mail clients).
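As an added defender-side example (not part of the original description), the following Python checks a single outgoing message for the lure characteristics listed above: one of the known subjects, one of the known ZIP attachment names, the "High" importance flag, and a ZIP member whose .TXT name is padded with spaces before a .PIF extension. The sample message is constructed inline and its ZIP member is inert text, not the worm.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Lure strings taken from the description above.
KNOWN_SUBJECTS = {"ey du doof nase, warum beantw...",
                  "i've got your email on my account!!"}
KNOWN_ZIP_NAMES = {"texte.zip", "email_text.zip", "text.zip"}
# A document-looking name, a long run of spaces, then an executable extension.
PADDED_EXE_RE = re.compile(r"\.(txt|doc)\s{5,}\.(pif|exe|scr|com)$", re.IGNORECASE)


def sober_indicators(raw: bytes) -> list[str]:
    """Return the Sober.K lure indicators present in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in KNOWN_SUBJECTS:
        hits.append("known-subject")
    if (msg.get("Importance") or "").lower() == "high":
        hits.append("high-importance")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() in KNOWN_ZIP_NAMES:
            hits.append("known-zip-name")
        data = part.get_payload(decode=True) or b""
        if data[:2] != b"PK":
            continue  # not a ZIP archive, nothing more to inspect here
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(PADDED_EXE_RE.search(n) for n in zf.namelist()):
                    hits.append("padded-pif-in-zip")
        except zipfile.BadZipFile:
            hits.append("corrupt-zip")
    return hits


def build_sample() -> bytes:
    """Constructed message shaped like the English lure; the ZIP member is plain text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MAIL_TEXT-INFO.TXT" + " " * 40 + ".PIF", "not an executable")
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.invalid"  # the worm spoofs From
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "I've got YOUR email on my account!!"
    msg["Importance"] = "High"
    msg.set_content("Hello,\nFirst, Sorry for my very bad English!\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="EMAIL_TEXT.ZIP")
    return msg.as_bytes()
```

A gateway rule would normally act on two or more indicators together, since the subject strings alone are easily changed by later variants.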
Email addresses are harvested from files with the following extensions on the victim's machine:
abc; abd; abx; adb; ade; adp; adr; asp; bak; bas; cfg; cgi; cls; cms; csv; ctl; dbx; dhtm; doc; dsp; dsw; eml; fdb; frm; hlp; imb; imh; imh; imm; inbox; ini; jsp; ldb; ldif; log; mbx; mda; mdb; mde; mdw; mdx; mht; mmf; msg; nab; nch; nfo; nsf; nws; ods; oft; php; phtm; pl; pmr; pp; ppt; pst; rtf; shtml; slk; sln; stm; tbb; txt; uin; vap; vbs; vcf; wab; wsh; xhtml; xls; xml;
The worm avoids sending out mails to addresses containing the following strings:
- .dial.
- .kundenserver.
- .ppp.
- @arin
- @avp
- @ca.
- @example.
- @foo.
- @from.
- @gmetref
- @iana
- @ikarus.
- @kaspers
- @messagelab
- @nai.
- @panda
- @smtp.
- @sophos
- @www
- abuse
- announce
- antivir
- anyone
- anywhere
- bellcore.
- bitdefender
- clock
- -dav
- detection
- domain.
- emsisoft
- ewido.
- freeav
- free-av
- ftp.
- gold-certs
- host.
- icrosoft.
- info@
- ipt.aol
- law2.
- linux
- mailer-daemon
- me@
- mozilla
- mustermann@
- nlpmail01.
- noreply
- nothing
- ntp-
- ntp.
- ntp@
- office
- password
- postmas
- qmail@
- reciver@
- secure
- service
- smtp-
- somebody
- someone
- spybot
- sql.
- subscribe
- sul.t-
- support
- t-dialin
- test@
- time
- t-ipconnect
- user@
- variabel
- verizon.
- viren
- virus
- whatever@
- whoever@
- winrar
- winzip
- you@
- yourname
Symptoms
Installation
Upon execution, a message is displayed using Notepad on the victim machine.
The worm carries a pool of strings which it uses to construct the filename and Registry keys it uses for installing itself on the victim machine:
- sys
- host
- dir
- expoler
- win
- run
- log
- 32
- disc
- crypt
- data
- diag
- spool
- service
- smss32
The constructed filename always has an EXE extension. The worm installs itself into the Windows system directory using this constructed filename, for example:
- C:\WINDOWS\SYSTEM32\SYSSPOOLDISC.EXE
The following files are also dropped into %SysDir%:
- DATAMX.DAM (contains harvested email addresses)
- DGSFZIPP.GMX (59,504 bytes, copy of the worm in a ZIP, base64 encoded)
Additionally, the following zero-byte files are dropped:
- dgssxy.yoi (0 bytes)
- nonrunso.ber (0 bytes)
- Odin-Anon.Ger (0 bytes)
- sysmms32.lla (0 bytes)
The worm adds two Registry keys to run the copy of itself at system startup. The name of the key is also constructed from the pool of strings the worm carries. For example:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "adisccrypt" = %SYSDIR%\sysspooldisc.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "dircryptlog" = %SYSDIR%\sysspooldisc.exe
(where %SYSDIR% is C:\Windows\System32 or C:\Winnt\System32)
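As an added example (not a vendor tool), this Python heuristic applies the naming scheme described above in reverse for triage: it reports whether a Run entry's EXE name can be written as three tokens from the pool, and whether the value name is two or more tokens plus the single stray character seen in the page's examples ("adisccrypt", "wincryptx"). The Run-key export lines are a constructed sample in the shape of `reg query` output.

```python
import re

# Token pool copied from the description; the worm joins three tokens for its
# EXE name and roughly two (plus a stray character) for the Run value name.
POOL = ("sys", "host", "dir", "expoler", "win", "run", "log", "32",
        "disc", "crypt", "data", "diag", "spool", "service", "smss32")

# Constructed sample in the shape of `reg query ...\Run` output (not real data).
SAMPLE_RUN_EXPORT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    dircryptlog    REG_SZ    C:\WINDOWS\system32\sysspooldisc.exe
    SoundMAX       REG_SZ    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    hostexpoler    REG_SZ    C:\WINNT\system32\runlog32.exe
    ctfmon.exe     REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""


def max_tokens(stem: str) -> int:
    """Largest number of pool tokens that concatenate exactly to `stem` (0 if none)."""
    stem = stem.lower()
    best = [0] + [-1] * len(stem)  # best[i] = max tokens covering stem[:i], -1 = impossible
    for i in range(1, len(stem) + 1):
        for t in POOL:
            j = i - len(t)
            if j >= 0 and best[j] >= 0 and stem[j:i] == t:
                best[i] = max(best[i], best[j] + 1)
    return max(best[-1], 0)


def filename_is_suspicious(stem: str) -> bool:
    """EXE names on the page are always exactly three tokens."""
    return max_tokens(stem) >= 3


def value_name_is_suspicious(name: str) -> bool:
    """Value names are two or more tokens, optionally with one stray leading/trailing character."""
    candidates = (name, name[1:], name[:-1])
    return any(max_tokens(c) >= 2 for c in candidates if c)


def flag_run_entries(export: str) -> list[str]:
    """Return Run value names whose EXE name or value name looks machine-built from POOL."""
    flagged = []
    for line in export.splitlines():
        m = re.match(r"^\s+(\S+)\s+REG_\w+\s+(.+?)\s*$", line)
        if not m:
            continue  # key header or blank line
        name, data = m.groups()
        exe = re.search(r"([^\\/]+)\.exe$", data, re.IGNORECASE)
        if (exe and filename_is_suspicious(exe.group(1))) or value_name_is_suspicious(name):
            flagged.append(name)
    return flagged
```

Short tokens such as "win", "log" and "32" can combine into legitimate-looking names, so treat a hit as a lead to confirm against the file in %SysDir%, not as proof on its own.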
Network Traffic
Symptoms indicating the worm's presence on a network include:
- outgoing messages matching the characteristics described here
- unexpected NTP traffic on port 37 TCP
- unexpected attempts to log into several GMX accounts (POP3)
- unexpected outgoing DNS queries to DNS servers on the Internet for one or more of the following domains:
- microsoft.com
- bigfoot.com
- yahoo.com
- t-online.de
- google.com
- hotmail.com
The worm also tries to download and execute files from the following HTTP URLs:
- people.freenet.de/[omitted]/vgan.ncy
- people.freenet.de/[omitted]/kdeu.exe
- people.freenet.de/[omitted]/mivrb.exe
- people.freenet.de/[omitted]/rop.umu
- free.pages.at/[omitted]/svoo.exe
- home.arcor.de/[omitted]/qyy.hrh
- home.pages.at/[omitted]/cojfx.hyfgo
- scifi.pages.at/[omitted]/qsfqs.alxe
At the time of writing, no executable files are hosted at those URLs.
Method of Infection
This worm is intended to spread by sending itself to email addresses found on the local system. Users must choose to run the attached files in order to become infected.
Removal
All Users:
The specified engine and DAT files provide detection and removal for a system that is not actively infected (where the virus is not loaded in memory).
Please Note: Given the nature of this threat, the 4.4.00 scan engine is required to detect and repair this threat on an actively infected system.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Stinger
Stinger has been updated to detect and remove this threat.
Manual removal
The worm processes can be terminated manually using the Task Manager.
In the first step, the two running processes of the worm need to be found and terminated. As mentioned above, however, the worm uses various filenames constructed from the following strings:
- sys
- host
- dir
- expoler
- win
- run
- log
- 32
- disc
- crypt
- data
- diag
- spool
- service
- smss32
Three of these strings are used to construct filenames, for example:
- datadiscwin.exe
- cryptservice.exe
- runlog32.exe
The strings are also used to construct the name of the Registry Run entry that is added to hook system startup, for example:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run "hostexpoler"
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run "wincryptx"
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "disccryptx"
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "runsmss32"
Locate these keys and identify the two filenames that the worm uses on the victim machine.
Open the Task Manager, switch to the 'Processes' tab, look for the two processes with these filenames and press the 'End Process' button.
After both processes are terminated, delete the Registry keys mentioned above.
McAfee Intrushield
An IntruShield User-Defined Signature (UDS) has been created to detect this threat and is available for download at:
https://mysupport.nai.com/
Knowledgebase Article KB38001
Please note: The above knowledgebase article is password protected and requires you to log into the Service Portal before accessing it.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- Email-Worm.Win32.Sober.j (AVP)
- W32.Sober.J@mm (Symantec)
- W32/Reblin
- W32/Sober-J (Sophos)
- WORM_SOBER.J (Trend)