W32/Sober.r@MM

Type: Virus
SubType: E-mail
Discovery Date: 10/05/2005
Length: 113,551 bytes
Minimum DAT: 4598 (10/05/2005)
Updated DAT: 4984 (03/14/2007)
Minimum Engine: 5.1.00
Description Added: 10/05/2005
Description Modified: 10/11/2005 11:05 PM (PT)
Risk Assessment
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update October 11, 2005 --
Due to a decrease in prevalence, the risk assessment has been lowered to Low-Profiled.

-- Update October 5, 2005 19:45 PDT --
The risk assessment of this threat has been raised to Medium due to prevalence.

If you think that you may be infected with Sober.r and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products can detect and remove the virus with the latest update (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From address.

This mass-mailing email virus arrives in an email message with one of the following attachment names:

  • KlassenFoto.zip
  • pword_change.zip
  • screen_photo.zip
  • privat-photo.zip

Inside the ZIP archive is a file named PW_Klass.Pic.packed-bitmap.exe or Screen_Photo.jpeg-graphic1.exe.

Like many Sober variants, this variant uses several different email messages randomly, in either English or German depending on the version of Windows.

An example of a randomly generated German message is as follows:

Subject: Fwd: Klassentreffen
Body:
ich hoffe jetzt mal das ich endlich die richtige person erwischt habe! ich habe jedenfalls mal unser klassenfoto von damals mit angehängt. wenn du dich dort wiedererkennst, dann schreibe unbedingt zurück!!

wenn ich aber wieder mal die falsche person erwischt habe, dann sorry für die belästigung ;)

liebe grüße
Rita,

An example of a randomly generated English message is as follows:

Subject: Your new Password
Body:
Your password was successfully changed! Please see the attached file for detailed information.

Another example of a randomly generated German message is as follows:

Subject: Bcc: Ich habe Ihre Mail erhalten!
Body:
Danke für Ihre Mail ....
Sie haben aber Ihre Mail wahrscheinlich falsch adressiert,,, nämlich an mich. Ich kenne sie aber nicht!

Oder Ihr Provider hat die Mail falsch weiter geleitet!?

Um mich zu entlasten, schicke ich Ihnen das (...) Foto wieder zurück.


MfG
Sende

Another example of a randomly generated English message is as follows:

Subject: I've got your mail on my account!
Body:
hello,
First I must say, my English is very very bad! Sorry about this.

Ok, I've got an email in my box, but this email is not for me, because,,, I'm not the recipient! The recipient are YOU !!!

This must be an email provider error, but I don't know!
I have made a Screenshot about this mail and saved in a zipped jpeg graphic file for you.


ok then,
by
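As an added example (not part of the McAfee advisory), the following Python script shows how a mail gateway or triage tool can flag the lure described above: it matches the listed attachment names, lists the ZIP members without extracting or running them, and applies the general pattern behind the member names (an executable posing as an image through a double extension). The message and ZIP it builds are constructed sample data; the example.invalid addresses and the helper names are assumptions.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the advisory above (compared case-insensitively).
KNOWN_ATTACHMENTS = {"klassenfoto.zip", "pword_change.zip", "screen_photo.zip", "privat-photo.zip"}
KNOWN_MEMBERS = {"pw_klass.pic.packed-bitmap.exe", "screen_photo.jpeg-graphic1.exe"}
# Generic rule behind those names: an executable posing as an image via a double extension.
DISGUISED_EXE = re.compile(r"\.(jpe?g|gif|bmp|png|pic|bitmap|graphic\d*)[^/\\]*\.(exe|pif|scr|com|bat)$", re.I)

def inspect_zip(data: bytes) -> list:
    """Return the reasons a ZIP payload looks like a Sober.r lure (empty list if clean)."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                base = name.rsplit("/", 1)[-1].lower()
                if base in KNOWN_MEMBERS:
                    reasons.append(f"known Sober.r member name: {name}")
                elif DISGUISED_EXE.search(base):
                    reasons.append(f"executable disguised as image: {name}")
    except zipfile.BadZipFile:
        reasons.append("attachment is not a valid ZIP archive")
    return reasons

def scan_message(raw: bytes) -> list:
    """Scan a raw RFC 822 message; ZIP attachments are listed, never extracted or executed."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname in KNOWN_ATTACHMENTS:
            findings.append(f"known Sober.r attachment name: {fname}")
        if fname.endswith(".zip"):
            findings.extend(inspect_zip(part.get_payload(decode=True) or b""))
    return findings

def build_sample(member: str = "PW_Klass.Pic.packed-bitmap.exe",
                 attachment: str = "KlassenFoto.zip") -> bytes:
    """Constructed lure mail (not a real capture) carrying a ZIP with one dummy member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"MZ placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "rita@example.invalid"  # forged sender, as the advisory notes
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Fwd: Klassentreffen"
    msg.set_content("ich hoffe jetzt mal das ich endlich die richtige person erwischt habe!")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=attachment)
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` reports both the known attachment name and the known member name; passing a different member such as `"holiday.jpg.exe"` exercises only the generic double-extension rule.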

Symptoms

When the ZIP archive is extracted and the contained PIF file is manually executed, the virus may display a fake error message.

The worm copies itself to a newly created directory in the WINDOWS directory and creates registry Run values to load itself at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run " WinINet" = C:\WINDOWS\ConnectionStatus\services.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "_WinINet" = C:\WINDOWS\ConnectionStatus\services.exe

The following files are created:

  • c:\WINDOWS\ConnectionStatus\netslot.nst
  • c:\WINDOWS\ConnectionStatus\services.exe
  • c:\WINDOWS\ConnectionStatus\socket.dli

It also drops these zero-size files:

  • c:\WINDOWS\system32\bbvmwxxf.hml
  • c:\WINDOWS\system32\gdfjgthv.cvq
  • c:\WINDOWS\system32\langeinf.lin
  • c:\WINDOWS\system32\nonrunso.ber
  • c:\WINDOWS\system32\rubezahl.rub
  • c:\WINDOWS\system32\seppelmx.smx

Further symptoms:

  • Desktop firewalls displaying alerts due to the network activity of the worm:
    • Outgoing network traffic to TCP port 587
    • Outgoing network traffic to TCP port 37
    • Outgoing network traffic to TCP port 80 to the following domains:
      • people.freenet.de
      • home.arcor.de
      • home.pages.at
      • free.pages.at
      • scifi.pages.at

    NOTE: The worm tries to download and execute files from these domains. The exact URL is generated from the current date and is likely to change over the following days and weeks, but the host address/domain will remain.
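The registry and file indicators above can be checked offline against a .reg export of the Run keys. The following Python script is an added example, not McAfee's code: it parses such an export, then flags values that point at the dropped services.exe or reuse the worm's value names (including the WinStart names listed in the Removal section). The export it checks is constructed sample data, and the benign SoundMAX entry is made up for contrast.

```python
import re

# Persistence indicators from the advisory. Note the value names: " WinINet" carries a
# leading space and "_WinINet" an underscore, so they sort to the top of the Run key and
# resemble the legitimate WinINet component at a glance. (Constructed example, not McAfee's.)
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
DROPPED_PATH = re.compile(r"\\ConnectionStatus\\services\.exe$", re.I)
SUSPECT_NAMES = {"wininet", "winstart"}  # the removal section also lists a "WinStart" value

def parse_reg_export(text: str) -> dict:
    """Parse the subset of .reg syntax Run keys use: [key] headers and "name"="data" lines."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                name, data = m.group(1), m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    data = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
                keys[current][name] = data
    return keys

def find_sober_persistence(text: str) -> list:
    """Flag Run values that point at the dropped services.exe or reuse the worm's value names."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            if DROPPED_PATH.search(data) or name.strip(" _").lower() in SUSPECT_NAMES:
                hits.append(f'{key} "{name}" = {data}')
    return hits

# Constructed .reg export (sample data, not from a real machine) with one benign entry
# and the two values the advisory lists.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe"
" WinINet"="C:\\WINDOWS\\ConnectionStatus\\services.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"_WinINet"="C:\\WINDOWS\\ConnectionStatus\\services.exe"
"""

if __name__ == "__main__":
    print("\n".join(find_sober_persistence(SAMPLE_REG)) or "no Sober.r persistence found")
```

The value-name check is a heuristic: a legitimate value literally named WinINet would also be reported, so treat a name-only hit as a prompt to inspect the path it launches.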

Method of Infection

This worm spreads via email. It sends itself to email addresses that are harvested from files with the following extensions:

  • abc
  • abd
  • abx
  • adb
  • ade
  • adp
  • adr
  • aero
  • asp
  • bak
  • bas
  • cfg
  • cgi
  • cls
  • cms
  • com
  • coop
  • csv
  • ctl
  • dbx
  • dhtm
  • doc
  • dsp
  • dsw
  • edu
  • eml
  • fdb
  • frm
  • gov
  • hlp
  • imb
  • imh
  • imm
  • inbox
  • info
  • ini
  • int
  • jsp
  • ldb
  • ldif
  • log
  • mbx
  • mda
  • mdb
  • mde
  • mdw
  • mdx
  • mht
  • mmf
  • msg
  • museum
  • nab
  • name
  • nch
  • net
  • nfo
  • nsf
  • nws
  • ods
  • oft
  • org
  • php
  • phtm
  • pl
  • pmr
  • pp
  • ppt
  • pro
  • pst
  • rtf
  • shtml
  • slk
  • sln
  • stm
  • tbb
  • txt
  • uin
  • vap
  • vbs
  • vcf
  • wab
  • wsh
  • xhtml
  • xls
  • xml

The worm contains anti-Stinger code that terminates processes named "stinger". A fake message is displayed when "stinger.exe" is run.

Removal

VirusScan Users
Use the latest engine and DAT files for detection. The 4599 DAT files contain enhanced repair, which removes the need for the Safe Mode procedure below. Stinger can also be used. On-Demand Scans should always include scanning memory, which may be required to detect and remove this threat.

Sober is also capable of patching the TCPIP.SYS file to increase the maximum number of connections. This can corrupt the file and break Internet connectivity. In this situation, it is necessary to replace this file with the original copy (for example from the Windows installation CD) to restore Internet access.

Because of the way this virus operates once a machine is successfully infected, read access to its file may be denied, in which case the AV scanner will not be able to detect the file. For this reason, if a machine is suspected to be infected, users are recommended to follow the procedure below:

1. Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed and choose Safe Mode).
2. Run a system scan using the specified engine/DATs.
3. Delete the files flagged as infected.
4. Restart the machine in default mode.

Stinger
Stinger has been updated to detect and remove this threat. Sober.r is "Stinger.exe" aware, so the executable must be named something other than Stinger.exe. The download link has been changed to s_t_i_n_g_e_r.exe for this reason.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

1. Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed and choose Safe Mode).
2. The filename used by the worm is SERVICES.EXE.
3. Delete this file from your Windows System directory (typically C:\WINDOWS\Connection Wizard\Status or C:\WINNT\Connection Wizard\Status).
4. Delete the following files from the same directory:
    1. netslot.nst
    2. services.exe
    3. socket.dli
5. Delete the following files from the %Sysdir% folder:
    1. bbvmwxxf.hml
    2. gdfjgthv.cvq
    3. langeinf.lin
    4. nonrunso.ber
    5. rubezahl.rub
    6. seppelmx.smx
6. Edit the registry. A similar string is used in the registry modifications made to hook system startup.
    • Delete the following key:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"_WinStart"
    • Delete the following value:
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce " WinStart"
7. Reboot the system into default mode.

McAfee Entercept
McAfee Entercept blocks the addition of the Sober.r service to the "Run" registry key. This prevents the virus from restarting after the next reboot. The relevant signature, "New Startup Program Creation", is active if the "Level 3 Protection" protection policy is used.

McAfee IntruShield
An IntruShield User-Defined Signature (UDS) has been created to detect this threat and is available for download at:

Threat: sober.r@MM
https://mysupport.nai.com/
Knowledgebase Article KB38001

Please note: The above knowledgebase article is password protected and requires you to log into the Service Portal before accessing it.

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • CME-151
  • I-Worm.Sober.U (VirusBuster)
  • W32.Sober.Q@mm (Symantec)
  • W32/Sober-O (Sophos)
  • W32/Sober.R@mm (Frisk)
  • W32/Sober.r@MM!CME-151
  • W32/Sober.r@MM!M-151
  • W32/Sober.Y.worm (Panda)
  • Win32.Sober.S@mm (Softwin)
