W32/Sober@MM!M681

Content

W32/Sober@MM!M681

Type: Virus
SubType: E-mail
Discovery Date: 11/22/2005
Length: 55,390 bytes (PE)
Minimum DAT: 4629 (11/16/2005)
Updated DAT: 4640 (11/30/2005)
Minimum Engine: 5.1.00
Description Added: 11/22/2005
Description Modified: 01/09/2006 12:09 PM (PT)

Risk Assessment

Corporate User: Low-Profiled
Home User: Low-Profiled

Tab Navigation

Characteristics

-- Update January 9, 2006 --
Due to a decrease in prevalence, the risk assessment of this threat has been lowered to Low-Profiled.

The list of activation dates/download sites has been updated below.

-- Update November 22, 2005 --
The risk assessment of this threat has been upgraded to Medium due to the amount of spam emails being sent which include copies of this virus. Mcafee customers have been protected since the 4629 dat files released on November 16th , which detected this as W32/Sober.gen@MM. If you, or your customers, are running at least these dat files, there will be no action required. Specific named detection as W32/Sober@MM!M681 (to reflect the assigned CME ID number) will be added to the 4635 DATs.

If you think that you may be infected with W32/Sober@MM!M681, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

This Sober variant was being seeded on Nov 21st. It arrives as an email attachment, along with various message subjects and bodies, such as:

Subject: hi, ive a new mail address
Body:
hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not sure!

plz read and check ...
cyaaaaaaa

Subject: Registration Confirmation
or
Subject: Your Password
Body: Account and Password Information are attached!

Subject: Paris Hilton & Nicole Richie
Body:
The Simple Life:

View Paris Hilton & Nicole Richie video clips , pictures & more ;)
Download is free until Jan, 2006!

Please use our Download manager.

Subject: You visit illegal websites
Body:
Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison

++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505

++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time

Subject: You visit illegal websites
Body:
Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.

Yours faithfully,
Steven Allison

*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000

Subject: Registration_Confirmation
Body:
Protected message is attached!

***** Go to: http://www.your_domain
***** Email: postman@your_domain

Body:
Glueckwunsch: Bei unserer EMail Auslosung hatten Sie und weitere neun Kandidaten Glueck.
Sie sitzen demnaechst bei Guenther Jauch im Studio! Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.

+++ RTL interactive GmbH
+++ Geschaeftsfuehrung: Dr. Constantin Lange
+++ Am Coloneum 1
+++ 50829 Koeln
+++ Fon: +49(0) 221-780 0 oder

Body:
Bei uns wurde ein neues Benutzerkonto mit dem Namen beantragt.
Um das Konto einzurichten, benoetigen wir eine Bestaetigung, dass die bei der Anmeldung angegebene e-Mail-Adresse stimmt.

Body:
Bitte senden Sie zur Bestaetigung den ausgefuellten Anhang an uns zurueck.
Wir richten Ihr Benutzerkonto gleich nach Einlangen der Bestaetigung ein und verstaendigen Sie dann per e-Mail, sobald Sie Ihr Konto benutzen koennen.
Vielen Dank

Attachment:

reg_pass-data.zip
reg_pass.zip
question_list.zip
mailtext.zip
mail_body.zip
mail.zip
list.zip
email_text.zip

The zip file contains the files file-packed_datainfo.exe [55,390 bytes].

Symptoms

When the attachment is opened, and the contained executable is run, a fake error message is displayed:

Error In Packed Header

Sober creates a directory named WinSecurity in the %WinDir% directory (typically c:\windows). Several files are created in this folder:

csrss.exe	A copy of the worm
mssock1.dli	Email address information
mssock2.dli	Email address information
mssock3.dli	Email address information
services.exe	A copy of the worm
smss.exe	A copy of the worm
socket1.ifo	MIME encoded archive containing the worm
socket2.ifo	MIME encoded archive containing the worm
socket3.ifo	MIME encoded archive containing the worm
starter.run	Zero byte file
winmem1.ory	Harvested email addresses
winmem2.ory	Harvested email addresses
winmem3.ory	Harvested email addresses

Several files are created in the WINDOWS SYSTEM directory (typically c:\windows\system32) as well:

bbvmwxxf.hml	Zero byte file
filesms.fms	Zero byte file
langeinf.lin	Zero byte file
nonrunso.ber	Zero byte file
rubezahl.rub	Zero byte file
runstop.rst	Zero byte file

Two registry run keys are created to load the worm at startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run "_Windows" = C:\WINDOWS\WinSecurity\services.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run " Windows" = C:\WINDOWS\WinSecurity\services.exe

The worm attempts to contact the following time servers:

ntps1-1.uni-erlangen.de
time.mit.edu
tick.greyware.com
tock.keso.fi
ntp2c.mcc.ac.uk
ntp1.theremailer.net
time.chu.nrc.ca
time-a.timefreq.bldrdoc.gov
time.nrc.ca
ntp.massayonet.com.br
ntp2b.mcc.ac.uk
ntp2.ien.it
nist1.datum.com
swisstime.ethz.ch
clock.psu.edu
time.ien.it
ptbtime2.ptb.de
Rolex.PeachNet.edu
ntp.metas.ch
ntp3.fau.de
utcnist.colorado.edu
sundial.columbia.edu
vega.cbk.poznan.pl
ntp0.cornell.edu
ntp-sop.inria.fr
rolex.usg.edu
time.xmission.com
st.ntp.carnet.hr
ntp-1.ece.cmu.edu
time.nist.gov
ntp.lth.se
cuckoo.nevada.edu
ntp-2.ece.cmu.edu
time.kfki.hu
ntp.pads.ufrj.br
time-ext.missouri.edu
ntp1.arnes.si
timelord.uregina.ca
gandalf.theunixman.com

Starting on Friday, 6th January 2006, the worm stops spreading via EMail and tries to download and execute file from different URLs. The URLs are calculated based on the date and change every two weeks.

For the 6th of January 2006, it will try to connect to these URLs:

people.freenet.de/mclvompycem/[omitted]
scifi.pages.at/zzzvmkituktgr/[omitted]
people.freenet.de/fseqepagqfphv/[omitted]
people.freenet.de/wjpropqmlpohj/[omitted]
home.arcor.de/jmqnqgijmng/[omitted]
people.freenet.de/qisezhin/[omitted]
home.arcor.de/ocllceclbhs/[omitted]
home.arcor.de/srvziadzvzr/[omitted]
home.pages.at/npgwtjgxwthx/[omitted]
home.arcor.de/dixqshv/[omitted]
home.arcor.de/nhirmvtg/[omitted]
people.freenet.de/urfiqileuq/[omitted]
people.freenet.de/smtmeihf/[omitted]
free.pages.at/emcndvwoemn/[omitted]
people.freenet.de/zmnjgmomgbdz/[omitted]

For the 20th of January 2006, it will try to connect to these URLs:

people.freenet.de/idoolwnzwuvnmby [truncated]
people.freenet.de/mhfas [truncated]
people.freenet.de/nkpphimpf [truncated]
people.freenet.de/ozumt [truncated]
people.freenet.de/bnfyfnueoom [truncated]
people.freenet.de/kbyquqbw [truncated]
people.freenet.de/mlmmmlmhc [truncated]
scifi.pages.at/ikzfpao [truncated]
home.pages.at/ecljow [truncated]
free.pages.at/wgqybixqy [truncated]
home.arcor.de/ykfjxp [truncated]
home.arcor.de/oodh [truncated]
home.arcor.de/mtgv [truncated]
home.arcor.de/tucrghif [truncated]
home.arcor.de/ftpkwywvkdbu [truncated]

For the 4th of February 2006, it will try to connect to these URLs:

people.freenet.de/xvpmtddp [truncated]
people.freenet.de/ybuukppm [truncated]
people.freenet.de/tqdpdrhw [truncated]
people.freenet.de/sxjvch [truncated]
people.freenet.de/ivevmrc [truncated]
people.freenet.de/chcnrvn [truncated]
home.arcor.de/dixq [truncated]
scifi.pages.at/ootakk [truncated]
home.pages.at/uqjsxtsacg [truncated]
free.pages.at/hdovzt [truncated]
home.arcor.de/yrgbkt [truncated]
home.arcor.de/fleaveprfkbrv [truncated]
home.arcor.de/grmnyg [truncated]
home.arcor.de/jntwdtn [truncated]
home.arcor.de/xvzwen [truncated]

For the 18th of February 2006, it will try to connect to these URLs:

people.freenet.de/kvnxjghpb [truncated]
people.freenet.de/kudkpqgs [truncated]
people.freenet.de/ivdmxnd [truncated]
people.freenet.de/wjfudqoed [truncated]
people.freenet.de/drmegnt [truncated]
people.freenet.de/vlxam [truncated]
people.freenet.de/oeejkiil [truncated]
scifi.pages.at/nikxioxckm [truncated]
home.pages.at/dfdccnzn [truncated]
free.pages.at/asoqqliez [truncated]
home.arcor.de/lwmpcpoq [truncated]
home.arcor.de/fzsybpt [truncated]
home.arcor.de/vffe [truncated]
home.arcor.de/cumhhsm [truncated]
home.arcor.de/fhljs [truncated]

For the 2nd of March 2006, it will try to connect to these URLs:

people.freenet.de/sxbbph [truncated]
people.freenet.de/obkqlyle [truncated]
people.freenet.de/ysqyydcqyxcq [truncated]
people.freenet.de/vcbcci [truncated]
people.freenet.de/ztoktkc [truncated]
people.freenet.de/hkakkkufs [truncated]
people.freenet.de/behkvl [truncated]
scifi.pages.at/vaicwygd [truncated]
home.pages.at/yjkoccqyjkx [truncated]
free.pages.at/njjmmmgq [truncated]
home.arcor.de/uswu [truncated]
home.arcor.de/ehqhkk [truncated]
home.arcor.de/jjlcxaqc [truncated]
home.arcor.de/pbvbwekyb [truncated]
home.arcor.de/oozaztutl [truncated]

For the 16th of March 2006, it will try to connect to these URLs:

people.freenet.de/wewhissrvlf [truncated]
people.freenet.de/cymo [truncated]
people.freenet.de/ykfqgkcpdz [truncated]
people.freenet.de/zvbgrir [truncated]
people.freenet.de/iekzyggeekn [truncated]
people.freenet.de/anbjhsob [truncated]
people.freenet.de/mnjemtyav [truncated]
scifi.pages.at/rsdou [truncated]
home.pages.at/qcvcfufc [truncated]
free.pages.at/tddffjn [truncated]
home.arcor.de/pvuvxkee [truncated]
home.arcor.de/hbxc [truncated]
home.arcor.de/bnzkrbcrr [truncated]
home.arcor.de/nlomw [truncated]
home.arcor.de/inwlcrqrmdb [truncated]

For the 30th of March 2006, it will try to connect to these URLs:

people.freenet.de/rslipmpm [truncated]
people.freenet.de/wxlokexul [truncated]
people.freenet.de/qoeccvmmv [truncated]
people.freenet.de/reowen [truncated]
people.freenet.de/tkhzdq [truncated]
people.freenet.de/mnfduqzj [truncated]
people.freenet.de/uuvnvf [truncated]
scifi.pages.at/ewrencdwz [truncated]
home.pages.at/mmzohagszca [truncated]
free.pages.at/qlojqlc [truncated]
home.arcor.de/ejwdzewdl [truncated]
home.arcor.de/tktdxgghyx [truncated]
home.arcor.de/dztwisrba [truncated]
home.arcor.de/bivrvxrldbi [truncated]
home.arcor.de/brbdhabr [truncated]

For the 14th of April 2006, it will try to connect to these URLs:

people.freenet.de/ycizcyyybb [truncated]
people.freenet.de/hdasdzfhk [truncated]
people.freenet.de/itfljpk [truncated]
people.freenet.de/gvnhwevn [truncated]
people.freenet.de/xfwck [truncated]
people.freenet.de/dwuynch [truncated]
people.freenet.de/mgbkgqdm [truncated]
scifi.pages.at/zyrsr [truncated]
home.pages.at/oxlbcuv [truncated]
free.pages.at/klwypl [truncated]
home.arcor.de/iytccbmi [truncated]
home.arcor.de/egfhtzsziti [truncated]
home.arcor.de/eeezorceelfi [truncated]
home.arcor.de/bypkirk [truncated]
home.arcor.de/ottoqoc [truncated]

For the 28th of April 2006, it will try to connect to these URLs:

people.freenet.de/bynlfgyq [truncated]
people.freenet.de/qzfupmaj [truncated]
people.freenet.de/uwegufxvwf [truncated]
people.freenet.de/tgwza [truncated]
people.freenet.de/lsjvvoenjvp [truncated]
people.freenet.de/bbvb [truncated]
people.freenet.de/sszwf [truncated]
scifi.pages.at/hsxzxtiww [truncated]
home.pages.at/ucobw [truncated]
free.pages.at/qnhxfpnq [truncated]
home.arcor.de/dnvem [truncated]
home.arcor.de/agmzqaju [truncated]
home.arcor.de/gnxsvga [truncated]
home.arcor.de/fmnfbinnm [truncated]
home.arcor.de/oufl [truncated]

For the 12th of May 2006, it will try to connect to these URLs:

people.freenet.de/zoosla [truncated]
people.freenet.de/mnfduq [truncated]
people.freenet.de/venel [truncated]
people.freenet.de/prlrkzh [truncated]
people.freenet.de/jkygfnif [truncated]
people.freenet.de/uifposxx [truncated]
people.freenet.de/hjushfqn [truncated]
scifi.pages.at/tiefgndvw [truncated]
home.pages.at/jnjtcj [truncated]
free.pages.at/duhdkkbkvcu [truncated]
home.arcor.de/mmeamt [truncated]
home.arcor.de/tjhzfyke [truncated]
home.arcor.de/ivrvxrld [truncated]
home.arcor.de/ionsgivgvqonvu [truncated]
home.arcor.de/agllj [truncated]

For the 26th of May 2006, it will try to connect to these URLs:

people.freenet.de/nhhx [truncated]
people.freenet.de/fpkqmhafws [truncated]
people.freenet.de/pommrkp [truncated]
people.freenet.de/ughyukk [truncated]
people.freenet.de/uhplcyto [truncated]
people.freenet.de/raeezeleqo [truncated]
people.freenet.de/hsaaaitf [truncated]
scifi.pages.at/vfefsgz [truncated]
home.pages.at/psjqzzzto [truncated]
free.pages.at/tjxggqemk [truncated]
home.arcor.de/mqfsjosnp [truncated]
home.arcor.de/zfakn [truncated]
home.arcor.de/fwzzq [truncated]
home.arcor.de/rtfx [truncated]
home.arcor.de/vfecfimevs [truncated]

For the 10th of June 2006, it will try to connect to these URLs:

people.freenet.de/ysyahqb [truncated]
people.freenet.de/nwdmimqxao [truncated]
people.freenet.de/piijnicl [truncated]
people.freenet.de/gsgyupdnp [truncated]
people.freenet.de/kypvbpunffm [truncated]
people.freenet.de/wggugtet [truncated]
people.freenet.de/ixltxg [truncated]
scifi.pages.at/fvojoz [truncated]
home.pages.at/npajsm [truncated]
free.pages.at/zakgnag [truncated]
home.arcor.de/eymdnfrv [truncated]
home.arcor.de/nykvmwb [truncated]
home.arcor.de/pvjupjw [truncated]
home.arcor.de/fuqllxpnp [truncated]
home.arcor.de/nlwwbw [truncated]

For the 24th of June 2006, it will try to connect to these URLs:

people.freenet.de/sgihlksoe [truncated]
people.freenet.de/eenvvux [truncated]
people.freenet.de/igvbvb [truncated]
people.freenet.de/qkpo [truncated]
people.freenet.de/jgkpzi [truncated]
people.freenet.de/ryobblxrxf [truncated]
people.freenet.de/iuqv [truncated]
scifi.pages.at/uuvnvf [truncated]
home.pages.at/kmqqqprru [truncated]
free.pages.at/gyoiwnhod [truncated]
home.arcor.de/kwwhusfepsq [truncated]
home.arcor.de/qhwhz [truncated]
home.arcor.de/rhhosoh [truncated]
home.arcor.de/qcxprkq [truncated]
home.arcor.de/tpswinpw [truncated]

For the 8th of July 2006, it will try to connect to these URLs:

people.freenet.de/txyjyjqq [truncated]
people.freenet.de/fhcwscxyco [truncated]
people.freenet.de/hzjofefe [truncated]
people.freenet.de/vchfqv [truncated]
people.freenet.de/uxyyfcbfb [truncated]
people.freenet.de/bvvpczb [truncated]
people.freenet.de/jqoguututl [truncated]
scifi.pages.at/clddwc [truncated]
home.pages.at/itit [truncated]
free.pages.at/hhfijsswwee [truncated]
home.arcor.de/hshqtj [truncated]
home.arcor.de/gesgamd [truncated]
home.arcor.de/txpp [truncated]
home.arcor.de/ctjil [truncated]
home.arcor.de/fxhydxuxi [truncated]

Method of Infection

This virus spreads via email. It harvests email addresses from files found on the local system containing the following extensions:

pmr
phtm
stm
slk
inbox
imb
csv
bak
imh
xhtml
imm
imh
cms
nws
vcf
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx

The virus attempts to terminate processes containing the following strings:

microsoftanti
gcas
gcip
giantanti
inetupd.
nod32kui
nod32.
fxsbr
avwin.
guardgui.
aswclnr
stinger
hijack
sober
brfix
s_t_i_n
s-t-i-n

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

Sober.Y (F-Secure)

W32.Sober.X@mm (Symantec)

W32/Sober-Z (Sophos)

W32/Sober.z@MM (F-prot)

W32/Sober@MM!CME-681

WORM_SOBER.AG (Trend)

Characteristics

Characteristics -