
Virus Detail

Win32/Sober.W

Date Published:
21 Nov 2005

Last Updated:
27 Apr 2006

Threat Assessment

Overall Risk:   Medium
Wild:  Medium
Destructiveness:  Low
Pervasiveness:  High

Characteristics

Type : Worm

Category : Win32

Also known as:  Win32.Sober.W (EZ Antivirus), Win32/Sober.W!Worm, Win32.Sober.W!ZIP, W32/Sober.Z@mm (F-Secure), W32/Sober.Z-mm (WildList), Email-Worm.Win32.Sober.y (Kaspersky)

Immediate Protection Info

Signature        Product
23.70.106        eTrust Antivirus v7/8* (InoculateIT Engine)
11.x/9523        eTrust Antivirus v7/8* (Vet Engine)
6.2x/9523        eTrust EZ Antivirus 6.2x
6.3x/9523        eTrust EZ Antivirus 6.3x
6.4x/9523        eTrust EZ Antivirus 6.4x
7.x/9523         eTrust EZ Antivirus 7.x
10.6x/9523       Vet Anti-Virus 10.6x


Description

Win32.Sober.W is a worm that spreads via e-mail. It arrives in a ZIP archive that contains a 55,390-byte executable.


Method of Infection

When executed, the worm displays a fake error message box with the title “WinZip Self-Extractor” and the text “Error in packed Header”.

Sober.W creates the directory WinSecurity in the %Windows% folder.


Note: The %Windows% folder is a variable location. The malware determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory is C:\Winnt for Windows 2000 and NT, C:\Windows for Windows 95, 98 and ME, and C:\Windows for Windows XP.


The worm copies itself to the WinSecurity folder as:


services.exe
smss.exe
csrss.exe


The worm executes the first copy (services.exe), which in turn runs the two other copies of the worm (smss.exe and csrss.exe).


As a result of the above process, the following files are created in the WinSecurity folder:


  • mssock1.dli – list of users and domain names
  • mssock2.dli – list of users and domain names
  • mssock3.dli – list of users and domain names
  • socket1.dli – base64 encoded copy of the worm
  • socket2.dli – base64 encoded copy of the worm
  • socket3.dli – base64 encoded copy of the worm
  • starter.run
  • winmem1.ory – list of targeted e-mail addresses
  • winmem2.ory – list of targeted e-mail addresses
  • winmem3.ory – list of targeted e-mail addresses

The worm modifies the registry in order to execute at the next reboot:


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ Windows = "%Windows%\WinSecurity\services.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\_Windows = "%Windows%\WinSecurity\services.exe"


Note: This variant may be dropped onto affected systems by previous variants of the Sober Family (.Q to .V).



Method of Distribution

Via E-mail

Sober.W spreads via e-mail, attached to a message with a spoofed From address. The Subject and Message Body can be in English or German. If the recipient address ends with "de", "ch", "at" or "li", or it contains "gmx", the e-mail will be sent in German.


Sober.W finds addresses to send itself to by searching files on the affected system's drives. The worm searches through files with the following extensions:


abc
abd
abx
adb
ade
adp
adr
asp
bak
bas
cfg
cgi
cls
cms
csv
ctl
dbx
dhtm
doc
dsp
dsw
eml
fdb
frm
hlp
imb
imh
imm
inbox
ini
jsp
ldb
ldif
log
mbx
mda
mdb
mde
mdw
mdx
mht
mmf
msg
nab
nch
nfo
nsf
nws
ods
oft
php
phtm
pl
pmr
pp
ppt
pst
rtf
shtml
slk
sln
stm
tbb
txt
uin
vap
vbs
vcf
wab
wsh
xhtml
xls
xml


Sober.W may send e-mail with the following characteristics:


Subject:


hi, ive a new mail address


Body:


hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not sure!


plz read and check ...
cyaaaaaaa


Attachment:


mailtext.zip
----------------------------------------


Subject


Mail delivery failed
or
smtp mail failed
or
SMTP Mail gescheitert


Body:


This is an automatically generated Delivery Status Notification.


SMTP_Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.


The full mail-text and header is attached!


Attachment:


mail.zip
or
mail_body.zip
--------------------------------------------


Subject:


Paris Hilton & Nicole Richie


Body:


The Simple Life:


View Paris Hilton & Nicole Richie video clips , pictures & more ;)
Download is free until Jan, 2006!


Please use our Download manager.


Attachment:


downloadm.zip
---------------------------------------------


Subject:


Account Information
or
Ihr passwort


Body:


Ihre Nutzungsdaten wurden erfolgreich geaendert. Details entnehmen Sie bitte dem Anhang.



*** http://www.<sender domain>
*** E-Mail: PassAdmin@<sender domain>


Attachment:


<sender domain>-TextInfo.zip
--------------------------------------------


Subject:


Mailzustellung wurde unterbrochen


Body:


This is an automatically generated Delivery Status Notification.


SMTP_Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.


The full mail-text and header is attached!


Attachment:


Email.zip
---------------------------------------------


Subject:


Registration Confirmation
or
Your Password


Body:


Account and Password Information are attached!


or


Protected message is attached!


The following may be included at the end of this email:


***** Go to: http://<sender domain>
***** Email: postman@<sender domain>


Attachment:


reg_pass-data.zip
or
reg_pass.zip
-----------------------------------------------


Subject:


RTL: Wer wird Millionaer


Body:


Glueckwunsch: Bei unserer EMail Auslosung hatten Sie und weitere neun Kandidaten Glueck.
Sie sitzen demnaechst bei Guenther Jauch im Studio!
Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.



+++ RTL interactive GmbH
+++ Geschaeftsfuehrung: Dr. Constantin Lange
+++ Am Coloneum 1
+++ 50829 Koeln
+++ Fon: +49(0) 221-780 0 oder
+++ Fon: +49 (0) 180 5 44 66 99


Attachment:


<Sender user name>.zip
------------------------------------------------


Subject:


Sehr geehrter Ebay-Kunde


Body:


Bei uns wurde ein neues Benutzerkonto mit dem Namen "<list>" beantragt.
Um das Konto einzurichten, benoetigen wir eine Bestaetigung, dass die bei der Anmeldung angegebene e-Mail-Adresse stimmt.
Bitte senden Sie zur Bestaetigung den ausgefuellten Anhang an uns zurueck.


Wir richten Ihr Benutzerkonto gleich nach Einlangen der Bestaetigung ein und verstaendigen Sie dann per e-Mail, sobald Sie Ihr Konto benutzen koennen.



Vielen Dank,


Ihr Ebay-Team


Note: <list> is a name chosen from the following:


Schnaggi
Schnappi
Pippi
Onkel-Hotte
Trulla
MasterX
Bremse
Diebels
Bier
HandgranatenHarald


Attachment:


Ebay.zip
-------------------------------------------


Subject:


Sie besitzen Raubkopien
or
Ermittlungsverfahren wurde eingeleitet


Body:


Sehr geehrte Dame, sehr geehrter Herr,


das Herunterladen von Filmen, Software und MP3s ist illegal und somit strafbar.
Wir moechten Ihnen hiermit vorab mitteilen, dass Ihr Rechner unter der IP
<random IP address> erfasst wurde. Der Inhalt Ihres Rechner wurde als Beweismittel sichergestellt und es wird ein Ermittlungsverfahren gegen Sie eingleitet.


Die Strafanzeige und die Moeglichkeit zur Stellungnahme wird Ihnen in den naechsten Tagen schriftlich zugestellt.
Aktenzeichen NR.:#<four random digits> (siehe Anhang)


Hochachtungsvoll
i.A. Juergen Stock



--- Bundeskriminalamt BKA
--- Referat LS 2
--- 65173 Wiesbaden
--- Tel.: +49 (0)611 - 55 - 12331 oder
--- Tel.: +49 (0)611 - 55 - 0


Attachment:


Akte<four random digits>.zip
-------------------------------------------------


Subject:


You visit illegal websites
or
Your IP was logged


Body:


Dear Sir/Madam,


we have logged your IP-address on more than 30 illegal Websites.


Important:
Please answer our questions!
The list of questions are attached.


Yours faithfully,
Steven Allison


One of the following is included at the end of this e-mail:


++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505


++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time


or


*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000


Attachment can be one of the following:


list.zip
list<random number>.zip
question_list.zip
question_list<random number>.zip


In all cases, the file inside the ZIP archive is called "File-packed_dataInfo.exe".
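The attachment pattern above (a small set of fixed or templated ZIP names, always carrying "File-packed_dataInfo.exe") is what a mail gateway can key on. The following is an added example, not CA's code: it parses a message offline with Python's standard email and zipfile modules, opens each ZIP attachment in memory, and lists the reasons the message would be quarantined. The sample message is constructed, and the bytes written into its ZIP are a harmless placeholder, not the worm. The subject list and attachment names are taken from the templates on this page; the regular expression for the templated names is my own generalisation of "Akte<four random digits>.zip", "list<random number>.zip", "question_list<random number>.zip" and "<sender domain>-TextInfo.zip".

```python
"""Mail-gateway check for the Sober.W attachment pattern.

Added example, not CA's code. Parses a raw RFC 822 message, inspects every
ZIP attachment in memory and returns the matching Sober.W indicators.
"""
from __future__ import annotations

import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Fixed attachment names listed in the advisory (compared case-insensitively).
FIXED_ZIP_NAMES = {
    "mailtext.zip", "mail.zip", "mail_body.zip", "downloadm.zip", "email.zip",
    "reg_pass-data.zip", "reg_pass.zip", "ebay.zip", "list.zip",
    "question_list.zip",
}
# Templated names: Akte<4 digits>, list<n>, question_list<n>, <domain>-TextInfo.
TEMPLATED_ZIP_NAMES = re.compile(
    r"^(akte\d{4}|list\d+|question_list\d+|[a-z0-9.-]+-textinfo)\.zip$", re.I
)
# The executable that sits inside every Sober.W archive.
INNER_EXE = "file-packed_datainfo.exe"
# Subjects listed in the advisory (exact, case-insensitive match).
KNOWN_SUBJECTS = {
    "hi, ive a new mail address", "mail delivery failed", "smtp mail failed",
    "smtp mail gescheitert", "paris hilton & nicole richie",
    "account information", "ihr passwort", "mailzustellung wurde unterbrochen",
    "registration confirmation", "your password", "rtl: wer wird millionaer",
    "sehr geehrter ebay-kunde", "sie besitzen raubkopien",
    "ermittlungsverfahren wurde eingeleitet", "you visit illegal websites",
    "your ip was logged",
}


def zip_member_names(blob: bytes) -> list[str]:
    """Return the member names of a ZIP blob, or [] if it is not a readable ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def inspect_message(raw: bytes) -> list[str]:
    """Return the Sober.W indicators found in a raw message (empty if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: list[str] = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append(f"subject matches Sober.W template: {subject!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        if name in FIXED_ZIP_NAMES or TEMPLATED_ZIP_NAMES.match(name):
            reasons.append(f"attachment name matches Sober.W list: {name!r}")
        for member in zip_member_names(part.get_payload(decode=True) or b""):
            base = member.rsplit("/", 1)[-1].lower()
            if base == INNER_EXE:
                reasons.append(f"{name!r} contains {member!r}")
            elif base.endswith(".exe"):
                reasons.append(f"{name!r} contains executable {member!r}")
    return reasons


def build_sample(zip_name: str, inner_name: str, subject: str) -> bytes:
    """Construct a test message carrying a ZIP with one placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes, not the worm")
    msg = EmailMessage()
    msg["From"] = "someone@example.net"   # constructed sender
    msg["To"] = "recipient@example.de"    # constructed recipient
    msg["Subject"] = subject
    msg.set_content("The full mail-text and header is attached!")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("mail.zip", "File-packed_dataInfo.exe", "Mail delivery failed")
    for reason in inspect_message(sample):
        print("QUARANTINE:", reason)
```

A message that matches only on its subject or only on a ZIP name gets a single reason, which a gateway would treat as a weaker signal; the inner "File-packed_dataInfo.exe" member is the strongest indicator on this page, since the advisory states it is present in every archive the worm sends.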


Please see below for examples of e-mail generated by the worm:


(Image: Example e-mail sent by Win32.Sober.W; four screenshots)


Sober.W checks the date and time by contacting particular NTP servers. When the date is November 21st and the time is 19:00 GMT, the worm begins sending out e-mail.



Payload

Downloads and Executes Arbitrary Files

Sober.W stops sending out e-mail and begins attempting to download arbitrary files from a number of domains after 5 January 2006 (i.e. from January 6th onwards). It checks the date by contacting a number of NTP servers listed in its code. Sober.W attempts to download files from the following domains:


scifi.pages.at
home.arcor.de
people.freenet.de
home.pages.at
free.pages.at


Complete URLs (folders and files) are generated on-the-fly. Some of the file names the worm can request are as follows:


byb.xky
cen.vcn
etie.exe
ggqh.kqh
gth.exe
hiuxz.exe
iqor.ymv
loq.exe
lvv.jde
oja.exe
qzccs.exe
saei.vvt
sfd.exe
tjzu.exe
zzmw.gzt
cud.ajf
djuu.gyu
dxmkg.exe
ghhh.exe
jrhk.iio
lzxz.lwlx
mrty.uqm
nhhgg.exe
rhsup.exe
ryl.exe
tpywp.exe
uwmud.exe
wblc.ffdw
yzzjc.exe
zzgff.exe


At the time of publishing, none of the URLs the worm is designed to use were valid.


The worm also attempts to download the file Sober.exe from the "home.pages.at" domain and execute it from the location "%Windows%\WinSecurity\attacke.exe". This file was also unavailable at the time of publishing.
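The download stage gives a network defender two things to match on: the five hosting domains and the file names above (plus Sober.exe). The following is an added example, not CA's code: it scans web-proxy log lines and flags clients that request one of the listed file names from one of the listed hosts. Because those domains were public free-hosting services, a host match alone is reported only as "watch" for correlation with host-side evidence. The log layout ("timestamp client method url status") and the sample lines are constructed for this example.

```python
"""Proxy-log check for the Sober.W download stage.

Added example, not CA's code. Matches requests against the hosting domains and
file names from the advisory; log format and sample lines are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

DOWNLOAD_HOSTS = {
    "scifi.pages.at", "home.arcor.de", "people.freenet.de",
    "home.pages.at", "free.pages.at",
}
# File names from the advisory's list, plus the Sober.exe fetch.
KNOWN_FILES = {
    "byb.xky", "cen.vcn", "etie.exe", "ggqh.kqh", "gth.exe", "hiuxz.exe",
    "iqor.ymv", "loq.exe", "lvv.jde", "oja.exe", "qzccs.exe", "saei.vvt",
    "sfd.exe", "tjzu.exe", "zzmw.gzt", "cud.ajf", "djuu.gyu", "dxmkg.exe",
    "ghhh.exe", "jrhk.iio", "lzxz.lwlx", "mrty.uqm", "nhhgg.exe", "rhsup.exe",
    "ryl.exe", "tpywp.exe", "uwmud.exe", "wblc.ffdw", "yzzjc.exe", "zzgff.exe",
    "sober.exe",
}
# Assumed log layout: "<timestamp> <client-ip> <method> <url> <status>".
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})")


def classify(line: str) -> tuple[str, str] | None:
    """Return (client_ip, verdict) for a Sober.W-related request, else None.

    verdict is "known-file" when the requested file name is one the advisory
    lists, or "watch" when only the host matches; the five domains were public
    free-hosting services, so a host match alone is not proof of infection.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    _, client, _, url, _ = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in DOWNLOAD_HOSTS:
        return None
    basename = parts.path.rsplit("/", 1)[-1].lower()
    if basename in KNOWN_FILES:
        return client, "known-file"
    return client, "watch"


def scan(lines: list[str]) -> dict[str, list[str]]:
    """Group flagged client IPs by verdict over a batch of log lines."""
    hits: dict[str, list[str]] = {"known-file": [], "watch": []}
    for line in lines:
        result = classify(line)
        if result:
            client, verdict = result
            if client not in hits[verdict]:
                hits[verdict].append(client)
    return hits


# Constructed sample log lines (timestamps, client IPs and paths are invented).
SAMPLE_LOG = [
    "2006-01-06T03:12:44Z 10.0.0.17 GET http://home.pages.at/abc123/Sober.exe 404",
    "2006-01-06T03:12:51Z 10.0.0.17 GET http://free.pages.at/x9/ryl.exe 404",
    "2006-01-06T03:13:02Z 10.0.0.23 GET http://people.freenet.de/blog/index.html 200",
    "2006-01-06T03:13:09Z 10.0.0.31 GET http://www.example.org/ryl.exe 200",
]

if __name__ == "__main__":
    for verdict, clients in scan(SAMPLE_LOG).items():
        print(verdict, clients)
```

The sample deliberately includes a 404 response: the advisory states none of the URLs were valid at publication, so the request itself, not a successful download, is the signal. A client in the "known-file" list should be checked for the %Windows%\WinSecurity artifacts regardless of status code.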


Terminates Processes

The worm terminates the following process:


mrt.exe


as well as any process that contains any of the following strings in its title:


microsoftanti
gcas
gcip
giantanti
inetupd.
nod32kui
nod32.
fxsob
avwin
stinger
hijack
sober
brfix
fixsob
s-t-i-n


After the process is terminated, the worm may display a message box titled "AntiVirus", with the message "No Viruses, Trojans or Spyware found! Status: OK".


(Image: Message displayed by Win32.Sober.W)



For additional information:

The worm drops the following empty files into the %System% directory:


nonrunso.ber
langeinf.lin
runstop.rst
rubezahl.rub
bbvmwxxf.hml


Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory is C:\Winnt\System32 for Windows 2000 and NT, C:\Windows\System for Windows 95, 98 and ME, and C:\Windows\System32 for Windows XP.
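The host-side indicators on this page come from two places: the "Method of Infection" section (the WinSecurity folder under %Windows%, the three worm copies and their .dli/.ory/.run companions, the attacke.exe execution path, and the two Run values) and the empty marker files in %System% listed just above. The following is an added example, not CA's code, that checks an inventory of file paths and Run values against all of them. The matching is a pure function so it runs on any platform against a collected inventory; collect_live() is an assumed helper that gathers a real inventory with os and winreg and only works on Windows (it assumes the System32 layout). The inventory at the bottom is constructed.

```python
"""Host check for the Sober.W artifacts described in this advisory.

Added example, not CA's code. check_inventory() is pure; collect_live() is an
assumed Windows-only helper. SAMPLE_* values are constructed test data.
"""
from __future__ import annotations

import ntpath
import os
import sys

# Files the worm writes into %Windows%\WinSecurity.
WINSECURITY_FILES = {
    "services.exe", "smss.exe", "csrss.exe", "starter.run", "attacke.exe",
    "mssock1.dli", "mssock2.dli", "mssock3.dli",
    "socket1.dli", "socket2.dli", "socket3.dli",
    "winmem1.ory", "winmem2.ory", "winmem3.ory",
}
# Empty marker files the worm drops into %System%.
SYSTEM_MARKER_FILES = {
    "nonrunso.ber", "langeinf.lin", "runstop.rst", "rubezahl.rub", "bbvmwxxf.hml",
}
# (hive, key, value name) of the persistence entries. Note the leading space in
# the HKLM value name and the underscore in the HKCU one, as on the page.
RUN_VALUES = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run", " Windows"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "_Windows"),
]


def check_inventory(windows_dir: str, system_dir: str, files: set[str],
                    run_values: dict[tuple[str, str, str], str]) -> list[str]:
    """Return findings for an inventory of absolute file paths and Run values."""
    findings: list[str] = []
    lower_files = {f.lower() for f in files}
    winsec = ntpath.join(windows_dir, "WinSecurity").lower()
    for name in WINSECURITY_FILES:
        path = ntpath.join(winsec, name)
        if path in lower_files:
            findings.append(f"dropped file present: {path}")
    for name in SYSTEM_MARKER_FILES:
        path = ntpath.join(system_dir, name).lower()
        if path in lower_files:
            findings.append(f"marker file present: {path}")
    for hive, key, name in RUN_VALUES:
        data = run_values.get((hive, key, name), "")
        # The page gives the data as "%Windows%\WinSecurity\services.exe".
        if "winsecurity" in data.lower() and data.lower().endswith("services.exe"):
            findings.append(f"persistence: {hive}\\{key}\\{name!r} = {data}")
    return findings


def collect_live() -> tuple[str, str, set[str], dict[tuple[str, str, str], str]]:
    """Assumed helper: gather a real inventory. Windows only (needs winreg)."""
    import winreg  # imported here so the module loads on other platforms
    windows_dir = os.environ["SystemRoot"]
    system_dir = ntpath.join(windows_dir, "System32")  # assumption: XP-style layout
    files: set[str] = set()
    for d in (ntpath.join(windows_dir, "WinSecurity"), system_dir):
        if os.path.isdir(d):
            files.update(ntpath.join(d, f) for f in os.listdir(d))
    run_values: dict[tuple[str, str, str], str] = {}
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for hive, key, name in RUN_VALUES:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                run_values[(hive, key, name)] = str(winreg.QueryValueEx(k, name)[0])
        except OSError:
            pass  # key or value absent: nothing to report for this entry
    return windows_dir, system_dir, files, run_values


# Constructed inventory standing in for a partially infected XP host.
SAMPLE_FILES = {
    r"C:\Windows\WinSecurity\services.exe",
    r"C:\Windows\WinSecurity\mssock1.dli",
    r"C:\Windows\System32\nonrunso.ber",
    r"C:\Windows\System32\kernel32.dll",
}
SAMPLE_RUN = {
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run", " Windows"):
        r"C:\Windows\WinSecurity\services.exe",
}

if __name__ == "__main__":
    if sys.platform == "win32":
        inventory = collect_live()
    else:
        inventory = (r"C:\Windows", r"C:\Windows\System32", SAMPLE_FILES, SAMPLE_RUN)
    for finding in check_inventory(*inventory):
        print("FOUND:", finding)
```

The Run-value check matches on the data rather than only on the odd value names, since a value named " Windows" or "_Windows" with other data would be a false positive, while any Run entry pointing at a services.exe under a WinSecurity folder is the persistence this page describes.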


Analysis by Amir Fouda


