J-Security Center

Email-Worm.Win32.Sober.u, .v, .w


15 Nov 2005 12:30:00 +0300

Kaspersky Lab has detected three new variants of Sober: Email-Worm.Win32.Sober.u, Email-Worm.Win32.Sober.v, and Email-Worm.Win32.Sober.w.

The worm spreads as an attachment to infected messages. The attached file, which contains the body of the worm, is approximately 130KB in size.

Possible attachment names include:

Word-Text_packedList.exe
Word-Text_packedList.zip
Word-Text.zip
Reg-List-Dat_Packer2.exe
Exceltab-packed_List.exe
reg_text.zip
Liste.zip

Kaspersky Anti-Virus databases have been updated with detection for the three latest variants. Users are strongly recommended to update their antivirus databases.

Email-Worm.Win32.Sober.u

Several modified variants of this worm, which is written in Visual Basic, have been detected; the differences between them are very minor. It is 139.040 KB in size. The actual worm is 129.568 bytes in packed size.

Installation

When the dropper is executed it drops the main file into the Windows directory; the filename consists of eight random letters and varies for each Sober.u modification.

Sober creates the following directory:

%windir%\ConnectionStatus\Microsoft

A copy of the worm named services.exe is dropped into this directory.

The file residing in %windir% will then launch services.exe and close.

The following files are also created in %windir%\ConnectionStatus\Microsoft\:

concon.www - this file will contain the email addresses harvested from the system.
sacdata.dta - this file is empty.

The following 0-byte (empty) files are created in %systemdir%:

bbvmwxxf.hml
gdfjgthv.cvq
langeinf.lin
nonrunso.ber
rubezahl.rub
runstop.rst

The worm creates the following registry keys to ensure that it gets executed during Windows startup:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" WinCheck"="%windir%\ConnectionStatus\Microsoft\services.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"_WinCheck"="%windir%\ConnectionStatus\Microsoft\services.exe"
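The persistence entries and dropped files above are the host indicators a responder would check for. The following script is an added example, not part of the original advisory: it takes registry Run-key entries and a path-to-size map as plain Python data (for instance exported from a registry dump and a directory walk) and flags the artifacts described above. The default `windir`/`systemdir` values, the hive aliases, and the sample data are assumptions constructed for the example; it runs without a Windows host.

```python
"""Host indicator check for the Email-Worm.Win32.Sober.u artifacts
described in the advisory (added example, not Kaspersky's own tooling)."""
import ntpath

# Artifact names taken from the advisory text, lower-cased for matching.
SOBER_DIR_SUFFIX = r"\connectionstatus\microsoft"
SOBER_PAYLOAD = "services.exe"
SOBER_MARKER_FILES = {
    "bbvmwxxf.hml", "gdfjgthv.cvq", "langeinf.lin",
    "nonrunso.ber", "rubezahl.rub", "runstop.rst",
}
SOBER_DATA_FILES = {"concon.www", "sacdata.dta"}
RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
}
# Assumption: registry exports may spell hives out in full.
_HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}


def _norm(path):
    """Lower-case and strip quotes/whitespace so paths compare reliably."""
    return path.strip().strip('"').lower()


def _norm_key(key):
    hive, _, rest = _norm(key).partition("\\")
    return _HIVE_ALIASES.get(hive, hive) + "\\" + rest


def check_run_entries(run_entries):
    """run_entries: iterable of (key, value_name, data) tuples.
    Returns the entries matching the Sober.u persistence pattern: a value
    named WinCheck (ignoring the leading space or underscore the worm uses)
    under a Run key, pointing at services.exe in ConnectionStatus\\Microsoft."""
    hits = []
    for key, name, data in run_entries:
        if _norm_key(key) not in RUN_KEYS:
            continue
        if name.strip(" _").lower() != "wincheck":
            continue
        if _norm(data).endswith(SOBER_DIR_SUFFIX + "\\" + SOBER_PAYLOAD):
            hits.append((key, name, data))
    return hits


def check_files(file_sizes, windir=r"C:\WINDOWS", systemdir=r"C:\WINDOWS\system32"):
    """file_sizes: dict path -> size in bytes.  Flags the zero-byte marker
    files in the system directory and any of the worm's files in its
    working directory under %windir%.  Returns (kind, path) tuples."""
    findings = []
    sober_dir = _norm(windir + SOBER_DIR_SUFFIX)
    sysdir = _norm(systemdir)
    for path, size in file_sizes.items():
        head, tail = ntpath.split(_norm(path))
        if head == sysdir and tail in SOBER_MARKER_FILES and size == 0:
            findings.append(("marker-file", path))
        elif head == sober_dir and tail in SOBER_DATA_FILES | {SOBER_PAYLOAD}:
            findings.append(("worm-dir-file", path))
    return findings


# Constructed sample data modelled on the advisory; sizes are made up
# except the packed worm size, which the advisory gives as 129.568 bytes.
SAMPLE_RUN_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", " WinCheck",
     r"C:\WINDOWS\ConnectionStatus\Microsoft\services.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "_WinCheck",
     r"C:\WINDOWS\ConnectionStatus\Microsoft\services.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe",
     r"C:\WINDOWS\system32\ctfmon.exe"),  # benign entry, must not match
]
SAMPLE_FILES = {
    r"C:\WINDOWS\system32\runstop.rst": 0,
    r"C:\WINDOWS\system32\rubezahl.rub": 0,
    r"C:\WINDOWS\system32\services.exe": 108544,  # the real Windows binary
    r"C:\WINDOWS\ConnectionStatus\Microsoft\services.exe": 129568,
    r"C:\WINDOWS\ConnectionStatus\Microsoft\concon.www": 2048,
}

if __name__ == "__main__":
    for hit in check_run_entries(SAMPLE_RUN_ENTRIES):
        print("persistence:", hit)
    for kind, path in check_files(SAMPLE_FILES):
        print(kind + ":", path)
```

The Run-key check deliberately compares the full target path rather than just the value name, because "WinCheck" alone is a weak indicator; the legitimate `services.exe` in the system directory is left alone by design, since only the copy under ConnectionStatus\Microsoft belongs to the worm.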

The worm connects to a number of time servers to check the time and date.

Depending on the date the worm will perform one of two actions:

- Spread like an Email-Worm by sending out copies of itself
- Check specified sites for files to download

Propagation via email

The worm harvests email addresses from files with the following extensions:

pmr
phtm
stm
slk
inbox
imb
csv
bak
imh
xhtml
imm
imh
cms
nws
vcf
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx

Sober.u spreads in two different languages, English and German.

It uses English for all domains except those with one of the following suffixes:

.de
.ch
.at
.li

or containing the following string:

gmx.

Infected messages

English message:

Message subject:

Registration Confirmation

Message body:

Thanks for your registration.
Your data are saved in the zipped Word.doc file!

Attachment name:

registration.zip

German message:

Message subject:

Haben Sie diese EMail verschickt?

Message body:

Um es vorweg zu sagen: Ich bin kurz davor eine Anzeige gegen Sie zu erstatten!
Sie spinnen ja wohl! Die E-Mail hat meine Tochter gelesen!!!!!!

Ich habe Ihnen diese Word-Text Datei zu meiner Entlastung zurueckgeschickt.
Es waere von Vorteil, wenn Sie sich dazu aeussern wuerden!!

Attachment name:

Starts with:

Word -Text
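The subjects, body text, attachment names and approximate attachment size listed above are the mail-side indicators a gateway filter can match on. The following script is an added example, not part of the advisory: it scores a message against those indicators and quarantines only when more than one matches, so an unrelated 130KB zip does not trip the rule on size alone. The `Message` class, the 10KB size tolerance and the sample messages are assumptions constructed for the example.

```python
"""Screen inbound mail metadata against the Sober.u lure indicators
given in the advisory (added example, not Kaspersky's own tooling)."""
from dataclasses import dataclass

# Indicators taken from the advisory, lower-cased for matching.
KNOWN_ATTACHMENTS = {
    "word-text_packedlist.exe", "word-text_packedlist.zip", "word-text.zip",
    "reg-list-dat_packer2.exe", "exceltab-packed_list.exe", "reg_text.zip",
    "liste.zip", "registration.zip",
}
ATTACHMENT_PREFIX = "word -text"   # the German lure's attachment starts with this
KNOWN_SUBJECTS = {
    "registration confirmation",
    "haben sie diese email verschickt?",
}
BODY_PHRASES = (
    "your data are saved in the zipped word.doc file",
    "die e-mail hat meine tochter gelesen",
)
APPROX_SIZE = 130 * 1024       # advisory: attachment is approximately 130KB
SIZE_TOLERANCE = 10 * 1024     # assumption for the example


@dataclass
class Message:
    """Minimal view of an inbound message as a gateway would see it."""
    subject: str
    body: str
    attachment_name: str = ""
    attachment_size: int = 0


def sober_u_indicators(msg):
    """Return the list of Sober.u indicators a message matches (empty list
    when none match).  All comparisons are case-insensitive."""
    reasons = []
    name = msg.attachment_name.lower()
    if name in KNOWN_ATTACHMENTS:
        reasons.append("known attachment name")
    elif name.startswith(ATTACHMENT_PREFIX):
        reasons.append("attachment name starts with 'Word -Text'")
    if name.endswith((".exe", ".zip")) and \
            abs(msg.attachment_size - APPROX_SIZE) <= SIZE_TOLERANCE:
        reasons.append("executable/zip attachment of ~130KB")
    if msg.subject.strip().lower() in KNOWN_SUBJECTS:
        reasons.append("known lure subject")
    body = msg.body.lower()
    if any(phrase in body for phrase in BODY_PHRASES):
        reasons.append("known lure body text")
    return reasons


def should_quarantine(msg):
    """Quarantine when at least two independent indicators match."""
    return len(sober_u_indicators(msg)) >= 2


# Constructed sample messages modelled on the advisory's English and
# German lures, plus a benign message of similar size.
SAMPLE_MESSAGES = [
    Message("Registration Confirmation",
            "Thanks for your registration.\n"
            "Your data are saved in the zipped Word.doc file!",
            "registration.zip", 131072),
    Message("Haben Sie diese EMail verschickt?",
            "Sie spinnen ja wohl! Die E-Mail hat meine Tochter gelesen!!!!!!",
            "Word -Text_Datei.zip", 129568),  # constructed name with the lure prefix
    Message("Quarterly report", "Please find the report attached.",
            "report_q2.zip", 131000),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m.subject, "->", "QUARANTINE" if should_quarantine(m) else "pass",
              sober_u_indicators(m))
```

In practice the filename and subject strings will change with each Sober modification, so a rule like this belongs alongside, not instead of, up-to-date antivirus signatures; the size-plus-extension check is the part most likely to survive a cosmetic change to the lure.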

Other

This worm also drops another malicious file.

The worm drops not-a-virus:PSWTool.Win32.PassView.162 into the system directory.
This tool is used to spy on passwords.

Like previous variants, Sober.u uses an exclusive lock to make removal difficult.

Removal

Make sure your Kaspersky Anti-Virus bases are up to date.
Perform a full system scan and delete all files detected as Email-Worm.Win32.Sober.u and not-a-virus:PSWTool.Win32.PassView.162.