Email-Worm:W32/Sober.C

Classification

Category :

Malware

Type :

-

Aliases :

Sober.C, I-Worm.Sober.C, W32/Sober.C

Summary

Sober.C is an email worm that sends itself as an attachment to email messages with different subject and body texts. Messages are composed from either German or English text strings depending on a recipient's domain suffix.

The worm can disguise itself as a message from a police, that allegedly found illegal movies, music and software on a user's computer. The worm's message tells that police filed a lawsuit against a user and a user is offered to read the rest of information in the attachment which has a .TXT.EXE extension. But the attachment contains only a sample of the worm. The worm can also send other kind of messages. Additionally, the worm has the functionality to spread in P2P (peer-to-peer) networks.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm is written in Visual Basic. The worm's file is packed with a modified version of UPX file compressor. It has its own SMTP engine and it is used to send out infected email messages.

Installation to system

When the worm's file is started, it shows a fake error message:

Runtime Error   has caused an unknown error.   

where <file_name> is the name of the worm's file. The messagebox can have a different caption and an additional text:

Microsoft   has caused an unknown error.  Stop: 00000010x08   

The worm copies itself to Windows System folder 3 times, once with SYSHOSTX.EXE name, and 2 more times with semi-randomly generated names, for example DIREXSYS.EXE or DXINBHEXDAT.EXE. The worm uses the following fixed text strings to generate the name of its files:

Runtime Error
 has caused an unknown error.
 

The worm also creates a file named SAVESYSS.DLL, where it stores email addresses harvested from an infected computer. The worm also creates 2 files named HUMGLY.LKUR and YFJQ.YQWM in the same folder.

The worm creates several startup Registry keys for one of its semi-randomly named files in System Registry:

Runtime Error
 has caused an unknown error.
 

The worm also creates a startup key for its file in HKEY_USERS Registry tree:

[HKEY_USERS\\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]   

The subkey name that is created by the worm is semi-randomly generated. The value of a subkey is the path to one of the worm's files in Windows System folder.

The worm always has 2 of its tasks in System Memory. If one task is killed, it is immediately restarted by another one. Also the worm refreshes its startup keys in the Registry every few seconds. This makes manual disinfection of the worm more difficult. Is should be also noted that the worm blocks read access to its 2 semi-randomly named files and to SAVESYSS.DLL file as well.

Spreading in emails.

The worm scans files with certain extensions to harvest email addresses. Files with the following extensions are scanned:

Runtime Error
 has caused an unknown error.
 

The worm saves all found email addresses to SAVESYSS.DLL file located in Windows System folder. This is an ASCII file, not binary.

The worm sends email messages with German and English texts. When sending a message to an email address, that has domain suffix DE, CH, AT, LI, NL or BE, the worm uses German text strings, otherwise it composes a message in English.

When sending messages in English, the worm can use the following subjects:

Runtime Error
 has caused an unknown error.
 

The worm uses the following arrays of text strings for English message bodies:

Runtime Error
 has caused an unknown error.
 

In English messages the worm can send itself as an attachment with the following names:

yourmail.txt.  yourmail.doc.  photos.  test.  reward.  youtoo.  set_config.  downloader.exe  www.freegames4you-gzone.com  www.onlinegamerspro-worm.com  idiot.  painfulness.  terror-list.  www.boards4all-terror432.com  account.  credit card.  yourregistration.txt.  letters.  refcode.txt.  mangaconection.  www.animepage43252.com  www.anime4allfree.com   

The worm can compose attachment names from the following parts:

Runtime Error
 has caused an unknown error.
 

For example an attachment name can be REMOVE-SMSS_TOOL.EXE.

The worm can use the following extensions (referenced above as <ext>) for the only or second extension of its attachment:

Runtime Error
 has caused an unknown error.
 

When sending messages in German, the worm can use the following subjects:

Runtime Error
 has caused an unknown error.
 

The worm uses the following arrays of text strings for German message bodies:

Runtime Error
 has caused an unknown error.
 

In German messages the worm can send itself as an attachment with the following names:

Klassenfoto.  www.iq4you-german-test.com  Kundendat.BaB.  www.freewantiv.com  SysDial-patch.  aktenz.txt.  haha_sehr_witzig.  DrohMails.  RTL-DSDS-anmelde.  www.free4manga.com  Zugangsdaten.txt.  www.free4share4you.com  sharedfree.  www.tagespolitik-umfragen.com  Abstimmen.  test.  alledigis.  remove-   

The worm can use the following extensions (referenced above as <ext>) for the only or second extension of its attachment:

Runtime Error
 has caused an unknown error.
 

Here's an example of a German message sent by the worm:

Body:

Runtime Error
 has caused an unknown error.
 

Attachment:

AKTENZ.TXT.EXE   

The worm in some cases uses semi-randomly generated attachment names. For example the worm's attachment name for the above shown email can be AKTENZ36616.TXT.EXE.

The worm modifies its attachment to fool CRC-based detection: it can add random data to its file's end.

Spreading in file sharing networks

When active, the worm tries to locate shared folders of Kazaa, EMule and EDonkey2000. If such folders are located, the worm overwrites all executable files in those folders with its copy preserving the original file's size and name.