F-Secure Virus Descriptions : Sober.D
THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.
NAME: Sober.D
ALIAS: I-Worm.Sober.D, W32/Sober.D@mm, W32/Roca-a, Win32/Roca.A@mm, ROCA
A new Sober variant, Sober.D, was found in Germany in the early morning
of March 8th, 2004. Like previous Sober variants, it sends e-mails in
both German and English. Sober.D pretends to be a Microsoft update that
removes the MyDoom worm. The worm spreads as an EXE attachment or inside
a ZIP archive.
The worm is written in Visual Basic. The worm's file is packed with a
modified version of the UPX file compressor. It has its own SMTP engine
that it uses to send out infected e-mail messages.
Installation to system
When the worm's file is started on a clean system, it shows the
following message box:
If the worm's file is started on an already infected computer,
the following message box is shown:
Please note that the file name in the message box's caption may
vary depending on the name of the worm's executable attachment.
The worm copies itself once to the Windows System folder, under a
semi-randomly generated name, and creates a startup key for this
file in the System Registry. The worm builds the name of its file
from the following fixed text strings:
sys
host
dir
explorer
win
run
log
32
disc
crypt
data
diag
spool
service
smss32
The worm creates a file named MSLOGS32.DLL, where it stores all
e-mail addresses harvested from an infected computer. The worm
also creates 3 empty files in the same folder:
HUMGLY.LKUR
ZMNDPGWF.KXX
YFJH.YQWM
Additionally, the worm creates two MIME-encoded copies of its
executable file and a ZIP archive in the Windows System folder,
with the following names:
WINTMPX33.DAT
TEMP32X.DATA
The worm creates several startup Registry keys for its semi-randomly
named file under the following locations in the System Registry:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
The subkey name that is created by the worm is semi-randomly
generated too. The value of the subkey is the path to the worm's
file in the Windows System folder.
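The dropped-file names, the registry Run/RunOnce locations and the fixed name fragments listed above can be turned into a simple host-side check. The following is an added example (not F-Secure's code): it takes a listing of the Windows System folder and a set of Run/RunOnce values as plain Python data, so it runs offline on constructed input; on a real host you would feed it the actual directory listing and a registry export. The path `C:\WINDOWS\SYSTEM32` and the rule that a suspicious file name is one tiled from two or more of the listed fragments are assumptions of this example, not statements from the description.

```python
"""Host-side check for Sober.D persistence artifacts (added example, not F-Secure's code)."""
from pathlib import PureWindowsPath

# Fixed name fragments the description says the worm combines into its file name.
NAME_TOKENS = ["sys", "host", "dir", "explorer", "win", "run", "log", "32",
               "disc", "crypt", "data", "diag", "spool", "service", "smss32"]

# Fixed file names the description says the worm drops in the Windows System folder.
DROPPED_FILES = {"mslogs32.dll", "humgly.lkur", "zmndpgwf.kxx", "yfjh.yqwm",
                 "wintmpx33.dat", "temp32x.data"}

# Registry keys the description says the worm writes its startup value under.
RUN_KEYS = {
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
}

# Assumption: location of the Windows System folder on the host being checked.
SYSTEM_DIR = PureWindowsPath(r"C:\WINDOWS\SYSTEM32")


def is_token_built(stem: str) -> bool:
    """True if `stem` (file name without extension) can be tiled entirely from
    two or more NAME_TOKENS, e.g. 'syshost32' -> sys + host + 32.
    A single token on its own (e.g. 'explorer') is not flagged, to avoid
    matching legitimate Windows binaries (heuristic, an assumption of this example)."""
    s = stem.lower()
    if not s or s in NAME_TOKENS:
        return False
    reach = [False] * (len(s) + 1)   # reach[i]: prefix s[:i] is tileable
    reach[0] = True
    for i in range(1, len(s) + 1):
        for tok in NAME_TOKENS:
            j = i - len(tok)
            if j >= 0 and reach[j] and s[j:i] == tok:
                reach[i] = True
                break
    return reach[len(s)]


def find_dropped_files(listing):
    """Return the known dropped-file names present in a System folder listing."""
    return sorted(name for name in listing if name.lower() in DROPPED_FILES)


def suspicious_run_values(run_values, system_dir=SYSTEM_DIR):
    """Return (key, value_name, data) triples under the worm's Run/RunOnce keys
    whose data points into the System folder at a token-built file name."""
    hits = []
    for key, value_name, data in run_values:
        if key not in RUN_KEYS:
            continue
        path = PureWindowsPath(data.strip('"'))
        in_system_dir = str(path.parent).lower() == str(system_dir).lower()
        if in_system_dir and is_token_built(path.stem):
            hits.append((key, value_name, data))
    return hits


def assess(listing, run_values):
    """Combine both checks into one verdict dictionary."""
    dropped = find_dropped_files(listing)
    runs = suspicious_run_values(run_values)
    return {"dropped_files": dropped, "run_values": runs,
            "infected": bool(dropped) or bool(runs)}


# Constructed sample data (not from a real host).
SAMPLE_SYSTEM_LISTING = ["kernel32.dll", "MSLOGS32.DLL", "HUMGLY.LKUR", "ZMNDPGWF.KXX",
                         "YFJH.YQWM", "WINTMPX33.DAT", "TEMP32X.DATA", "syshost32.exe",
                         "services.exe", "ctfmon.exe"]
SAMPLE_RUN_VALUES = [
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "syshost32", r"C:\WINDOWS\SYSTEM32\syshost32.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     "datacrypt", r"C:\WINDOWS\SYSTEM32\datacrypt.exe"),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ctfmon", r"C:\WINDOWS\SYSTEM32\ctfmon.exe"),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "tool", r"C:\Tools\syshost32.exe"),
]

if __name__ == "__main__":
    print(assess(SAMPLE_SYSTEM_LISTING, SAMPLE_RUN_VALUES))
```

The token-tiling heuristic is deliberately combined with the registry location and the System folder path; on its own it would be too noisy, since fragments such as `win`, `log` and `run` appear in many legitimate file names.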
Spreading in e-mails
The worm scans files with certain extensions on all hard disks to
harvest e-mail addresses. Files with the following extensions are
scanned:
ini
log
mdb
tbb
abd
adb
pl
rtf
doc
xls
txt
wab
eml
php
asp
shtml
dbx
wab
tbb
abd
adb
pl
The worm saves all found e-mail addresses to the MSLOGS32.DLL file
located in the Windows System folder. Despite its extension, this
is an ASCII text file, not a binary file.
The worm sends e-mail messages with German and English texts.
When sending a message to an e-mail address that has the domain
suffix DE, CH, AT, LI, NL or BE, as well as when the e-mail address
contains the '@GMX' substring, the worm uses German text strings;
otherwise it composes the message in English.
Here's what the English e-mail sent by the worm looks like:
Subject:
Microsoft Alert: Please Read!
Body:
New MyDoom Virus Variant Detected!
A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through
the Internet.
Anti-virus vendor Central Command claims that 1 in 45 e-mails contains
the MyDoom virus.
The worm also has a backdoor Trojan capability.
By default, the Trojan component listens on port 13468.
Protection:
Please download this digitally signed attachment.
This Update includes the functionality of previously released patches.
+++ c2004 Microsoft Corporation. All rights reserved.
+++ One Microsoft Way, Redmond, Washington 98052
+++ Restricted Rights at 48 CFR 52.227-19
Here's what the German e-mail sent by the worm looks like:
Subject:
Microsoft Alarm: Bitte Lesen!
Body:
Neue Virus-Variante W32.Mydoom verbreitet sich schnell.
Eine neue Mydoom-Variante verbreitet sich derzeit rasend schnell im Internet.
Wie seine Vorganger verschickt sich der Wurm von infizierten Windows-
Rechnern per E-Mail an weitere Adressen.
Zudem installiert er auf infizierten Systemen einen gefahrlichen Trojaner!
Fuhrende Virenspezialisten melden bereis ein vermehrtes Aufkommen des
W32.Mydoom alias W32.Novarg.
Bitte daten Sie Ihr System mit dem Patch ab, um sich vor diesem Schadling
zu schutzen!
+++ c2004 Microsoft Corporation. Alle Rechte vorbehalten.
+++ Microsoft Deutschland GmbH, Konrad-Zuse-Strasse 1
+++ 85716 Unterschleissheim, HRB 70438, DE 129 415 943
The sender's address is spoofed. The sender's name can be one of the
following:
Info
Center
UpDate
News
Help
Studio
Alert
Patch
Security
The domain part of the sender's address always contains the
'@microsoft' string, followed by a '.DE' or '.AT' suffix for German
messages and by a '.COM' suffix for English messages.
The worm sends itself as an attachment with an EXE extension or
inside a ZIP archive. The attachment name varies and can contain
one of the following:
Patch
MS-Security
MS-UD
UpDate
sys-patch
Additionally, the attachment name can contain random numbers.
The worm avoids sending messages to e-mail addresses that contain
one of the following strings:
abuse
winrar
domain.
host.
viren
bitdefender
spybot
hotmail
detection
ewido.
emsisoft
linux
google
@foo.
winzip
@arin
mozilla
@iana
@avp
@msn.
microsoft.
@sophos
@panda
symant
ntp-
ntp@
@ntp.
@kaspers
free-av
antivir
virus
verizon.
@ikarus.
@nai
@messagelab
clock
info@
t-online
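The message characteristics described above (fixed subjects, spoofed sender name and '@microsoft' domain, EXE or ZIP attachment with one of the listed name fragments) can be combined into a gateway-side check. The following is an added example (not F-Secure's code) that builds a few constructed messages with Python's `email` library and scores each against those indicators; a message is treated as a Sober.D candidate when at least two of the three indicator groups match. Treating the sender name as matching either the display name or the local part of the address, and the two-of-three threshold, are assumptions of this example, not statements from the description.

```python
"""Mail-side indicator check for Sober.D messages (added example, not F-Secure's code)."""
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Subjects quoted in the description, mapped to the language of the message body.
SUBJECTS = {
    "Microsoft Alert: Please Read!": "en",
    "Microsoft Alarm: Bitte Lesen!": "de",
}
# Sender names listed in the description (compared case-insensitively).
SENDER_NAMES = {"info", "center", "update", "news", "help", "studio",
                "alert", "patch", "security"}
# Fragments the description says the attachment name can contain.
ATTACH_WORDS = ("patch", "ms-security", "ms-ud", "update", "sys-patch")
# '@microsoft' followed by .DE/.AT (German) or .COM (English).
SENDER_DOMAIN = re.compile(r"microsoft\.(de|at|com)$")


def sober_d_indicators(msg: EmailMessage) -> list:
    """Return the names of the indicator groups that match the message."""
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        hits.append("subject")

    name, addr = parseaddr(str(msg["From"] or ""))
    local, _, domain = addr.rpartition("@")
    # Assumption: the listed name may be the display name or the local part.
    name_ok = name.lower() in SENDER_NAMES or local.lower() in SENDER_NAMES
    if name_ok and SENDER_DOMAIN.search(domain.lower()):
        hits.append("sender")

    for part in msg.iter_attachments():
        fn = (part.get_filename() or "").lower()
        if fn.endswith((".exe", ".zip")) and any(w in fn for w in ATTACH_WORDS):
            hits.append("attachment")
            break
    return hits


def is_sober_d_candidate(msg: EmailMessage) -> bool:
    """Assumption of this example: two matching indicator groups are enough to flag."""
    return len(sober_d_indicators(msg)) >= 2


def build_sample(from_hdr: str, subject: str, body: str, attach_name: str) -> EmailMessage:
    """Build a constructed test message with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    # Constructed placeholder payload; not a real executable.
    msg.add_attachment(b"MZ-placeholder", maintype="application",
                       subtype="octet-stream", filename=attach_name)
    return msg


# Constructed sample messages (not captured worm traffic).
SAMPLES = {
    "english_worm": build_sample("Security <info@microsoft.com>",
                                 "Microsoft Alert: Please Read!",
                                 "New MyDoom Virus Variant Detected!",
                                 "MS-Security7731.exe"),
    "german_worm": build_sample("UpDate <update@microsoft.de>",
                                "Microsoft Alarm: Bitte Lesen!",
                                "Neue Virus-Variante W32.Mydoom verbreitet sich schnell.",
                                "sys-patch.zip"),
    "benign": build_sample("Alice <alice@example.org>", "Lunch?",
                           "Are we still on for lunch?", "notes.txt"),
    "forwarded_subject_only": build_sample("Jane <jane@example.com>",
                                           "Microsoft Alert: Please Read!",
                                           "Is this legit? See attached screenshot.",
                                           "screenshot.png"),
}

if __name__ == "__main__":
    for label, m in SAMPLES.items():
        print(label, sober_d_indicators(m), is_sober_d_candidate(m))
```

The subject alone is not enough to flag a message, because a user forwarding the worm's text to a helpdesk would produce the same subject line; requiring the spoofed sender or the named executable attachment as well keeps such replies out of the quarantine.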
Detection of the Sober.D worm is available in the following FSAV
updates:
[FSAV_Database_Version]
Version=2004-03-08_01
Description:
Katrin Tocheva, March 8th, 2004;
Technical Details:
Alexey Podrezov; March 8th, 2004;
F-Secure Corporation