Threat Description

Email-Worm:​W32/Sober.F

Details

Aliases:Email-Worm:​W32/Sober.F
Category:Malware
Type:Email-Worm
Platform:W32

Summary



A worm that spreads via e-mail, usually in infected executable e-mail file attachments.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Email-Worm:W32/Sober.F is written in Visual Basic. The worm's file is a PE executable of length 42496 bytes, packed with a modified version of UPX file compressor. The worm has its own SMTP engine that it uses to send out infected e-mail messages.

Installation

When the worm's file is run, it opens Notepad with a text file as a disguise:

Then the worm installs itself to system. It copies itself to Windows System folder once, with a semi-randomly generated name and creates 2 startup keys for this file in System Registry. The worm uses the following fixed text strings to generate the name of its file and the name of the startup key:

  • sys
  • host
  • dir
  • expolrer
  • win
  • run
  • log
  • 32
  • disc
  • crypt
  • data
  • diag
  • spool
  • service
  • smss32

The worm also creates 3 empty files in the same folder:

  • zhcarxxi.vvx
  • zmndpgwf.kxx
  • bcegfds.lll

These files disable previous Sober variants if they are installed on an affected computer.

The worm creates a startup Registry key to its semi-randomly named file in System Registry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

The subkey name that is created by the worm is semi-randomly generated too. The value of a subkey is the path the worm's file in Windows System folder.

Activity

Sober.F worm constantly checks a hard drive for the presence of the file named CVQAIKXT.APK. If this file is found, the worm unloads itself from memory. Also if this file is present on a hard disk during the worm's installation process, the worm does not copy itself to a hard drive.

Sober.F denies access to its data and executable files if it is active in Windows memory.

E-mail (Propagation)

The worm scans files with certain extensions on all hard disks to harvest e-mail addresses. Files with the following extensions are scanned:

  • ctl
  • dhtm
  • cgi
  • pp
  • ppt
  • msg
  • jsp
  • oft
  • vbs
  • uin
  • ldb
  • abc
  • pst
  • cfg
  • mdw
  • mbx
  • mdx
  • mda
  • adp
  • nab
  • fdb
  • vap
  • dsp
  • ade
  • sln
  • dsw
  • mde
  • frm
  • bas
  • adr
  • cls
  • ini
  • ldif
  • log
  • mdb
  • xml
  • wsh
  • tbb
  • abx
  • abd
  • adb
  • pl
  • rtf
  • mmf
  • doc
  • ods
  • nch
  • xls
  • nsf
  • txt
  • wab
  • eml
  • hlp
  • mht
  • nfo
  • php
  • asp
  • shtml
  • dbx

The worm can send messages chosen from variety of templates in English and German. Some of the messages will attempt tp appear to the eyes of the users as harmless error messages. Possible text appearing in those messages is:

  • Hi, it's me
  • hey you
  • damn!
  • Well, surprise?!
  • Faulty mail delivery
  • Mail delivery failed
  • Mail Error
  • Illegal signs in Mail-Routing
  • Connection failed
  • Invalid mail sentence length
  • Mail Delivery failure
  • Message Error
  • mail delivery status
  • Confirmation Required
  • Bad Gateway
  • Warning!
  • Your document
  • I was surprised, too! :-(
  • Who could suspect something like that?
  • shock
  • All OK :)
  • Police
  • see, what i've found!
  • Textdocument
  • hi its me
  • i've found a shity virus on my pc. check your pc, too!
  • follow the steps in this article.
  • anitv_text
  • instructions
  • your_article
  • Registration confirmation
  • I 've told you!:-) sometime I grab your passwords!
  • your_passwords
  • I hope you accept the result!
  • Follow the instructions to read the message.
  • Please read the document
  • messagedoc
  • webmaster
  • admin
  • information
  • Confirmation
  • Your Password
  • Your mail account
  • Your password was changed successfully.
  • Protected message is attached.
7.28.114.32_failed_after_I_sent_the_message./Remote_host_said:
_554_delivery_error:_dd_Sorry_your_message_cannot_be_delivered
._This_account_has_been_disabled_or_discontinued_[#102]._-_
mta134.mail. dcn.com
 
** End of Transmission
The original message is a separate attachment.
--- Mail To: UserHelp
Error_Info
_attach
Read the attachment for details.
Bad Gateway: The message has been attached.
+++ A service of
+++ Mail: home
-attachment
The message has been attached.
attach-message
Database #Error
-- Partial message is available!
-- Error: llegal signs in Mail-Routing
-- Mail Server: ESMTP VX32.9 Version Betha Alpha

It also composes messages in such a way that they look as if scanned by some Anti-Virus and found clean. Messages will resemble:

++++ Im www erreichbar unter: http://www.[url chosen by the worm]
++++ E-Mail: [email chosen by the worm]
 
*** Anti- Virus: Es wurde kein Virus erkannt
*** [name chosen by the worm] Virenschutz
*** http://www.[url chosen by the worm]
 

The text can be preceded by some other german sentence, and some of the strings may also differ from message to message.



Detection


Detection of Sober.F is available in the following FSAV updates:
Detection Type: PC
Database: 2004-04-02_01




SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More