F-Secure Virus Descriptions : Sober.F

THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.

NAME: Sober.F
ALIAS: I-Worm.VB.C, W32/Sober.F@mm
SIZE: 42496

Summary

A new Sober variant, Sober.F, was found in Germany on Sunday, April 4th, 2004. This variant spreads itself in e-mail messages written in English and German.

Detailed Description

The worm is written in Visual Basic. The worm's file is a PE executable of length 42496 bytes, packed with a modified version of the UPX file compressor. The worm has its own SMTP engine that it uses to send out infected e-mail messages.

Installation to system

When the worm's file is run, it opens Notepad with a text file as a disguise.

Then the worm installs itself to the system. It copies itself once to the Windows System folder, under a semi-randomly generated name, and creates 2 startup keys for this file in the System Registry. The worm uses the following fixed text strings to generate the name of its file and the name of the startup key:

 sys
 host
 dir
 expolrer
 win
 run
 log
 32
 disc
 crypt
 data
 diag
 spool
 service
 smss32

The worm also creates 3 empty files in the same folder:

 zhcarxxi.vvx
 zmndpgwf.kxx
 bcegfds.lll

These files disable previous Sober variants if they are installed on an affected computer.

The worm creates startup entries pointing to its semi-randomly named file under the following System Registry keys:

 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

The name of the entry created by the worm is semi-randomly generated too, and its data is the path to the worm's file in the Windows System folder.
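As an added example (not part of F-Secure's description), the installation indicators above turned into a small host-triage helper. It assumes that the worm's file name and startup-entry name are concatenations of whole tokens from the fixed string list, which the page describes only as "semi-randomly generated", and it runs on a constructed Run-key table and a constructed System folder listing rather than a live system.

```python
import ntpath
from functools import lru_cache

# Fixed strings the description says the worm builds names from (verbatim, incl. "expolrer").
SOBER_TOKENS = ("sys", "host", "dir", "expolrer", "win", "run", "log", "32",
                "disc", "crypt", "data", "diag", "spool", "service", "smss32")
# Empty files the worm drops in the System folder to disable earlier Sober variants.
MARKER_FILES = frozenset({"zhcarxxi.vvx", "zmndpgwf.kxx", "bcegfds.lll"})

@lru_cache(maxsize=None)
def segment(name):
    """Split a lowercase name into SOBER_TOKENS; returns a tuple, or None if impossible."""
    # Assumption: the worm concatenates whole tokens (the page only says "semi-random").
    if not name:
        return ()
    for tok in SOBER_TOKENS:
        if name.startswith(tok):
            rest = segment(name[len(tok):])
            if rest is not None:
                return (tok,) + rest
    return None

def is_sober_style_name(name):
    """True if the name is built entirely from the token list using two or more tokens."""
    parts = segment(name.lower())  # a lone generic token such as "win" is not worth flagging
    return parts is not None and len(parts) >= 2

def suspicious_run_entries(run_values, system_dir=r"C:\WINDOWS\SYSTEM32"):
    """Flag Run/RunOnce entries whose value name AND target .exe both look worm-generated."""
    # run_values maps value name -> image path, as read from the two Run keys above.
    hits = []
    for value_name, path in run_values.items():
        folder, filename = ntpath.split(path.strip('"'))
        stem, ext = ntpath.splitext(filename)
        if (folder.lower() == system_dir.lower() and ext.lower() == ".exe"
                and is_sober_style_name(value_name) and is_sober_style_name(stem)):
            hits.append(value_name)
    return hits

def marker_files_present(listing):
    """Return which of the three disable-older-variant files appear in a folder listing."""
    return sorted(MARKER_FILES & {f.lower() for f in listing})

# Constructed sample data, not taken from a real infection.
SAMPLE_RUN = {
    "ctfmon": r"C:\WINDOWS\SYSTEM32\ctfmon.exe",
    "winlogdiag": r"C:\WINDOWS\SYSTEM32\syshostrun32.exe",
    "Adobe Reader": r"C:\Program Files\Adobe\Reader\reader_sl.exe",
}
SAMPLE_LISTING = ["kernel32.dll", "zhcarxxi.vvx", "bcegfds.lll", "notepad.exe"]
```

On the sample data, `suspicious_run_entries(SAMPLE_RUN)` returns `['winlogdiag']` and `marker_files_present(SAMPLE_LISTING)` returns `['bcegfds.lll', 'zhcarxxi.vvx']`; any hit still needs manual confirmation, since legitimate names can also happen to segment into these tokens.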

Spreading in e-mails

The worm scans files with certain extensions on all hard disks to harvest e-mail addresses. Files with the following extensions are scanned:

 ctl
 dhtm
 cgi
 pp
 ppt
 msg
 jsp
 oft
 vbs
 uin
 ldb
 abc
 pst
 cfg
 mdw
 mbx
 mdx
 mda
 adp
 nab
 fdb
 vap
 dsp
 ade
 sln
 dsw
 mde
 frm
 bas
 adr
 cls
 ini
 ldif
 log
 mdb
 xml
 wsh
 tbb
 abx
 abd
 adb
 pl
 rtf
 mmf
 doc
 ods
 nch
 xls
 nsf
 txt
 wab
 eml
 hlp
 mht
 nfo
 php
 asp
 shtml
 dbx

The worm can send messages chosen from a variety of templates in English and German. Some of the messages attempt to appear to the user as harmless error messages. Possible text appearing in those messages is:

 Hi, it's me
 hey you
 damn!
 Well, surprise?!
 Faulty mail delivery
 Mail delivery failed
 Mail Error
 Illegal signs in Mail-Routing
 Connection failed
 Invalid mail sentence length
 Mail Delivery failure
 Message Error
 mail delivery status
 Confirmation Required
 Bad Gateway
 Warning!
 Your document
 I was surprised, too! :-(
 Who could suspect something like that?
 shock
 All OK  :)
 Police
 see, what i've found!
 Textdocument
 hi its me
 i've found a shity virus on my pc. check your pc, too!
 follow the steps in this article.
 anitv_text
 instructions
 your_article
 Registration confirmation
 I 've told you!:-) sometime I grab your passwords!
 your_passwords
 I hope you accept the result!
 Follow the instructions to read the message.
 Please read the document
 messagedoc
 webmaster
 admin
 information
 Confirmation
 Your Password
 Your mail account
 Your password was changed successfully.
 Protected message is attached.

 7.28.114.32_failed_after_I_sent_the_message./Remote_host_said:
 _554_delivery_error:_dd_Sorry_your_message_cannot_be_delivered
 ._This_account_has_been_disabled_or_discontinued_[#102]._-_
 mta134.mail.  dcn.com

 ** End of Transmission
 The original message is a separate attachment.
 --- Mail To: UserHelp
 Error_Info
 _attach
 Read the attachment for details.
 Bad Gateway: The message has been attached.
 +++ A service of
 +++ Mail: home
 -attachment
 The message has been attached.
 attach-message
 Database #Error
 -- Partial message is available!
 -- Error: llegal signs in Mail-Routing
 -- Mail Server: ESMTP VX32.9 Version Betha Alpha

It also composes messages in such a way that they look as if they were scanned by an anti-virus product and found clean. Such messages will resemble:

 ++++ Im www erreichbar unter: http://www.[url chosen by the worm]
 ++++ E-Mail: [email chosen by the worm]

 *** Anti- Virus: Es wurde kein Virus erkannt
 *** [name chosen by the worm] Virenschutz
 *** http://www.[url chosen by the worm]

The text can be preceded by some other German sentence, and some of the strings may also differ from message to message.

Additional information

The Sober.F worm constantly checks the hard drive for the presence of a file named CVQAIKXT.APK. If this file is found, the worm unloads itself from memory. Also, if this file is present on the hard disk during the worm's installation process, the worm does not copy itself to the hard drive.

Sober.F denies access to its data and executable files while it is active in Windows memory.

Detection

Detection of the Sober.F worm is available in the following FSAV updates:

[FSAV_Database_Version]

Version=2004-04-02_01

Technical Details: Ero Carrera; April 4th, 2004

Description Updated: Alexey Podrezov; April 5th, 2004

F-Secure Corporation