F-Secure Virus Descriptions : Sober.H
Sober.H appeared on June 11th, 2004. Unlike earlier Sober variants, it
does not spread itself in e-mails. Instead, it mass-mails political
statements. It may have been downloaded to computers already infected
by an earlier Sober variant, Sober.G for example.
Sober.H is written in Visual Basic. Its file is a PE executable,
59747 bytes long, packed with the UPX file compressor. Sober.H has
its own SMTP engine.
Installation to system
When Sober.H's file is started, it installs itself to the system. It
copies itself to the Windows System folder under a semi-randomly
generated name with an EXE extension. The following text strings are
used to generate the file name of Sober's executable:
sys
host
dir
expolrer
win
run
log
32
disc
crypt
data
diag
spool
service
smss32
After that Sober.H creates startup entries for its file in the Windows
Registry. The value names are also semi-randomly generated from the
list given above. The following values are created:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<random>" = "%WinSysDir%\<random>.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<random>" = "%WinSysDir%\<random>.exe"
During its installation cycle Sober.H creates the following files
in Windows System folder:
bcegfds.lll
zhcarxxi.vvx
cvqaikxt.apk
Odin-Anon.Ger
These files have zero length. They act as markers that disable
previous Sober variants if those are installed on the infected
computer.
Sending e-mails
Sober.H sends various e-mail messages containing political
statements. It does not attach itself to these messages.
Before spamming, Sober.H scans files with certain extensions on
all hard disks to harvest e-mail addresses. Files with the
following extensions are scanned:
pmr
stm
slk
inbox
imb
csv
bak
imh
xhtml
imm
imh
cms
nws
vcf
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx
The harvested e-mail addresses and user names are saved in these two
files, which Sober.H creates in the Windows System folder:
llsapwin32.dats
mswn32sock.dats
While Sober.H is active in memory, it blocks access to these files
as well as to its own executable file.
Sober.H ignores e-mail addresses that contain any of the
following substrings:
@www
@from.
smtp-
@smtp.
gold-certs
ftp.
.dial.
.ppp.
anyone
subscribe
mantec
announce
@gmetref
sql.
someone
nothing
you@
user@
reciver@
somebody
secure
msdn.
me@
whatever@
whoever@
anywhere
yourname
mustermann@
.kundenserver.
mailer-daemon
variabel
-dav
law2
.sul.t-
.qmail@
t-ipconnect
t-dialin
ipt.aol
time
freeav
@ca.
abuse
winrar
domain.
host.
viren
bitdefender
spybot
detection
icrosoft
ewido.
emsisoft
@foo.
winzip
@example.
bellcore.
@arin
mozilla
@iana
@avp
@msn
@sophos
@panda
@kaspers
free-av
antivir
virus
verizon.
@ikarus.
@nai.
@messagelab
nlpmail01.
clock
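The ignore list above is plain substring matching against each harvested address, which is why it skips anti-virus vendors, abuse and postmaster-style mailboxes and placeholder addresses, and also why overbroad entries such as "time" and "clock" drop unrelated addresses. The following is an added example, not F-Secure's code: it extracts addresses from a constructed mailbox fragment of the kind found in .eml or .dbx files and splits them into those the worm would mail and those it would skip, recording the first matching substring. Comparing case-insensitively is an assumption; the description does not state how the worm compares.

```python
"""Added example (not F-Secure's code): Sober.H-style address harvesting
with the ignore list from the description, run over constructed text."""
import re

# Substrings that cause an address to be skipped (from the description).
# Case-insensitive comparison is an assumption; the description does not say.
IGNORE_SUBSTRINGS = (
    "@www", "@from.", "smtp-", "@smtp.", "gold-certs", "ftp.", ".dial.", ".ppp.",
    "anyone", "subscribe", "mantec", "announce", "@gmetref", "sql.", "someone",
    "nothing", "you@", "user@", "reciver@", "somebody", "secure", "msdn.", "me@",
    "whatever@", "whoever@", "anywhere", "yourname", "mustermann@", ".kundenserver.",
    "mailer-daemon", "variabel", "-dav", "law2", ".sul.t-", ".qmail@", "t-ipconnect",
    "t-dialin", "ipt.aol", "time", "freeav", "@ca.", "abuse", "winrar", "domain.",
    "host.", "viren", "bitdefender", "spybot", "detection", "icrosoft", "ewido.",
    "emsisoft", "@foo.", "winzip", "@example.", "bellcore.", "@arin", "mozilla",
    "@iana", "@avp", "@msn", "@sophos", "@panda", "@kaspers", "free-av", "antivir",
    "virus", "verizon.", "@ikarus.", "@nai.", "@messagelab", "nlpmail01.", "clock",
)

# Loose address pattern of the kind a harvester uses on arbitrary file contents.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def ignore_reason(address):
    """Return the first ignore-list substring found in `address`, else None."""
    lowered = address.lower()
    for needle in IGNORE_SUBSTRINGS:
        if needle in lowered:
            return needle
    return None


def harvest(text):
    """Split addresses found in `text` into (kept, dropped).

    kept: ordered list of unique addresses that pass the ignore list.
    dropped: {address: matching substring} for those the worm would skip.
    """
    kept, dropped = [], {}
    for address in ADDRESS_RE.findall(text):
        address = address.lower()
        if address in kept or address in dropped:
            continue
        reason = ignore_reason(address)
        if reason is None:
            kept.append(address)
        else:
            dropped[address] = reason
    return kept, dropped


# Constructed sample: a mailbox fragment like those found in .eml/.dbx files.
SAMPLE_TEXT = """\
From: alice@somecompany.test
To: dave@somecompany.test, parttime.jobs@somecompany.test
Cc: abuse@somecompany.test, support@sophos.com
Reply-To: bob@mozilla-fans.test
Return-Path: MAILER-DAEMON@somecompany.test
"""

if __name__ == "__main__":
    kept, dropped = harvest(SAMPLE_TEXT)
    print("would be mailed:", kept)
    for address, reason in dropped.items():
        print(f"skipped {address}: contains {reason!r}")
```

The same list is useful in the other direction: a seed or honeytoken address planted to detect this kind of harvesting must not contain any of these substrings, or the worm will never mail it.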
Payload
Sober.H can download and run an executable file from the following
website:
people.freenet.de
The downloaded executable is named 'winhlpx32ll.exe'.
Deactivation of Sober.H
Sober.H periodically looks for a file named 'sysmms32.lla'. If this
file is found, it terminates itself and unloads from memory. Moreover,
if this file is present in the Windows System folder, Sober.H does
not install itself on the system.
Detection of Sober.H is available in the following FSAV updates:
[FSAV_Database_Version]
Version=2004-06-11_03
Technical Details:
Alexey Podrezov; June 11th, 2004;
F-Secure Corporation