F-Secure Virus Descriptions : Sober.J
NAME: Sober.J
ALIAS: W32/Sober.J@mm, Email-Worm.Win32.Sober.j, W32/Reblin.A@mm,
Email-Worm.Win32.VB.af
The Sober.J worm was seeded in e-mail on 31 January 2005. It is
quite similar to the previous variants.
The worm is written in Visual Basic. The worm's file is a UPX-packed
PE executable about 43 kilobytes long; unpacked it is over 140
kilobytes. The worm appends random garbage to the end of its file
every time it installs itself on a computer, so the size and hash
of the installed copy differ from machine to machine.
Installation to system
When the worm's file is started it opens the Write text editor with
the following text as a decoy:
The worm then installs itself to the system: it copies itself to
the Windows System folder under a semi-randomly generated name
with an EXE extension. The file name of the worm's executable is
assembled from the following text strings:
sys
host
dir
expoler
win
run
log
32
disc
crypt
data
diag
spool
service
smss32
After that the worm creates startup entries for its file in the
Windows Registry. The value names are also semi-randomly generated
from the list above. The following values are created:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<random>" = "%WinSysDir%\<random>.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<random>" = "%WinSysDir%\<random>.exe"
During its installation cycle the worm creates the following
files in the Windows System folder:
dgssxy.yoi
sysmms32.lla
cvqaikxt.apk
Odin-Anon.Ger
nonrunso.ber
These are zero-length marker files; they are used to disable
previous Sober variants if those are installed on the infected
computer.
Additionally the worm creates the following files:
dgsfzipp.gmx
datamx.dam
The 'dgsfzipp.gmx' file is a MIME-encoded ZIP archive containing
the worm's file; it is the attachment the worm sends when spreading
in e-mail. The 'datamx.dam' file holds the e-mail addresses the
worm collects on the infected computer.
Additionally the worm creates the 'read.me' file that contains
the following text:
Ist nur eine kleine Test-Version
In diesem Sinne:
Odin alias Anon
(In English: "It's only a small test version / In this spirit: /
Odin alias Anon".)
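The installation steps above (a file name built from the fragment list, Run values under HKCU and HKLM, the zero-length marker files, and the 'stopruns.zhz' kill switch described under Deactivation) can be checked offline against a registry export and a System folder listing. The script below is an added example written for this page, not F-Secure's tooling or the worm's code; the .reg export, the directory listing and the 'C:\WINDOWS\system32' path used in them are constructed assumptions.

```python
"""Triage helper for Sober.J-style persistence: Run values pointing at an
EXE in the System folder whose name is stitched together from the worm's
word list, plus the marker files and the kill switch. Added example; the
registry export and directory listing below are constructed."""
import re

# Name fragments taken from the description; the worm joins several of
# these to form its file name and its Run value name.
FRAGMENTS = ["sys", "host", "dir", "expoler", "win", "run", "log", "32",
             "disc", "crypt", "data", "diag", "spool", "service", "smss32"]

# Zero-length files the worm drops to switch off earlier variants, and the
# file whose presence stops Sober.J itself from installing.
MARKER_FILES = {"dgssxy.yoi", "sysmms32.lla", "cvqaikxt.apk",
                "odin-anon.ger", "nonrunso.ber"}
KILL_SWITCH = "stopruns.zhz"

RUN_KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\]$",
    re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def composable(stem, fragments=FRAGMENTS):
    """True if `stem` can be split entirely into fragments from the list
    (e.g. 'syscrypt' = sys + crypt). Prefix DP, so overlapping fragments
    such as '32' and 'smss32' are handled without backtracking."""
    stem = stem.lower()
    ok = [True] + [False] * len(stem)          # ok[i]: stem[:i] splits
    for i in range(1, len(stem) + 1):
        ok[i] = any(ok[i - len(f)] and stem.endswith(f, 0, i)
                    for f in fragments if len(f) <= i)
    return bool(stem) and ok[len(stem)]


def suspicious_run_entries(reg_export, fragments=FRAGMENTS):
    """Parse a .reg export and return (hive, value name, path) for every
    Run value whose target is <System folder>\\<composable name>.exe."""
    hits, hive = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):                 # new key: is it ...\Run?
            m = RUN_KEY_RE.match(line)
            hive = m.group(1).upper() if m else None
            continue
        m = VALUE_RE.match(line) if hive else None
        if not m:
            continue
        # .reg files double every backslash inside string data.
        value_name, path = m.group(1), m.group(2).replace("\\\\", "\\")
        directory, _, filename = path.rpartition("\\")
        stem, _, ext = filename.rpartition(".")
        if (directory.lower().endswith("\\system32") and ext.lower() == "exe"
                and composable(stem, fragments)):
            hits.append((hive, value_name, path))
    return hits


def marker_status(system_dir_listing):
    """Report which marker files are present and whether the kill switch is."""
    names = {n.lower() for n in system_dir_listing}
    return {"markers": sorted(names & MARKER_FILES),
            "kill_switch": KILL_SWITCH in names}


# Constructed .reg export: two legitimate entries and two worm-style ones.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"syscrypt"="C:\\WINDOWS\\system32\\syscrypt.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"hostdir32"="C:\\WINDOWS\\system32\\hostdir32.exe"
'''

# Constructed System folder listing.
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "Odin-Anon.Ger", "datamx.dam",
                     "nonrunso.ber", "syscrypt.exe"]

if __name__ == "__main__":
    for hive, name, path in suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f"{hive}\\...\\Run  {name!r} -> {path}")
    print(marker_status(SAMPLE_SYSTEM_DIR))
```

The fragment test on its own is only a heuristic (short pieces such as 'sys', 'win' and 'log' compose a few legitimate-looking names), which is why the script also requires the target to be an EXE in the System folder; any hit should still be confirmed by scanning the file itself, since the random padding the worm appends means its hash cannot be matched against a fixed list.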
Spreading in e-mails
The worm sends e-mail messages with English or German text and
its file attached. The attachment is a ZIP archive containing
the worm's executable. The worm composes two different e-mail
messages, one English and one German; the English message is
reproduced below.
Before spreading, the worm scans all hard disks for files with
the following extensions and harvests e-mail addresses from them:
pmr
phtm
stm
slk
inbox
imb
csv
bak
imh
xhtml
imm
cms
nws
vcf
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx
The e-mail addresses and user names found are saved in the
'datamx.dam' file that the worm creates in the Windows System
folder. While the worm is active in memory it blocks access to
this file as well as to its MIME-encoded file and its executable.
The worm ignores e-mail addresses that contain any of the
following substrings:
ntp-
ntp@
ntp.
info@
test@
office
@www
@from.
support
smtp-
@smtp.
gold-certs
ftp.
.dial.
.ppp.
anyone
subscribe
announce
@gmetref
sql.
someone
nothing
you@
user@
reciver@
somebody
secure
me@
whatever@
whoever@
anywhere
yourname
mustermann@
.kundenserver.
mailer-daemon
variabel
password
noreply
-dav
law2
.sul.t-
.qmail@
t-ipconnect
t-dialin
ipt.aol
time
postmas
service
freeav
@ca.
abuse
winrar
domain.
host.
viren
bitdefender
spybot
detection
ewido.
emsisoft
linux
google
@foo.
winzip
@example.
bellcore.
@arin
mozilla
@iana
@avp
icrosoft.
@sophos
@panda
@kaspers
free-av
antivir
virus
verizon.
@ikarus.
@nai.
@messagelab
nlpmail01.
clock
If the recipient's address is in a domain ending in '.de', '.ch'
or '.at', the worm composes the message in German; otherwise it
composes the English message.
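The address filter and the language rule above decide which mailboxes an infected host will ever mail, which matters when choosing sentinel addresses or reading a honeypot's inbox. The following Python reimplements that selection as the description states it. It is an added example written for this page, not the worm's code; the sample mail text and the domains in it are constructed, and case-insensitive matching is an assumption that the description does not confirm.

```python
"""Target selection as described for Sober.J: harvest addresses from
text, drop any containing a blocked substring, pick the language by TLD.
Added example; sample text is constructed."""
import re

# Substrings that cause an address to be ignored, copied from the
# description's list (whitespace-separated here for brevity).
BLOCKED = """
ntp- ntp@ ntp. info@ test@ office @www @from. support smtp- @smtp.
gold-certs ftp. .dial. .ppp. anyone subscribe announce @gmetref sql.
someone nothing you@ user@ reciver@ somebody secure me@ whatever@ whoever@
anywhere yourname mustermann@ .kundenserver. mailer-daemon variabel
password noreply -dav law2 .sul.t- .qmail@ t-ipconnect t-dialin ipt.aol
time postmas service freeav @ca. abuse winrar domain. host. viren
bitdefender spybot detection ewido. emsisoft linux google @foo. winzip
@example. bellcore. @arin mozilla @iana @avp icrosoft. @sophos @panda
@kaspers free-av antivir virus verizon. @ikarus. @nai. @messagelab
nlpmail01. clock
""".split()

GERMAN_TLDS = (".de", ".ch", ".at")

# Loose address pattern; the worm's own parser is not documented.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest(text):
    """Addresses in order of first appearance, duplicates removed."""
    seen, out = set(), []
    for addr in ADDR_RE.findall(text):
        key = addr.lower()
        if key not in seen:
            seen.add(key)
            out.append(addr)
    return out


def blocked_by(addr, blocked=BLOCKED):
    """Every blocked substring the address contains (plain substring test,
    so 'tim.time@...' is caught by both 'me@' and 'time')."""
    a = addr.lower()
    return [s for s in blocked if s in a]


def is_blocked(addr, blocked=BLOCKED):
    return bool(blocked_by(addr, blocked))


def language_for(addr):
    """German for .de/.ch/.at recipients, English for everyone else."""
    return "de" if addr.lower().endswith(GERMAN_TLDS) else "en"


def plan(text):
    """Map each address the worm would actually mail to the language it
    would use for that recipient."""
    return {a: language_for(a) for a in harvest(text) if not is_blocked(a)}


# Constructed scrap of a mail folder, as the worm would scan it.
SAMPLE_TEXT = """\
From: hans.mueller@firma-nord.de
To: anna@alpenbank.ch; abuse@alpenbank.ch
Cc: customer.service@acme-widgets.com, jdoe@acme-widgets.com
Replies to noreply@acme-widgets.com are discarded.
Contact tim.time@bergbahn.at or postmaster@bergbahn.at; info@bergbahn.at
Best regards, karl@bergbahn.at
"""

if __name__ == "__main__":
    for addr in harvest(SAMPLE_TEXT):
        hit = blocked_by(addr)
        print(f"{addr:40} {'skip ' + str(hit) if hit else language_for(addr)}")
```

Two things stand out when the filter is run: the test is a bare substring match, so ordinary names that happen to contain 'time' or 'me@' are silently dropped, and every address under an '@example.' domain is excluded, so a sentinel placed in such a domain will never see the worm's mail.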
The worm composes the following English message:
Subject:
I've got YOUR email on my account!!
Body:
Hello,
First, Sorry for my very bad English!
Someone send your private mails on my email account!
I think it's an Mail-Provider or SMTP error.
Normally, I delete such emails immediately, but in the mail-text
is a name & adress. I think it's your name and adress.
The sender of this mails is in the text file, too.
In the last 8 days i've got 7 mails in my mail-box, but the
recipient are you, not me. lol
OK, I've copied all email text in the Windows Text-Editor and
i've zipped the text file with WinZip.
bye
Attachment:
email_text.zip
or
text.zip
The ZIP archive sent by the worm contains the worm's executable
file under the following name:
mail_text-info.txt <lots of spaces> .pif
The run of spaces pushes the real '.pif' extension out of view in
most file listings, so the entry appears to be a plain text file.
The worm does not use any exploit to start its file automatically
on a recipient's system; it runs only if the recipient opens the
'.pif' file from the archive.
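A mail gateway can catch this attachment without extracting it by looking at the entry names inside the ZIP. The Python below is an added example written for this page, not F-Secure's or the worm's code; it builds the archive in memory with harmless placeholder bytes in place of the worm, and the list of executable extensions is an assumption rather than a complete policy.

```python
"""Gateway-style check for whitespace-padded double extensions inside a
ZIP attachment ('mail_text-info.txt<spaces>.pif'). Added example; the
archive is constructed in memory with a placeholder payload."""
import io
import re
import zipfile

# Extensions Windows runs on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs", "js",
                   "wsh", "lnk"}

# '<name>.<decoy ext><whitespace>.<real ext>' at the end of the name.
PADDED_RE = re.compile(r"\.([A-Za-z0-9]{1,5})\s+\.([A-Za-z0-9]{1,4})$")


def padded_double_extension(name):
    """Return (decoy_ext, real_ext) when whitespace padding hides an
    executable extension behind a harmless-looking one, else None."""
    m = PADDED_RE.search(name)
    if not m:
        return None
    decoy, real = m.group(1).lower(), m.group(2).lower()
    return (decoy, real) if real in EXECUTABLE_EXTS else None


def classify(name):
    """Reason to block an archive entry, or None if it looks harmless."""
    hit = padded_double_extension(name)
    if hit:
        return f"padded double extension: .{hit[0]} hides .{hit[1]}"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXECUTABLE_EXTS:
        return f"executable extension .{ext}"
    return None


def scan_zip(data):
    """Inspect every entry of an in-memory ZIP without extracting it;
    return [(entry name, reason)] for entries that should be blocked."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = classify(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip(padding=120):
    """Construct an archive shaped like the worm's 'email_text.zip'.
    The payload is placeholder bytes, not the worm."""
    name = "mail_text-info.txt" + " " * padding + ".pif"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, b"placeholder bytes standing in for the worm")
        zf.writestr("readme.txt", b"benign text, should not be flagged")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_zip(build_sample_zip()):
        print(f"{name.split()[0]!r} ... {name.split()[-1]!r}: {reason}")
```

The check reads only the central directory, so it costs nothing to run on every archive and does not depend on the payload's bytes, which is useful here because the worm's padding makes its file hash vary between copies.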
Deactivation
The worm does not infect a computer if a file named 'stopruns.zhz'
is present in the Windows System folder.
Sober.J worm is detected with the following FSAV updates:
Version=2005-01-31_01
Technical Details:
Alexey Podrezov; January 31st, 2005;
Description Modified:
Alexey Podrezov; February 21st, 2005;
F-Secure Corporation