Threat Description

Sober.J

Details

Aliases: Sober.J, W32/Sober.J@mm, Email-Worm.Win32.Sober.j, W32/Reblin.A@mm, Email-Worm.Win32.VB.af
Category: Malware
Type:
Platform: W32

Summary

Sober.J worm was seeded in e-mails on 31st of January 2005. It is quite similar to the previous variants.

Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

Technical Details

The worm is written in Visual Basic. The worm's file is a UPX-packed PE executable about 43 kilobytes long; unpacked, the file is over 140 kilobytes. The worm appends random garbage to the end of its file every time it installs itself on a computer.

Installation to system

When the worm's file is started, it opens the Write text editor with the following text as a decoy:

Then the worm installs itself on the system. It copies itself to the Windows System folder under a semi-randomly generated name with an EXE extension. The following text strings are used to generate the file name of the worm's executable:

sys
host
dir
expoler
win
run
log
32
disc
crypt
data
diag
spool
service
smss32

After that the worm creates startup keys for its file in the Windows Registry. The names are also semi-randomly generated from the list above. The following keys are created:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<random>" = "%WinSysDir%\<random>.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<random>" = "%WinSysDir%\<random>.exe"

During its installation cycle the worm creates the following files in the Windows System folder:

dgssxy.yoi
sysmms32.lla
cvqaikxt.apk
Odin-Anon.Ger
nonrunso.ber

These files have zero length and they are used to disable previous variants of Sober if they are installed on an infected computer.

Additionally the worm creates the following files:

dgsfzipp.gmx
datamx.dam

The 'dgsfzipp.gmx' file is a MIME-encoded ZIP archive containing the worm's file; it is used when the worm spreads in e-mail messages. The 'datamx.dam' file contains the e-mail addresses the worm collects on an infected computer.

Additionally, the worm creates a 'read.me' file that contains the following text:

Ist nur eine kleine Test-Version
In diesem Sinne:
Odin alias Anon
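The fixed file names, the token-built executable and Run entry names, and the 'stopruns.zhz' inoculation file mentioned under Deactivation are what a host-side check can look for. The following is an added example, not F-Secure's code; it assumes the "semi-random" names are plain concatenations of the fragments listed above (the page does not state the exact scheme) and runs on a constructed folder listing and Run-key dictionary rather than the live registry.

```python
# Added example, not F-Secure's code. Assumption: generated names are concatenations of the fragments below.
SOBER_J_TOKENS = ["sys", "host", "dir", "expoler", "win", "run", "log", "32",
                  "disc", "crypt", "data", "diag", "spool", "service", "smss32"]
# Fixed-name files the description says the worm writes to the Windows System folder.
SOBER_J_FILES = {"dgssxy.yoi", "sysmms32.lla", "cvqaikxt.apk", "odin-anon.ger",
                 "nonrunso.ber", "dgsfzipp.gmx", "datamx.dam"}

def token_composed(stem: str) -> bool:
    """True if `stem` splits entirely into SOBER_J_TOKENS (word-break dynamic programming)."""
    stem = stem.lower()
    reachable = [True] + [False] * len(stem)   # reachable[i]: stem[:i] is fully segmentable
    for i in range(len(stem)):
        if reachable[i]:
            for tok in SOBER_J_TOKENS:
                if stem.startswith(tok, i):
                    reachable[i + len(tok)] = True
    return reachable[len(stem)]

def exe_stem_in_sysdir(data: str):
    """Return the file stem if a Run value points at an .exe in the System folder, else None."""
    folder, _, fname = data.strip().strip('"').rpartition("\\")
    in_sysdir = folder.lower() == "%winsysdir%" or folder.lower().endswith("\\system32")
    if in_sysdir and fname.lower().endswith(".exe"):
        return fname[:-4]
    return None

def assess(system_dir_listing, run_values):
    """Combine the indicators: marker files present, token-built Run entries, inoculation file."""
    listing = {f.lower() for f in system_dir_listing}
    run_hits = []
    for name, data in run_values.items():
        stem = exe_stem_in_sysdir(data)
        # Require the value name AND the target file name to be token-built, and the target
        # to exist in the folder, so a lone name such as "win32" does not trigger by itself.
        if stem and token_composed(name) and token_composed(stem) and f"{stem.lower()}.exe" in listing:
            run_hits.append((name, data))
    return {"marker_files": sorted(listing & SOBER_J_FILES),
            "run_entries": run_hits,
            "inoculated": "stopruns.zhz" in listing}

# Constructed sample input (not a real capture): one Sober-like Run entry beside a benign one.
SAMPLE_LISTING = ["kernel32.dll", "dgssxy.yoi", "datamx.dam", "windisc32.exe", "winlogon.exe"]
SAMPLE_RUN = {"syshost": r"C:\WINDOWS\system32\windisc32.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
```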

Spreading in e-mails

The worm sends e-mail messages with English or German text and its file attached. The attachment is a ZIP archive containing the worm's executable. The worm composes two different e-mail messages; the English one is shown further below.

Before spreading, the worm scans files with certain extensions on all hard disks to harvest e-mail addresses. Files with the following extensions are scanned:

pmr
phtm
stm
slk
inbox
imb
csv
bak
imh
xhtml
imm
imh
cms
nws
vcf
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx

The e-mail addresses and user names found are saved in the 'datamx.dam' file that the worm creates in the Windows System folder.

While the worm is active in memory, it blocks access to these files as well as to its MIME-encoded file and its executable.

The worm ignores e-mail addresses that contain any of the following substrings:

ntp-
ntp@
ntp.
info@
test@
office
@www
@from.
support
smtp-
@smtp.
gold-certs
ftp.
.dial.
.ppp.
anyone
subscribe
announce
@gmetref
sql.
someone
nothing
you@
user@
reciver@
somebody
secure
me@
whatever@
whoever@
anywhere
yourname
mustermann@
.kundenserver.
mailer-daemon
variabel
password
noreply
-dav
law2
.sul.t-
.qmail@
t-ipconnect
t-dialin
ipt.aol
time
postmas
service
freeav
@ca.
abuse
winrar
domain.
host.
viren
bitdefender
spybot
detection
ewido.
emsisoft
linux
google
@foo.
winzip
@example.
bellcore.
@arin
mozilla
@iana
@avp
icrosoft.
@sophos
@panda
@kaspers
free-av
antivir
virus
verizon.
@ikarus.
@nai.
@messagelab
nlpmail01.
clock

If the worm sends infected messages to domains with the suffixes '.de', '.ch' or '.at', it composes a message in German; otherwise an English message is composed.

The worm composes the following English message:

Subject:

I've got YOUR email on my account!!

Body:

Hello,
First, Sorry for my very bad English!
Someone send your private mails on my email account!
I think it's an Mail-Provider or SMTP error.
Normally, I delete such emails immediately, but in the mail-text
is a name & adress. I think it's your name and adress.
The sender of this mails is in the text file, too.
In the last 8 days i've got 7 mails in my mail-box, but the
recipient are you, not me. lol
OK, I've copied all email text in the Windows Text-Editor and
i've zipped the text file with WinZip.
bye

Attachment:

email_text.zip

or

text.zip

The ZIP archive sent by the worm contains the worm's executable file with the following name:

mail_text-info.txt  <lots of spaces>.pif

The worm does not use any exploits to start its file automatically on a recipient's system.
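Because no exploit is involved, the whitespace-padded '.pif' name inside the archive is the part a mail gateway can check. The following is an added example, not F-Secure's code: it builds a constructed archive with the same naming pattern (a harmless text member, not the worm) and flags any member whose real executable extension is hidden behind a run of spaces, using the two attachment names the description gives as an extra signal.

```python
import io
import re
import zipfile

# Added example, not F-Secure's code. Extension set and padding threshold are this example's choices.
EXEC_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
SOBER_J_ATTACHMENTS = {"email_text.zip", "text.zip"}   # attachment names given in the description
# A visible "document" extension, then two or more whitespace characters, then the real extension.
_PADDED = re.compile(r"^(?P<shown>.+\.\w{1,5})(?P<pad>\s{2,})(?P<real>\.\w{1,4})$")

def disguised_members(zip_bytes: bytes) -> list:
    """Return (member, visible_name, real_ext) for members whose extension is hidden by padding."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            m = _PADDED.match(info.filename.rsplit("/", 1)[-1])   # check the base name only
            if m and m.group("real").lower() in EXEC_EXTS:
                hits.append((info.filename, m.group("shown"), m.group("real").lower()))
    return hits

def verdict(attachment_name: str, zip_bytes: bytes) -> str:
    """Classify an attachment: clean, a generic disguised executable, or Sober.J-like naming."""
    hits = disguised_members(zip_bytes)
    if not hits:
        return "clean"
    if attachment_name.lower() in SOBER_J_ATTACHMENTS:
        return "sober.j-like"
    return "disguised-executable"

def build_sample() -> bytes:
    """Constructed stand-in for the worm's archive: a text member with a padded .pif name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mail_text-info.txt" + " " * 150 + ".pif", b"constructed placeholder, not malware")
        zf.writestr("notes.txt", b"benign member")
    return buf.getvalue()
```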

Deactivation

The worm does not infect a computer if a file named 'stopruns.zhz' is present in the Windows System folder.

Detection

Sober.J worm is detected with the following FSAV updates:
Detection Type: PC
Database: 2005-01-31_01

Description Created: Alexey Podrezov; January 31st, 2005
Description Last Modified: Alexey Podrezov; February 21st, 2005
