Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Sober.K


Aliases:


Sober.K
W32/Sober.K@mm, Email-Worm.Win32.Sober.k

Malware

W32

Summary

Sober.K worm was seeded in e-mails on 21st of February 2005. It is quite similar to the previous variants. Sober.K sends itself as an attachment in e-mail messages with English or German texts.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

The worm is written in Visual Basic. The worm's file is a UPX packed PE executable about 52 kilobytes long. The unpacked worm's file size is over 179 kilobytes. The worm adds random garbage to the end of its file every time it installs itself on a computer.


Installation to system

When the worm's file is started it opens Write text editor with the following text as a decoy:

When the worm's file is run, it copies itself with 3 different names to %WinDir%\msagent\win32\ folder:

csrss.exe
 smss.exe
 winlogon.exe


These files are identical to the worm's copy except for byte at offset 0xA0. This byte is different in every dropped copy. The worm always keeps 2 of its processes in memory.

Sober.K worm adds startup keys for one of these files in System Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "_winsystem.sys" = "%WinDir%\msagent\win32\smss.exe"
 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "winsystem.sys" = "%WinDir%\msagent\win32\smss.exe"


If these keys are deleted, the worm re-creates them after a few seconds.

Also the worm drops a few empty files to Windows System and to the main installation folder. These files are used to deactivate previous variants of the worm:

runnowso.ber
 nonrunso.ber
 stopruns.zhz


The worm creates a few data files in the main installation folder:

datamx1.dat
 datamx2.dat
 datamx3.dat
 goto1.dat
 goto2.dat
 goto3.dat
 zippedso1.ber
 zippedso2.ber
 zippedso3.ber


The 'datamx' and 'goto' files are used to store e-mail addresses collected from an infected computer's hard drive. The other 3 files are used to store the ZIPped worm's copy (it will be used for spreading).

Also the worm drops the 'read.me' file to Windows folder. This file contains the following text:

Ist eine weitere Test-Version. Lauft nur ein paar Tage!
 In diesem Sinne:
 Odin alias Anon



Spreading in E-mails

The worm sends different types of e-mail messages with English and German texts and its file attached. The attachment is a ZIP archive containing the worm's executable. Here's a screenshot of an infected message sent by the worm:

Before spreading the worm scans files with certain extensions on all hard disks to harvest e-mail addresses. Files with the following extensions are scanned:

pmr
 phtm
 stm
 slk
 inbox
 imb
 csv
 bak
 imh
 xhtml
 imm
 imh
 cms
 nws
 vcf
 ctl
 dhtm
 cgi
 pp
 ppt
 msg
 jsp
 oft
 vbs
 uin
 ldb
 abc
 pst
 cfg
 mdw
 mbx
 mdx
 mda
 adp
 nab
 fdb
 vap
 dsp
 ade
 sln
 dsw
 mde
 frm
 bas
 adr
 cls
 ini
 ldif
 log
 mdb
 xml
 wsh
 tbb
 abx
 abd
 adb
 pl
 rtf
 mmf
 doc
 ods
 nch
 xls
 nsf
 txt
 wab
 eml
 hlp
 mht
 nfo
 php
 asp
 shtml
 dbx


The found e-mail addresses are saved into 6 files that the worm creates in its main installation folder:

datamx1.dat
 datamx2.dat
 datamx3.dat
 goto1.dat
 goto2.dat
 goto3.dat


When the worm is active in memory it blocks access to these files as well as to its MIME-encoded files and all 3 executable files.

The worm ignores e-mail addresses that contain any of the following substrings:

ntp-
 ntp@
 ntp.
 info@
 test@
 @www
 @from.
 support
 smtp-
 @smtp.
 gold-certs
 ftp.
 .dial.
 .ppp.
 anyone
 subscribe
 announce
 @gmetref
 sql.
 someone
 nothing
 you@
 user@
 reciver@
 somebody
 secure
 whatever@
 whoever@
 anywhere
 yourname
 mustermann@
 .kundenserver.
 mailer-daemon
 variabel
 noreply
 -dav
 law2
 .sul.t-
 .qmail@
 t-ipconnect
 t-dialin
 ipt.aol
 time
 freeav
 @ca.
 abuse
 winrar
 domain.
 host.
 viren
 bitdefender
 spybot
 detection
 ewido.
 emsisoft
 linux
 google
 @foo.
 winzip
 @example.
 bellcore.
 @arin
 mozilla
 iana@
 iana-
 @iana
 @avp
 icrosoft.
 @sophos
 @panda
 @kaspers
 free-av
 antivir
 virus
 verizon.
 @ikarus.
 @nai.
 @messagelab
 nlpmail01.
 clock


The worm composes e-mails with both English and German texts. If the worm sends infected messages to domains with suffixes '.de', '.ch', '.at' and also to 'gmx.' domain, it composes messages in German, otherwise English messages are composed.

The worm composes the following English messages:

Subjects:

Your new Password
 Mail_delivery_failed
 Paris Hilton, pure!
 Alert! New Sober Worm!
 You visit illegal websites


Senders:

service
 webmaster
 register
 hostmaster
 postmaster
 police
 Officer
 Admin
 Web
 FBI
 Michele@yahoo.com
 Melanie@yahoo.com
 security@microsoft.com


Body texts:

Thanks for your registration!
 We have received your payment.
 For more detailed information, read the attached text.


---- or ----

This is an automatically generated Delivery Status Notification.
 ESMTP Error []
 I'm afraid I wasn't able to deliver your message.
 This is a permanent error; I've given up. Sorry it didn't work out.
 The full mail-text and header is attached


---- or ----

More than 50 HOT Hilton Videos
 More than 3000 Hilton picks
 FREE Download until April, 2005
 Make your own Download Account, it's free!
 Further details are attached
 Thanks & have fun ;)


---- or ----

ATTENTION!
 Antivirus vendors are warning of a new variant of the Sober
 virus discovered today that can delete the hard disk.
 Protection:
 Download and read the zipped patch. It's very easy to install!
 Thanks for your cooperation!
 --- (c)2005 Microsoft Corporation. All rights reserved
 --- Microsoft Corporation
 --- One Microsoft Way
 --- Redmond, Washington 98052-6399


---- or ----

Dear Sir/Madam,
 we have logged your IP-address on more than 40 illegal Websites.
 Important: Please answer our questions!
 The list of questions are attached.
 Yours faithfully,
 M. John Stellford
 ++-++ Federal Bureau of Investigation -FBI-
 ++-++ 935 Pennsylvania Avenue, NW, Room 2130
 ++-++ Washington, DC 20535
 ++-++ (202) 324-3000


Attachments:

text.zip
 register_<random>.zip
 header_<random>.zip
 register.zip
 text_<random>.zip
 help-text.zip
 patch_<random>.zip
 indictment_cit.zip
 text-<random>.zip


where &lt;random&gt; is a randomly generated number. The attachment name can be a combination of the above given file names as well.

The worm can add a fake anti-virus scanning report to its infected messages:

Attachment: No Virus found


---- or ----

Mail-Scanner: No Virus detected


---- or ----

AntiVirus: Found to be clean


Followed by:

*-* <domain> Anti-Virus Service
 *-* http://www.<domain>


where &lt;domain&gt; is the domain name of a recipient.

The worm composes the following German messages:

Subjects:

Ihr Passwort wurde geaendert
 Ihr neues Passwort
 EMail-Empfang fehlgeschlagen
 Paris Hilton Nackt!
 Paris Hilton SexVideos
 Seitensprung gesucht?
 Vorsicht! Neuer Sober Wurm!


Senders:

Service
 Webmaster
 Register
 Hostmaster
 Postmaster
 Michele@yahoo.com
 Melanie@yahoo.com
 security@microsoft.com


Body texts:

## Diese E-Mail wurde automatisch generiert
 ## Aus Gruenden der Sicherheit, bekommen Sie diese E-Mail
 ## wenn Ihr aktuelles Benutzer- Passwort veraendert wurde
 ---------------
 Ihr neues Passwort und weiter Informationen befinden sich im beigefuegten Dokument.
 **** Ein Service von
 **** http://www.<domain>
 **** Mail: Help-Line


---- or ----

Vielen Dank, dass Sie sich bei registriert haben.
 Der Betrag von ,- Euro ist erfolgreich auf unserem Konto eingegangen.
 Passwort, Benutzername und weitere wichtige Informationen zu ihrem neuen Account
 befinden sich im angehefteten Dokument.
 Hochachtungsvoll
 Silvia Hochberger


---- or ----

- System Mail -
 Diese an ihnen gerichtete E-Mail, wurde in einem falschen Format gesendet.
 Der Betreff, Header und Text dieser Mail, wurde deshalb separat in einer Text-Datei gespeichert und gezippt.
 Vielen Dank fuer Ihr Verstaendnis
 [System auto- mail]


---- or ----

Guten Tag,
 mehr als 50 Videos,
 Mehr als 1000 heisse Fotos
 und mehr als 300 original Sounds von der kleinen Hilton ........ .
 Alles frei zum Download, aber nur bis zum 01 April 2005 !!!
 Weitere Details entnehmen Sie bitte dem vorliegendem Dokument.
 Vielen Dank!


---- or ----

Hallo,
 wir hoffen das Ihnen die Betreffszeile unsere Mail genug sagt.
 Der Jugendschutz verbietet uns leider mehr Auskunft ueber unser Angebot zu geben.
 Informationen,,,, wie Sie sich bei uns anmelden koennen befinden sich im beigefuegten Dokument.
 Natuerlich ist die Anmeldung
 Kostenlos!
 Mehr als 2.5 Millionen registrierte Benutzer!!!
 Da ist fuer jeden was dabei!
 Auf Wiedersehen


---- or ----

Wichtige Information!
 Eine neue Sober-Variante verbreitet sich derzeit im Internet.
 Wie seine Vorgaenger verschickt sich der Wurm von infizierten Windows-Rechnern per E-Mail an weitere Adressen.
 Es wird deshalb empfohlen, das Patch-Tool auszufuehren um sich vor diesem Wurm zu schuetzen bzw. diesen wieder
 zu entfernen.
 --- (c)2005 Microsoft Corporation. Alle Rechte vorbehalten
 --- Vertretungsberechtigter: Juergen Gallmann
 --- E-Mail Adresse: security@microsoft.com


Attachments:

PSW-Text.zip
 zipped-text.zip
 zipped-mail.zip
 Register-Info.zip
 Formular.zip
 Tool.zip
 Patch-<random>.zip


where &lt;random&gt; is a randomly generated number.

The worm can add a fake anti-virus scanning report to its infected messages:

Anhang Scanner: Kein Virus enthalten


---- or ----

Mail Scanner: Kein Virus gefunden


---- or ----

AntiVirus System: No Virus found


Followed by:

*-* <domain> Anti-Virus Service
 *-* http://www.<domain>


where &lt;domain&gt; is the domain name of a recipient.

The worm does not use any exploits to start its file automatically on a recipient's system.


Deactivation

The worm does not infect a computer if the file with the 'xcvfpokd.tqa' name is present on a hard drive.



Detection

Sober.K worm is detected with the following FSAV updates:

Detection Type: PC
Database: 2005-02-21_01



Description Created: Alexey Podrezov; February 21st, 2005
Description Last Modified: Alexey Podrezov; February 23rd, 2005



Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.