F-Secure Virus Descriptions : Sober.K
[Summary] | [Detailed Description] | [Detection]
|
|
|
| NAME: | Sober.K |
| ALIAS: | W32/Sober.K@mm, Email-Worm.Win32.Sober.k |
Sober.K worm was seeded in e-mails on 21st of February 2005. It
is quite similar to the previous variants. Sober.K sends itself
as an attachment in e-mail messages with English or German texts.
The worm is written in Visual Basic. The worm's file is a UPX
packed PE executable about 52 kilobytes long. The unpacked worm's
file size is over 179 kilobytes. The worm adds random garbage to
the end of its file every time it installs itself on a computer.
Installation to System
When the worm's file is started it opens Write text editor with
the following text as a decoy:
When the worm's file is run, it copies itself with 3 different
names to %WinDir%\msagent\win32\ folder:
csrss.exe
smss.exe
winlogon.exe
These files are identical to the worm's copy except for byte at
offset 0xA0. This byte is different in every dropped copy. The
worm always keeps 2 of its processes in memory.
Sober.K worm adds startup keys for one of these files in System
Registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"_winsystem.sys" = "%WinDir%\msagent\win32\smss.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winsystem.sys" = "%WinDir%\msagent\win32\smss.exe"
If these keys are deleted, the worm re-creates them after a few
seconds.
Also the worm drops a few empty files to Windows System and to
the main installation folder. These files are used to deactivate
previous variants of the worm:
runnowso.ber
nonrunso.ber
stopruns.zhz
The worm creates a few data files in the main installation
folder:
datamx1.dat
datamx2.dat
datamx3.dat
goto1.dat
goto2.dat
goto3.dat
zippedso1.ber
zippedso2.ber
zippedso3.ber
The 'datamx' and 'goto' files are used to store e-mail addresses
collected from an infected computer's hard drive. The other 3
files are used to store the ZIPped worm's copy (it will be used
for spreading).
Also the worm drops the 'read.me' file to Windows folder. This
file contains the following text:
Ist eine weitere Test-Version. Lauft nur ein paar Tage!
In diesem Sinne:
Odin alias Anon
Spreading in E-mails
The worm sends different types of e-mail messages with English
and German texts and its file attached. The attachment is a ZIP
archive containing the worm's executable. Here's a screenshot
of an infected message sent by the worm:
Before spreading the worm scans files with certain extensions on
all hard disks to harvest e-mail addresses. Files with the
following extensions are scanned:
pmr
phtm
stm
slk
inbox
imb
csv
bak
imh
xhtml
imm
imh
cms
nws
vcf
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx
The found e-mail addresses are saved into 6 files that the worm
creates in its main installation folder:
datamx1.dat
datamx2.dat
datamx3.dat
goto1.dat
goto2.dat
goto3.dat
When the worm is active in memory it blocks access to these files
as well as to its MIME-encoded files and all 3 executable files.
The worm ignores e-mail addresses that contain any of the
following substrings:
ntp-
ntp@
ntp.
info@
test@
@www
@from.
support
smtp-
@smtp.
gold-certs
ftp.
.dial.
.ppp.
anyone
subscribe
announce
@gmetref
sql.
someone
nothing
you@
user@
reciver@
somebody
secure
whatever@
whoever@
anywhere
yourname
mustermann@
.kundenserver.
mailer-daemon
variabel
noreply
-dav
law2
.sul.t-
.qmail@
t-ipconnect
t-dialin
ipt.aol
time
freeav
@ca.
abuse
winrar
domain.
host.
viren
bitdefender
spybot
detection
ewido.
emsisoft
linux
google
@foo.
winzip
@example.
bellcore.
@arin
mozilla
iana@
iana-
@iana
@avp
icrosoft.
@sophos
@panda
@kaspers
free-av
antivir
virus
verizon.
@ikarus.
@nai.
@messagelab
nlpmail01.
clock
The worm composes e-mails with both English and German texts. If
the worm sends infected messages to domains with suffixes '.de',
'.ch', '.at' and also to 'gmx.' domain, it composes messages in
German, otherwise English messages are composed.
The worm composes the following English messages:
Subjects:
Your new Password
Mail_delivery_failed
Paris Hilton, pure!
Alert! New Sober Worm!
You visit illegal websites
Senders:
service
webmaster
register
hostmaster
postmaster
police
Officer
Admin
Web
FBI
Michele@yahoo.com
Melanie@yahoo.com
security@microsoft.com
Body texts:
Thanks for your registration!
We have received your payment.
For more detailed information, read the attached text.
---- or ----
This is an automatically generated Delivery Status Notification.
ESMTP Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.
The full mail-text and header is attached
---- or ----
More than 50 HOT Hilton Videos
More than 3000 Hilton picks
FREE Download until April, 2005
Make your own Download Account, it's free!
Further details are attached
Thanks & have fun ;)
---- or ----
ATTENTION!
Antivirus vendors are warning of a new variant of the Sober
virus discovered today that can delete the hard disk.
Protection:
Download and read the zipped patch. It's very easy to install!
Thanks for your cooperation!
--- (c)2005 Microsoft Corporation. All rights reserved
--- Microsoft Corporation
--- One Microsoft Way
--- Redmond, Washington 98052-6399
---- or ----
Dear Sir/Madam,
we have logged your IP-address on more than 40 illegal Websites.
Important: Please answer our questions!
The list of questions are attached.
Yours faithfully,
M. John Stellford
++-++ Federal Bureau of Investigation -FBI-
++-++ 935 Pennsylvania Avenue, NW, Room 2130
++-++ Washington, DC 20535
++-++ (202) 324-3000
Attachments:
text.zip
register_<random>.zip
header_<random>.zip
register.zip
text_<random>.zip
help-text.zip
patch_<random>.zip
indictment_cit.zip
text-<random>.zip
where <random> is a randomly generated number. The attachment
name can be a combination of the above given file names as well.
The worm can add a fake anti-virus scanning report to its
infected messages:
Attachment: No Virus found
---- or ----
Mail-Scanner: No Virus detected
---- or ----
AntiVirus: Found to be clean
Followed by:
*-* <domain> Anti-Virus Service
*-* http://www.<domain>
where <domain> is the domain name of a recipient.
The worm composes the following German messages:
Subjects:
Ihr Passwort wurde geaendert
Ihr neues Passwort
EMail-Empfang fehlgeschlagen
Paris Hilton Nackt!
Paris Hilton SexVideos
Seitensprung gesucht?
Vorsicht! Neuer Sober Wurm!
Senders:
Service
Webmaster
Register
Hostmaster
Postmaster
Michele@yahoo.com
Melanie@yahoo.com
security@microsoft.com
Body texts:
## Diese E-Mail wurde automatisch generiert
## Aus Gruenden der Sicherheit, bekommen Sie diese E-Mail
## wenn Ihr aktuelles Benutzer- Passwort veraendert wurde
---------------
Ihr neues Passwort und weiter Informationen befinden sich im beigefuegten Dokument.
**** Ein Service von
**** http://www.<domain>
**** Mail: Help-Line
---- or ----
Vielen Dank, dass Sie sich bei registriert haben.
Der Betrag von ,- Euro ist erfolgreich auf unserem Konto eingegangen.
Passwort, Benutzername und weitere wichtige Informationen zu ihrem neuen Account
befinden sich im angehefteten Dokument.
Hochachtungsvoll
Silvia Hochberger
---- or ----
- System Mail -
Diese an ihnen gerichtete E-Mail, wurde in einem falschen Format gesendet.
Der Betreff, Header und Text dieser Mail, wurde deshalb separat in einer Text-Datei gespeichert und gezippt.
Vielen Dank fuer Ihr Verstaendnis
[System auto- mail]
---- or ----
Guten Tag,
mehr als 50 Videos,
Mehr als 1000 heisse Fotos
und mehr als 300 original Sounds von der kleinen Hilton ........ .
Alles frei zum Download, aber nur bis zum 01 April 2005 !!!
Weitere Details entnehmen Sie bitte dem vorliegendem Dokument.
Vielen Dank!
---- or ----
Hallo,
wir hoffen das Ihnen die Betreffszeile unsere Mail genug sagt.
Der Jugendschutz verbietet uns leider mehr Auskunft ueber unser Angebot zu geben.
Informationen,,,, wie Sie sich bei uns anmelden koennen befinden sich im beigefuegten Dokument.
Natuerlich ist die Anmeldung
Kostenlos!
Mehr als 2.5 Millionen registrierte Benutzer!!!
Da ist fuer jeden was dabei!
Auf Wiedersehen
---- or ----
Wichtige Information!
Eine neue Sober-Variante verbreitet sich derzeit im Internet.
Wie seine Vorgaenger verschickt sich der Wurm von infizierten Windows-Rechnern per E-Mail an weitere Adressen.
Es wird deshalb empfohlen, das Patch-Tool auszufuehren um sich vor diesem Wurm zu schuetzen bzw. diesen wieder
zu entfernen.
--- (c)2005 Microsoft Corporation. Alle Rechte vorbehalten
--- Vertretungsberechtigter: Juergen Gallmann
--- E-Mail Adresse: security@microsoft.com
Attachments:
PSW-Text.zip
zipped-text.zip
zipped-mail.zip
Register-Info.zip
Formular.zip
Tool.zip
Patch-<random>.zip
where <random> is a randomly generated number.
The worm can add a fake anti-virus scanning report to its
infected messages:
Anhang Scanner: Kein Virus enthalten
---- or ----
Mail Scanner: Kein Virus gefunden
---- or ----
AntiVirus System: No Virus found
Followed by:
*-* <domain> Anti-Virus Service
*-* http://www.<domain>
where <domain> is the domain name of a recipient.
The worm does not use any exploits to start its file
automatically on a recipient's system.
Deactivation
The worm does not infect a computer if the file with the
'xcvfpokd.tqa' name is present on a hard drive.
Sober.K worm is detected with the following FSAV updates:
Version=2005-02-21_01
Technical Details:
Alexey Podrezov; February 21st, 2005;
Description Updated:
Alexey Podrezov; February 23rd, 2005;
F-Secure Corporation
|
