Threat Description

Sober.K

Details

Aliases:Sober.K, W32/Sober.K@mm, Email-Worm.Win32.Sober.k
Category: Malware
Type:
Platform: W32

Summary



Sober.K worm was seeded in e-mails on 21st of February 2005. It is quite similar to the previous variants. Sober.K sends itself as an attachment in e-mail messages with English or German texts.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



The worm is written in Visual Basic. The worm's file is a UPX packed PE executable about 52 kilobytes long. The unpacked worm's file size is over 179 kilobytes. The worm adds random garbage to the end of its file every time it installs itself on a computer.

Installation to system

When the worm's file is started it opens Write text editor with the following text as a decoy:

When the worm's file is run, it copies itself with 3 different names to %WinDir%\msagent\win32\ folder:

csrss.exe
 smss.exe
 winlogon.exe

These files are identical to the worm's copy except for byte at offset 0xA0. This byte is different in every dropped copy. The worm always keeps 2 of its processes in memory.

Sober.K worm adds startup keys for one of these files in System Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "_winsystem.sys" = "%WinDir%\msagent\win32\smss.exe"
 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "winsystem.sys" = "%WinDir%\msagent\win32\smss.exe"

If these keys are deleted, the worm re-creates them after a few seconds.

Also the worm drops a few empty files to Windows System and to the main installation folder. These files are used to deactivate previous variants of the worm:

runnowso.ber
 nonrunso.ber
 stopruns.zhz

The worm creates a few data files in the main installation folder:

datamx1.dat
 datamx2.dat
 datamx3.dat
 goto1.dat
 goto2.dat
 goto3.dat
 zippedso1.ber
 zippedso2.ber
 zippedso3.ber

The 'datamx' and 'goto' files are used to store e-mail addresses collected from an infected computer's hard drive. The other 3 files are used to store the ZIPped worm's copy (it will be used for spreading).

Also the worm drops the 'read.me' file to Windows folder. This file contains the following text:

Ist eine weitere Test-Version. Lauft nur ein paar Tage!
 In diesem Sinne:
 Odin alias Anon

Spreading in E-mails

The worm sends different types of e-mail messages with English and German texts and its file attached. The attachment is a ZIP archive containing the worm's executable. Here's a screenshot of an infected message sent by the worm:

Before spreading the worm scans files with certain extensions on all hard disks to harvest e-mail addresses. Files with the following extensions are scanned:

pmr
 phtm
 stm
 slk
 inbox
 imb
 csv
 bak
 imh
 xhtml
 imm
 imh
 cms
 nws
 vcf
 ctl
 dhtm
 cgi
 pp
 ppt
 msg
 jsp
 oft
 vbs
 uin
 ldb
 abc
 pst
 cfg
 mdw
 mbx
 mdx
 mda
 adp
 nab
 fdb
 vap
 dsp
 ade
 sln
 dsw
 mde
 frm
 bas
 adr
 cls
 ini
 ldif
 log
 mdb
 xml
 wsh
 tbb
 abx
 abd
 adb
 pl
 rtf
 mmf
 doc
 ods
 nch
 xls
 nsf
 txt
 wab
 eml
 hlp
 mht
 nfo
 php
 asp
 shtml
 dbx

The found e-mail addresses are saved into 6 files that the worm creates in its main installation folder:

datamx1.dat
 datamx2.dat
 datamx3.dat
 goto1.dat
 goto2.dat
 goto3.dat

When the worm is active in memory it blocks access to these files as well as to its MIME-encoded files and all 3 executable files.

The worm ignores e-mail addresses that contain any of the following substrings:

ntp-
 ntp@
 ntp.
 info@
 test@
 @www
 @from.
 support
 smtp-
 @smtp.
 gold-certs
 ftp.
 .dial.
 .ppp.
 anyone
 subscribe
 announce
 @gmetref
 sql.
 someone
 nothing
 you@
 user@
 reciver@
 somebody
 secure
 whatever@
 whoever@
 anywhere
 yourname
 mustermann@
 .kundenserver.
 mailer-daemon
 variabel
 noreply
 -dav
 law2
 .sul.t-
 .qmail@
 t-ipconnect
 t-dialin
 ipt.aol
 time
 freeav
 @ca.
 abuse
 winrar
 domain.
 host.
 viren
 bitdefender
 spybot
 detection
 ewido.
 emsisoft
 linux
 google
 @foo.
 winzip
 @example.
 bellcore.
 @arin
 mozilla
 iana@
 iana-
 @iana
 @avp
 icrosoft.
 @sophos
 @panda
 @kaspers
 free-av
 antivir
 virus
 verizon.
 @ikarus.
 @nai.
 @messagelab
 nlpmail01.
 clock

The worm composes e-mails with both English and German texts. If the worm sends infected messages to domains with suffixes '.de', '.ch', '.at' and also to 'gmx.' domain, it composes messages in German, otherwise English messages are composed.

The worm composes the following English messages:

Subjects:

Your new Password
 Mail_delivery_failed
 Paris Hilton, pure!
 Alert! New Sober Worm!
 You visit illegal websites

Senders:

service
 webmaster
 register
 hostmaster
 postmaster
 police
 Officer
 Admin
 Web
 FBI
 Michele@yahoo.com
 Melanie@yahoo.com
 security@microsoft.com

Body texts:

Thanks for your registration!
 We have received your payment.
 For more detailed information, read the attached text.

---- or ----

This is an automatically generated Delivery Status Notification.
 ESMTP Error []
 I'm afraid I wasn't able to deliver your message.
 This is a permanent error; I've given up. Sorry it didn't work out.
 The full mail-text and header is attached

---- or ----

More than 50 HOT Hilton Videos
 More than 3000 Hilton picks
 FREE Download until April, 2005
 Make your own Download Account, it's free!
 Further details are attached
 Thanks & have fun ;)

---- or ----

ATTENTION!
 Antivirus vendors are warning of a new variant of the Sober
 virus discovered today that can delete the hard disk.
 Protection:
 Download and read the zipped patch. It's very easy to install!
 Thanks for your cooperation!
 --- (c)2005 Microsoft Corporation. All rights reserved
 --- Microsoft Corporation
 --- One Microsoft Way
 --- Redmond, Washington 98052-6399

---- or ----

Dear Sir/Madam,
 we have logged your IP-address on more than 40 illegal Websites.
 Important: Please answer our questions!
 The list of questions are attached.
 Yours faithfully,
 M. John Stellford
 ++-++ Federal Bureau of Investigation -FBI-
 ++-++ 935 Pennsylvania Avenue, NW, Room 2130
 ++-++ Washington, DC 20535
 ++-++ (202) 324-3000

Attachments:

text.zip
 register_<random>.zip
 header_<random>.zip
 register.zip
 text_<random>.zip
 help-text.zip
 patch_<random>.zip
 indictment_cit.zip
 text-<random>.zip

where &lt;random&gt; is a randomly generated number. The attachment name can be a combination of the above given file names as well.

The worm can add a fake anti-virus scanning report to its infected messages:

Attachment: No Virus found

---- or ----

Mail-Scanner: No Virus detected

---- or ----

AntiVirus: Found to be clean

Followed by:

*-* <domain> Anti-Virus Service
 *-* http://www.<domain>

where &lt;domain&gt; is the domain name of a recipient.

The worm composes the following German messages:

Subjects:

Ihr Passwort wurde geaendert
 Ihr neues Passwort
 EMail-Empfang fehlgeschlagen
 Paris Hilton Nackt!
 Paris Hilton SexVideos
 Seitensprung gesucht?
 Vorsicht! Neuer Sober Wurm!

Senders:

Service
 Webmaster
 Register
 Hostmaster
 Postmaster
 Michele@yahoo.com
 Melanie@yahoo.com
 security@microsoft.com

Body texts:

## Diese E-Mail wurde automatisch generiert
 ## Aus Gruenden der Sicherheit, bekommen Sie diese E-Mail
 ## wenn Ihr aktuelles Benutzer- Passwort veraendert wurde
 ---------------
 Ihr neues Passwort und weiter Informationen befinden sich im beigefuegten Dokument.
 **** Ein Service von
 **** http://www.<domain>
 **** Mail: Help-Line

---- or ----

Vielen Dank, dass Sie sich bei registriert haben.
 Der Betrag von ,- Euro ist erfolgreich auf unserem Konto eingegangen.
 Passwort, Benutzername und weitere wichtige Informationen zu ihrem neuen Account
 befinden sich im angehefteten Dokument.
 Hochachtungsvoll
 Silvia Hochberger

---- or ----

- System Mail -
 Diese an ihnen gerichtete E-Mail, wurde in einem falschen Format gesendet.
 Der Betreff, Header und Text dieser Mail, wurde deshalb separat in einer Text-Datei gespeichert und gezippt.
 Vielen Dank fuer Ihr Verstaendnis
 [System auto- mail]

---- or ----

Guten Tag,
 mehr als 50 Videos,
 Mehr als 1000 heisse Fotos
 und mehr als 300 original Sounds von der kleinen Hilton ........ .
 Alles frei zum Download, aber nur bis zum 01 April 2005 !!!
 Weitere Details entnehmen Sie bitte dem vorliegendem Dokument.
 Vielen Dank!

---- or ----

Hallo,
 wir hoffen das Ihnen die Betreffszeile unsere Mail genug sagt.
 Der Jugendschutz verbietet uns leider mehr Auskunft ueber unser Angebot zu geben.
 Informationen,,,, wie Sie sich bei uns anmelden koennen befinden sich im beigefuegten Dokument.
 Natuerlich ist die Anmeldung
 Kostenlos!
 Mehr als 2.5 Millionen registrierte Benutzer!!!
 Da ist fuer jeden was dabei!
 Auf Wiedersehen

---- or ----

Wichtige Information!
 Eine neue Sober-Variante verbreitet sich derzeit im Internet.
 Wie seine Vorgaenger verschickt sich der Wurm von infizierten Windows-Rechnern per E-Mail an weitere Adressen.
 Es wird deshalb empfohlen, das Patch-Tool auszufuehren um sich vor diesem Wurm zu schuetzen bzw. diesen wieder
 zu entfernen.
 --- (c)2005 Microsoft Corporation. Alle Rechte vorbehalten
 --- Vertretungsberechtigter: Juergen Gallmann
 --- E-Mail Adresse: security@microsoft.com

Attachments:

PSW-Text.zip
 zipped-text.zip
 zipped-mail.zip
 Register-Info.zip
 Formular.zip
 Tool.zip
 Patch-<random>.zip

where &lt;random&gt; is a randomly generated number.

The worm can add a fake anti-virus scanning report to its infected messages:

Anhang Scanner: Kein Virus enthalten

---- or ----

Mail Scanner: Kein Virus gefunden

---- or ----

AntiVirus System: No Virus found

Followed by:

*-* <domain> Anti-Virus Service
 *-* http://www.<domain>

where &lt;domain&gt; is the domain name of a recipient.

The worm does not use any exploits to start its file automatically on a recipient's system.

Deactivation

The worm does not infect a computer if the file with the 'xcvfpokd.tqa' name is present on a hard drive.



Detection


Sober.K worm is detected with the following FSAV updates:
Detection Type: PC
Database: 2005-02-21_01



Description Created: Alexey Podrezov; February 21st, 2005
Description Last Modified: Alexey Podrezov; February 23rd, 2005


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More