Threat Description

Sober.N

Details

Aliases: Sober.N, Email-Worm.Win32.VB.aj, W32.Sober.N@mm, W32/Sober.o@MM
Category: Malware
Type: Worm
Platform: W32

Summary



The Sober.N email worm was found on 19 April 2005. It sends itself as an attachment to e-mail messages with English or German text.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



The worm is written in Visual Basic. The worm's file is a modified UPX-packed PE executable about 73 kilobytes long.

The worm sends different types of e-mail messages with English and German texts and an attachment. The attachment is a ZIP archive containing the worm's executable.

The worm composes messages with subject lines such as "I've_got your EMail on my_account!" and "FwD: Ich bin's nochmal" with attachments such as your_text.zip.

Installation to system

When the worm's file is started, it opens a text editor with the following text as a decoy:

When the worm's file is run, it copies itself as "services.exe" into the %WinDir%\Config\system\ folder, which the worm creates.

The Sober.N worm adds startup keys for "services.exe" to the System Registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemCheck" = "%WinDir%\Config\system\services.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"_SystemCheck" = "%WinDir%\Config\system\services.exe"


The worm also creates the following files in the installation folder:

zipped.wrm
maddys.xyz


'zipped.wrm' contains a base64-encoded copy of the worm, used in spreading. 'maddys.xyz' is used to store harvested e-mail addresses.

The worm also writes the following files to the system folder:

nonrunso.ber
langeinf.lin
adcmmmmq.hjg
xcvfpokd.tqa


These files are used to deactivate previous variants of the worm.
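The persistence indicators listed above (the two Run values, the worm-created folder and the dropped and marker files) can be checked mechanically. The script below is an added example written for this page, not F-Secure's code or tool; it takes Run-key entries and a file listing as plain Python data (collected separately, for example with winreg or a directory walk) so that it runs offline, and the sample data at the end is constructed.

```python
import ntpath
import re
INSTALL_DIR = r"%WinDir%\Config\system"  # folder the worm creates (indicators from the description)
WORM_EXE = INSTALL_DIR + r"\services.exe"
RUN_VALUES = {("HKLM", "SystemCheck"): WORM_EXE, ("HKCU", "_SystemCheck"): WORM_EXE}
INSTALL_DIR_FILES = {"services.exe", "zipped.wrm", "maddys.xyz"}
SYSTEM_DIR_FILES = {"nonrunso.ber", "langeinf.lin", "adcmmmmq.hjg", "xcvfpokd.tqa"}

def _norm(path, windir):
    """Expand %WinDir% and lower-case, so comparisons ignore case and the variable form."""
    return re.sub(r"%windir%", lambda _: windir, path, flags=re.IGNORECASE).lower().rstrip("\\")

def check_run_entries(entries, windir=r"C:\Windows"):
    """entries: iterable of (hive, value_name, data) read from the two CurrentVersion Run keys."""
    findings = []
    worm_exe = _norm(WORM_EXE, windir)
    install_dir = _norm(INSTALL_DIR, windir) + "\\"
    for hive, name, data in entries:
        data_n = _norm(data, windir)
        if RUN_VALUES.get((hive.upper(), name)) and data_n == worm_exe:
            findings.append(f"{hive} Run\\{name}: documented Sober.N autostart -> {data}")
        elif data_n.startswith(install_dir):
            # Undocumented value name, but launched from the worm-created folder: worth a look.
            findings.append(f"{hive} Run\\{name}: autostart from worm install folder -> {data}")
    return findings

def check_files(paths, windir=r"C:\Windows"):
    """paths: iterable of full paths (e.g. a directory listing). Flags the dropped files."""
    findings = []
    install_dir = _norm(INSTALL_DIR, windir)
    for p in paths:
        folder, name = ntpath.split(_norm(p, windir))
        if name in INSTALL_DIR_FILES and folder == install_dir:
            findings.append(f"{p}: Sober.N installation file")
        elif name in SYSTEM_DIR_FILES:
            findings.append(f"{p}: Sober.N marker file (deactivates older variants)")
    return findings
# Constructed sample data standing in for exported Run-key values and a file listing.
SAMPLE_RUN_ENTRIES = [
    ("HKLM", "SystemCheck", r"%WinDir%\Config\system\services.exe"),
    ("HKCU", "_SystemCheck", r"C:\WINDOWS\Config\system\services.exe"),
    ("HKLM", "ExampleUpdater", r"C:\Program Files\Example\updater.exe"),  # benign, constructed
]
SAMPLE_FILES = [
    r"C:\Windows\Config\system\zipped.wrm",
    r"C:\Windows\System32\langeinf.lin",
    r"C:\Windows\System32\services.exe",  # legitimate Windows binary: must not be flagged
]

if __name__ == "__main__":
    for line in check_run_entries(SAMPLE_RUN_ENTRIES) + check_files(SAMPLE_FILES):
        print(line)
```

The legitimate System32\services.exe shares its name with the worm's copy, so the file check keys on the worm-created folder rather than the name alone.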

Spreading in E-mails

The worm sends different types of e-mail messages with English and German texts and its file attached. The attachment is a ZIP archive containing the worm's executable.

Before spreading, the worm scans files with certain extensions on all hard disks to harvest e-mail addresses. Files with the following extensions are scanned:

pmr
phtm
stm
slk
inbox
imb
csv
bak
imh
xhtml
imm
imh
cms
nws
vcf
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx


The worm ignores e-mail addresses that contain any of the following substrings:

@www
@from.
smtp-
@smtp.
ftp.
.dial.
.ppp.
anyone
@gmetref
sql.
someone
nothing
you@
user@
reciver@
somebody
secure
whatever@
whoever@
anywhere
yourname
mustermann@
mailer-daemon
variabel
noreply
-dav
law2
.qmail@
freeav
@ca.
abuse
winrar
domain.
host.
viren
bitdefender
spybot
detection
ewido.
emsisoft
linux
@foo.
winzip
@example.
bellcore.
@arin
@iana
@avp
icrosoft.
@sophos
@panda
@kaspers
free-av
antivir
virus
verizon.
@ikarus.
@nai.
@messagelab
nlpmail01.
clock


The worm composes e-mails with both English and German texts. When the recipient's domain ends in '.de', '.ch', '.at' or '.li', or contains 'gmx.', the worm composes the message in German; otherwise it composes the message in English.

The worm composes the following messages:

Subjects:

I've_got your EMail on my_account!
FwD: Ich bin's nochmal


Body texts:

Hello,
First, Very Sorry for my bad English.
Someone is sending your private e-mails on my address.
It's probably an e-mail provider error!
At time, I've got over 10 mails on my account, but the recipient are you.
I have copied all the mail text in the windows text-editor for you & zipped then.
Make sure, that this mails don't come in my mail-box again.
bye

Verdammt,,,,
ich hatte vergessen Dir meinen Text mitzuschicken.
Aber bitte nicht woanders darueber Reden, ich wuerde mich dann zu Tode blamieren!
Ich melde mich.
Bis bald ;)


Attachments:

your_text.zip
Private-Texte.zip


The worm executable inside the attachment is named 'mail.document.Datex-packed.exe'.



Detection


The Sober.N worm is detected by the following F-Secure Anti-Virus (FSAV) update:
Detection Type: PC
Database: 2005-04-19_01



Description Created: Mikko Hypponen; April 19th, 2005
Technical Details: Jarkko Turkulainen; April 19th, 2005
Description Last Modified: Jarkko Turkulainen; April 20th, 2005

