Email-Worm:W32/Sober.P

Classification

Category :

Malware

Type :

Email-Worm

Aliases :

Email-Worm:W32/Sober.P, Email-Worm:W32/Sober.P, Email-Worm.Win32.Sober.p

Summary

A worm that spreads via email, usually in infected executable email file attachments.

Removal

Disinfection Utility

F-Secure provides a simple disinfection utility to eliminate Sober.P worm infection. You can download this utility from our ftp site:

  • ftp://ftp.europe.f-secure.com/anti-virus/tools/sober_p_disinfect.zip
  • ftp://ftp.europe.f-secure.com/anti-virus/tools/sober_p_disinfect.bat (unpacked version)

Disinfection instructions can be found here:

  • ftp://ftp.europe.f-secure.com/anti-virus/tools/sober_p_disinfect.txt

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Email-Worm:W32/Sober.P was found on May 2nd, 2005. It sends itself as an attachment in email messages with English or German texts. The worm is written in Visual Basic, UPX-packed PE executable about 52 kilobytes long.

The worm sends different types of email messages with English and German texts and an attachment. The attachment is a ZIP archive containing the worm's executable.

Update on May 13th, 2005 -

Since Sober.P worm stopped its spreading, we are downgrading its Radar level.

Installation

Once run, it will display a decoy error message:

It will then drop three new files "services.exe", "csrss.exe" and "smss.exe" into the %WinDir%\Connection Wizard\Status\ folder, created by the worm. All dropped files are closely related to the original worm's binary.

Sober.P worm adds startup keys for "services.exe" in System Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run " WinStart" %WinDir%\Connection Wizard\Status\services.exe

Upon reboot, this file will start the other two executable files.

The worm also creates several files in its installation directory:

  • packed1.sbr
  • packed2.sbr
  • packed3.sbr

These files contain BASE64-encoded representation of the Worm's body. These files are used later when sending email messages.

Payload
  • free.pages.at
  • home.arcor.de
  • people.freenet.de
  • scifi.pages.at
  • home.pages.at

The following list of NTP servers are checked:

  • Rolex.PeachNet.edu
  • cuckoo.nevada.edu
  • ntp-1.ece.cmu.edu
  • ntp-sop.inria.fr
  • ntp.lth.se
  • ntp.massayonet.com.br
  • ntp.metas.ch
  • ntp.pads.ufrj.br
  • ntp1.arnes.si
  • ntp3.fau.de
  • rolex.usg.edu
  • sundial.columbia.edu
  • time-a.timefreq.bldrdoc.gov
  • time-ext.missouri.edu
  • time-server.ndo.com
  • time.kfki.hu
  • time.nist.gov
  • time.xmission.com
  • timelord.uregina.ca
  • utcnist.colorado.edu

Sober.P checks for its network connection using 'RasEnumConnections' win32 API call. If not successful, it tries to connect to several domains using TCP port 80.

The worm also queries the following list of DNS servers:

  • 165.230.99.71
  • 8.10.3.56
  • 128.135.5.5
  • 202.89.131.4
  • 219.127.89.34
  • 129.115.102.150
  • 38.9.211.2
  • 134.94.80.2
  • 130.149.2.12
  • 150.203.22.28
  • 131.215.254.100
  • 128.194.254.2
  • 4.2.2.3
  • 195.185.185.195
  • 209.68.2.46
  • 129.186.1.200
  • 198.6.1.2
  • 131.243.64.3
  • 24.93.40.33
  • 195.182.96.29
  • 192.90.162.8
  • 158.43.128.1
  • 128.35.253.3
  • 61.95.134.168
  • 200.74.214.246
  • 204.117.214.10
  • 194.25.2.129
  • 203.162.0.11
  • 210.66.241.1
  • 217.237.150.225
  • 217.237.151.161
  • 128.9.128.127
  • 151.201.0.39
  • 209.253.113.2
  • 213.239.234.108
  • 62.156.146.242
  • 207.69.188.186
  • 207.217.120.43
  • 129.187.10.25
  • 200.52.83.103
  • 129.187.16.1
  • 141.40.10.35
  • 213.218.170.6
  • 212.242.88.2
  • 193.158.124.143

One of the following domains are queried from the DNS servers:

  • microsoft.com
  • bigfoot.com
  • yahoo.com
  • t-online.de
  • google.com
  • hotmail.com

Propagation (email)

The worm sends different types of email messages with English or German texts and its file attached. The attachment is a ZIP archive containing the worm's executable.

Before spreading the worm scans files with certain extensions on all hard disks to harvest email addresses. Files with the following extensions are scanned:

  • pmr
  • phtm
  • stm
  • slk
  • inbox
  • imb
  • csv
  • bak
  • imh
  • xhtml
  • imm
  • imh
  • cms
  • nws
  • vcf
  • ctl
  • dhtm
  • cgi
  • pp
  • ppt
  • msg
  • jsp
  • oft
  • vbs
  • uin
  • ldb
  • abc
  • pst
  • cfg
  • mdw
  • mbx
  • mdx
  • mda
  • adp
  • nab
  • fdb
  • vap
  • dsp
  • ade
  • sln
  • dsw
  • mde
  • frm
  • bas
  • adr
  • cls
  • ini
  • ldif
  • log
  • mdb
  • xml
  • wsh
  • tbb
  • abx
  • abd
  • adb
  • pl
  • rtf
  • mmf
  • doc
  • ods
  • nch
  • xls
  • nsf
  • txt
  • wab
  • eml
  • hlp
  • mht
  • nfo
  • php
  • asp
  • shtml
  • dbx

While harvesting for email addresses, if one of the following substrings is present:

  • ntp-
  • ntp@
  • ntp.
  • info@
  • test@
  • @www
  • @from.
  • support
  • smtp-
  • @smtp.
  • gold-certs
  • ftp.
  • .dial.
  • .ppp.
  • anyone
  • subscribe
  • announce
  • @gmetref
  • sql.
  • someone
  • nothing
  • you@
  • user@
  • reciver@
  • somebody
  • secure
  • whatever@
  • whoever@
  • anywhere
  • yourname
  • mustermann@
  • .kundenserver.
  • mailer-daemon
  • variabel
  • noreply
  • -dav
  • law2
  • .sul.t-
  • .qmail@
  • t-ipconnect
  • t-dialin
  • ipt.aol
  • time
  • freeav
  • @ca.
  • abuse
  • winrar
  • domain.
  • host.
  • viren
  • bitdefender
  • spybot
  • detection
  • ewido.
  • emsisoft
  • linux
  • google
  • @foo.
  • winzip
  • @example.
  • bellcore.
  • @arin
  • mozilla
  • iana@
  • iana-
  • @iana
  • @avp
  • icrosoft.
  • @sophos
  • @panda
  • @kaspers
  • free-av
  • antivir
  • virus
  • verizon.
  • @ikarus.
  • @nai.
  • @messagelab
  • nlpmail01.
  • clock

then the email address collected is discarded.

Based on the domain the e-message message is being designated to, either English or German language will be used. Usually domains such as:

  • .de, gmx.de, gmx.at, gmx.net, gmx.ch

will receive messages constructed in German language.

Example messages may have subjects:

  • Re: Your Password
  • Re: Registration Confirmation
  • Re: Your email was blocked
  • Re: mailing error
  • FwD: Ihr Passwort
  • FwD: Ihre email wurde verweigert
  • FwD: Ich bin's, was zum lachen ;)
  • FwD: Glueckwunsch: Ihr WM Ticket
  • FwD: WM Ticket Verlosung
  • FwD: WM-Ticket-Auslosung

and body texts:

Account and Password Information are attached!
Visit: http://www.[collected_url].com
This is an automatically generated email Delivery Status Notification. Mail-Header, Mail-Body and Error Description are attached Attachment-Scanner: Status OK,AntiVirus: No Virus found,Server-AntiVirus: No Virus (Clean)
 Passwort und Benutzer-Informationen befinden sich in der beigefuegten Anlage. *-* http://www.
*-* MailTo: PasswordHelp@

**** AntiVirus: Kein Virus gefunden **** "GMX" AntiVirus Service **** WebSite: http://www.gmx.de 

Attachments:

  • mail_info.zip
  • our_secret.zip
  • Fifa_Info-Text.zip
  • okTicket-info.zip
  • free_PassWort-Info.zip
  • LOL.zip

One example of a mail Sober.P might send is a German message promising free tickets to the soccer world championships:

Herzlichen Glueckwunsch, beim Run auf die begehrten Tickets fr die 64 Spiele der Weltmeisterschaft 2006 in Deutschland sind Sie dabei.Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.St. Rainer Gellhaus --- Pressesprecher Jens Grittner und Gerd Graus --- FIFA Fussball-Weltmeisterschaft 2006 --- Organisationskomitee Deutschland --- Tel. 069 / 2006 - 2600 --- Jens.Grittner@ok2006.de --- Gerd.Graus@ok2006.de