F-Secure Virus Descriptions : Sober.P




NAME: Sober.P
ALIAS: Email-Worm.Win32.Sober.p, W32.Sober.O@mm, W32/Sober.gen@MM
SIZE: 53544

Summary

Update on May 13th.

Since the Sober.P worm has stopped spreading, we are downgrading its Radar level.

The Sober.P e-mail worm was found on May 2nd, 2005. It sends itself as an attachment in e-mail messages with English or German texts.

Disinfection

F-Secure provides a simple disinfection utility to remove a Sober.P worm infection. You can download this utility from our ftp or web site:

ftp://ftp.europe.f-secure.com/anti-virus/tools/sober_p_disinfect.zip

http://www.f-secure.com/tools/sober_p_disinfect.zip

The unpacked version is available here:

ftp://ftp.europe.f-secure.com/anti-virus/tools/sober_p_disinfect.bat

http://www.f-secure.com/tools/sober_p_disinfect.bat

Disinfection instructions can be found here:

ftp://ftp.europe.f-secure.com/anti-virus/tools/sober_p_disinfect.txt

http://www.f-secure.com/tools/sober_p_disinfect.txt



Detailed Description

The worm is written in Visual Basic and is a UPX-packed PE executable about 52 kilobytes long.

The worm sends different types of e-mail messages with English and German texts and an attachment. The attachment is a ZIP archive containing the worm's executable.

Installation to System

Once run, the worm displays a decoy error message.

It then drops three new files, "services.exe", "csrss.exe" and "smss.exe", into the %WinDir%\Connection Wizard\Status\ folder, which the worm creates. All dropped files are closely related to the original worm's binary.

Sober.P adds a startup value for "services.exe" to the System Registry. Note that the value name " WinStart" begins with a space:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  " WinStart" = %WinDir%\Connection Wizard\Status\services.exe

Upon reboot, this file will start the other two executable files.

The worm also creates several files in its installation directory:

  packed1.sbr
  packed2.sbr
  packed3.sbr

These files contain a BASE64-encoded representation of the worm's body. They are used later when the worm sends e-mail messages.
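A host-side check for the installation artefacts described above, written as an added example for this write-up (not F-Secure's disinfection tool). It works on an exported Run-key value map and a file listing, both constructed here, so it runs offline; the helper and sample names are assumptions.

```python
from typing import Dict, List

# Host artefacts from the write-up: the worm's own directory under %WinDir%,
# the three dropped executables and the BASE64 .sbr files.
INSTALL_DIR = "\\connection wizard\\status"
DROPPED = {"services.exe", "csrss.exe", "smss.exe",
           "packed1.sbr", "packed2.sbr", "packed3.sbr"}
RUN_VALUE_NAME = " WinStart"  # the Run value name carries a leading space


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons ignore case and separators."""
    return path.replace("/", "\\").lower()


def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """run_values: value name -> data, as exported from HKLM\\...\\CurrentVersion\\Run.
    Matches the exact value name (leading space included) or the data path, so a
    renamed value that still points into the worm directory is also caught."""
    hits = []
    for name, data in run_values.items():
        data_n = _norm(data)
        if name == RUN_VALUE_NAME or (INSTALL_DIR in data_n and data_n.endswith("\\services.exe")):
            hits.append(f"Run value {name!r} -> {data}")
    return hits


def check_files(paths: List[str]) -> List[str]:
    """Flag the dropped names only inside the worm's directory: services.exe, csrss.exe
    and smss.exe are legitimate in %WinDir%\\System32, so the name alone proves nothing."""
    hits = []
    for raw in paths:
        directory, _, fname = _norm(raw).rpartition("\\")
        if directory.endswith(INSTALL_DIR) and fname in DROPPED:
            hits.append(raw)
    return hits


def scan(run_values: Dict[str, str], paths: List[str]) -> Dict[str, List[str]]:
    return {"registry": check_run_values(run_values), "files": check_files(paths)}


# Constructed sample data standing in for a registry export and a file listing.
SAMPLE_RUN = {" WinStart": r"C:\WINDOWS\Connection Wizard\Status\services.exe",
              "SoundMan": "SOUNDMAN.EXE"}
SAMPLE_FILES = [r"C:\WINDOWS\system32\services.exe",                 # legitimate, not flagged
                r"C:\WINDOWS\Connection Wizard\Status\csrss.exe",    # dropped by the worm
                r"C:\WINDOWS\Connection Wizard\Status\packed2.sbr"]  # BASE64 copy of the body

if __name__ == "__main__":
    for kind, found in scan(SAMPLE_RUN, SAMPLE_FILES).items():
        print(kind, found)
```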

Spreading in E-mails

The worm sends different types of e-mail messages with English or German texts and its file attached. The attachment is a ZIP archive containing the worm's executable.

Before spreading, the worm scans files with certain extensions on all hard disks to harvest e-mail addresses. Files with the following extensions are scanned:

 pmr
 phtm
 stm
 slk
 inbox
 imb
 csv
 bak
 imh
 xhtml
 imm
 imh
 cms
 nws
 vcf
 ctl
 dhtm
 cgi
 pp
 ppt
 msg
 jsp
 oft
 vbs
 uin
 ldb
 abc
 pst
 cfg
 mdw
 mbx
 mdx
 mda
 adp
 nab
 fdb
 vap
 dsp
 ade
 sln
 dsw
 mde
 frm
 bas
 adr
 cls
 ini
 ldif
 log
 mdb
 xml
 wsh
 tbb
 abx
 abd
 adb
 pl
 rtf
 mmf
 doc
 ods
 nch
 xls
 nsf
 txt
 wab
 eml
 hlp
 mht
 nfo
 php
 asp
 shtml
 dbx

While harvesting e-mail addresses, if one of the following substrings is present in an address:

 ntp-
 ntp@
 ntp.
 info@
 test@
 @www
 @from.
 support
 smtp-
 @smtp.
 gold-certs
 ftp.
 .dial.
 .ppp.
 anyone
 subscribe
 announce
 @gmetref
 sql.
 someone
 nothing
 you@
 user@
 reciver@
 somebody
 secure
 whatever@
 whoever@
 anywhere
 yourname
 mustermann@
 .kundenserver.
 mailer-daemon
 variabel
 noreply
 -dav
 law2
 .sul.t-
 .qmail@
 t-ipconnect
 t-dialin
 ipt.aol
 time
 freeav
 @ca.
 abuse
 winrar
 domain.
 host.
 viren
 bitdefender
 spybot
 detection
 ewido.
 emsisoft
 linux
 google
 @foo.
 winzip
 @example.
 bellcore.
 @arin
 mozilla
 iana@
 iana-
 @iana
 @avp
 icrosoft.
 @sophos
 @panda
 @kaspers
 free-av
 antivir
 virus
 verizon.
 @ikarus.
 @nai.
 @messagelab
 nlpmail01.
 clock

then the collected e-mail address is discarded.

Depending on the domain the message is addressed to, either English or German text is used. Typically, recipients in domains such as:

 .de, gmx.de, gmx.at, gmx.net, gmx.ch

will receive messages written in German.

Example messages may have subjects:

 Re: Your Password
 Re: Registration Confirmation
 Re: Your email was blocked
 Re: mailing error
 FwD: Ihr Passwort
 FwD: Ihre E-Mail wurde verweigert
 FwD: Ich bin's, was zum lachen ;)
 FwD: Glueckwunsch: Ihr WM Ticket
 FwD: WM Ticket Verlosung
 FwD: WM-Ticket-Auslosung

and body texts:

 Account and Password Information are attached!
 Visit: http://www.<collected_url>.com

 This is an automatically generated E-Mail Delivery Status Notification.
 Mail-Header, Mail-Body and Error Description are attached
 Attachment-Scanner: Status OK,AntiVirus: No Virus found,Server-AntiVirus: No Virus (Clean)

 Passwort und Benutzer-Informationen befinden sich in der beigefuegten Anlage.

 *-* http://www.<collected_url>
 *-* MailTo: PasswordHelp@<collected_url>

 **** AntiVirus: Kein Virus gefunden
 **** "GMX" AntiVirus Service
 **** WebSite: http://www.gmx.de

Attachments:

 mail_info.zip
 our_secret.zip
 Fifa_Info-Text.zip
 okTicket-info.zip
 free_PassWort-Info.zip
 LOL.zip

One example of a mail Sober.P might send is a German message promising free tickets to the soccer world championships:

  Herzlichen Glueckwunsch,
  beim Run auf die begehrten Tickets für die 64 Spiele der Weltmeisterschaft 2006 in Deutschland sind Sie
  dabei. Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.

  St. Rainer Gellhaus
  --- Pressesprecher Jens Grittner und Gerd Graus
  --- FIFA Fussball-Weltmeisterschaft 2006
  --- Organisationskomitee Deutschland
  --- Tel. 069 / 2006 - 2600
  --- Jens.Grittner@ok2006.de
  --- Gerd.Graus@ok2006.de
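A mail-gateway triage rule built from the subjects, attachment names and spoofed anti-virus footers listed in this section, added here as an example and not part of the original write-up. The `Mail` class, the two-indicator threshold and the sample messages are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List

# Message indicators from the write-up: subject lines, attachment names and the
# spoofed anti-virus footer the worm appends to look like a clean scan result.
SUBJECTS = {
    "Re: Your Password", "Re: Registration Confirmation", "Re: Your email was blocked",
    "Re: mailing error", "FwD: Ihr Passwort", "FwD: Ihre E-Mail wurde verweigert",
    "FwD: Ich bin's, was zum lachen ;)", "FwD: Glueckwunsch: Ihr WM Ticket",
    "FwD: WM Ticket Verlosung", "FwD: WM-Ticket-Auslosung",
}
ATTACHMENTS = {"mail_info.zip", "our_secret.zip", "fifa_info-text.zip",
               "okticket-info.zip", "free_passwort-info.zip", "lol.zip"}
SPOOF_FOOTERS = ("antivirus: no virus found", "antivirus: kein virus gefunden",
                 "server-antivirus: no virus (clean)")


@dataclass
class Mail:
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def indicators(mail: Mail) -> List[str]:
    """Return the independent Sober.P traits found in one message."""
    found = []
    if mail.subject.strip() in SUBJECTS:
        found.append("known subject")
    for name in mail.attachments:
        if name.lower() in ATTACHMENTS:
            found.append(f"known attachment {name}")
    body = mail.body.lower()
    if any(footer in body for footer in SPOOF_FOOTERS):
        found.append("spoofed AV footer")
    return found


def is_sober_p(mail: Mail, threshold: int = 2) -> bool:
    """Require two independent traits: a subject such as 'Re: Your Password'
    alone is common enough in legitimate mail to cause false positives."""
    return len(indicators(mail)) >= threshold


# Constructed sample messages modelled on the texts quoted above.
SAMPLE_WORM = Mail(subject="FwD: Ihr Passwort", attachments=["free_PassWort-Info.zip"],
                   body="Passwort und Benutzer-Informationen befinden sich in der "
                        "beigefuegten Anlage.\n**** AntiVirus: Kein Virus gefunden\n")
SAMPLE_BENIGN = Mail(subject="Re: Your Password", body="Reset link sent, tell me if it fails.")

if __name__ == "__main__":
    print(indicators(SAMPLE_WORM), is_sober_p(SAMPLE_WORM), is_sober_p(SAMPLE_BENIGN))
```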

Payload

Sober.P monitors a fixed list of NTP servers to synchronize its time. If the date is 27.4.2005 or later, it tries to download and execute a file from one of the following domains:

 free.pages.at
 home.arcor.de
 people.freenet.de
 scifi.pages.at
 home.pages.at

The time check uses a hard-coded list of 20 public NTP servers.


Sober.P checks for a network connection using the 'RasEnumConnections' Win32 API call. If that check fails, it tries to connect to several domains on TCP port 80.

The worm also queries a hard-coded list of 45 DNS servers, given as IP addresses.


Each DNS query asks for one of the following domains:

 microsoft.com
 bigfoot.com
 yahoo.com
 t-online.de
 google.com
 hotmail.com




Detection

The Sober.P worm is detected with the following FSAV update:

Version=2005-05-02_03



Write-up by: Tzvetan Chaliavski; May 2nd, 2005;

Updated by: Jarkko Turkulainen; May 4th, 2005;

Updated by: Alexey Podrezov; May 16th, 2005;

F-Secure Corporation