Threat Description

Sober.S

Details

Aliases: Sober.S, Email-Worm.Win32.Sober.s, Email-Worm.Win32.VB.ba, CME-151, W32.Sober.Q@mm, W32/Sober.r@MM
Category: Malware
Type:
Platform: W32

Summary



The Sober.S worm started spreading on October 6th, 2005. This Sober variant sends itself as an attachment in e-mail messages with English or German text. The worm's code has bugs, and it quite often sends broken attachments.

In addition, at about noon on October 6th, a dropper for the Sober.S worm appeared. Its description can be found here:

http://www.f-secure.com/v-descs/sober_sdr.shtml



Removal



F-Secure provides a simple disinfection utility to remove a Sober.S worm infection. You can download this utility from our FTP or web site:

ftp://ftp.europe.f-secure.com/anti-virus/tools/sober_s_disinfect.zip

http://www.f-secure.com/tools/sober_s_disinfect.zip

The unpacked version is available here:

ftp://ftp.europe.f-secure.com/anti-virus/tools/sober_s_disinfect.bat

http://www.f-secure.com/tools/sober_s_disinfect.bat

Disinfection instructions can be found here:

ftp://ftp.europe.f-secure.com/anti-virus/tools/sober_s_disinfect.txt

http://www.f-secure.com/tools/sober_s_disinfect.txt



Technical Details



Sober.S is written in Visual Basic. The worm's file is a UPX-packed PE executable about 113 kilobytes long; the unpacked file is around 251 kilobytes. The worm appends random garbage to the end of its file every time it installs itself on a computer, so the file size and hash vary between infections.

Installation to system

When the worm's file is started, it shows a fake error message box as a decoy.

After that it creates a subfolder named 'ConnectionStatus' in the Windows folder and copies itself there as "services.exe".

The Sober.S worm adds startup keys for the copied "services.exe" to the System Registry (note that the HKLM value name starts with a space and the HKCU value name with an underscore):

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
" WinINet" = "%WinDir%\ConnectionStatus\services.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"_WinINet" = "%WinDir%\ConnectionStatus\services.exe"


In addition, the worm creates a file named "netslot.nst" in the same folder, where it stores the MIME-encoded copy of itself that is used for spreading. Quite often this MIME-encoded copy is corrupted.

The worm also creates a few files in the Windows System folder. Due to a bug in the worm's code, the names of these files can look like garbage. However, on some systems the worm manages to create empty files with the proper names:

nonrunso.ber
langeinf.lin
rubezahl.rub
bbvmwxxf.hml
gdfjgthv.cvq
seppelmx.smx


These files are used to deactivate previous Sober variants. This particular Sober variant checks for a file called 'runstop.rst' and, if such a file is found, deactivates itself.

The worm blocks access to its files and re-creates its startup keys in the Registry if they are deleted.
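The persistence artifacts listed above (the two Run values, the worm copy in ConnectionStatus, its companion files and the empty marker files) can be checked for offline. The following script is an added example for this description, not F-Secure's disinfection utility: it parses a registry export in .reg text form and two directory listings, all constructed inline here, and reports anything that matches the names from this description. On a live host the same functions would be fed with `reg export` output and listings of the Windows and System folders; the sample data and the drive letter are assumptions.

```python
"""Offline check for Sober.S persistence artifacts named in this description."""
import re

# Run keys the worm writes; the HKLM value name really starts with a space
# and the HKCU one with an underscore.
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": " WinINet",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": "_WinINet",
}
WORM_PATH_SUFFIX = r"\connectionstatus\services.exe"

# Files written next to the worm body in %WinDir%\ConnectionStatus.
COMPANION_FILES = {"netslot.nst", "socket.dli"}
# Empty marker files dropped in the Windows System folder.
MARKER_FILES = {"nonrunso.ber", "langeinf.lin", "rubezahl.rub",
                "bbvmwxxf.hml", "gdfjgthv.cvq", "seppelmx.smx"}

_SECTION = re.compile(r"^\[(.+)\]\s*$")
_VALUE = re.compile(r'^"(.*?)"="(.*)"\s*$')


def parse_reg_export(reg_text):
    """Parse a .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in reg_text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            # .reg files escape backslashes in string data.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_run_key_iocs(reg_text):
    """Return (key, value_name, data) for Run entries matching the worm's."""
    wanted = {k.lower() for k in RUN_KEYS}
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in wanted:
            continue
        for name, data in values.items():
            if data.lower().endswith(WORM_PATH_SUFFIX) or name in RUN_KEYS.values():
                hits.append((key, name, data))
    return hits


def find_file_iocs(windir_listing, system_listing):
    """Match relative paths under %WinDir% and names in the System folder
    against the file names given in this description (case-insensitive)."""
    found = {"worm_copy": [], "companion": [], "marker": []}
    for rel in windir_listing:
        low = rel.lower().replace("/", "\\")
        folder, _, base = low.rpartition("\\")
        if folder == "connectionstatus" and base == "services.exe":
            found["worm_copy"].append(rel)
        elif folder == "connectionstatus" and base in COMPANION_FILES:
            found["companion"].append(rel)
    for name in system_listing:
        if name.lower() in MARKER_FILES:
            found["marker"].append(name)
    return found


# Constructed sample data (not captured from an infected machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
" WinINet"="C:\\WINDOWS\\ConnectionStatus\\services.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"_WinINet"="C:\\WINDOWS\\ConnectionStatus\\services.exe"
'''
SAMPLE_WINDIR = ["explorer.exe", "ConnectionStatus\\services.exe",
                 "ConnectionStatus\\netslot.nst", "ConnectionStatus\\socket.dli"]
SAMPLE_SYSTEM = ["kernel32.dll", "rubezahl.rub", "user32.dll"]

if __name__ == "__main__":
    for hit in find_run_key_iocs(SAMPLE_REG):
        print("suspicious Run value:", hit)
    print(find_file_iocs(SAMPLE_WINDIR, SAMPLE_SYSTEM))
```

Because the worm re-creates its Run values and blocks access to its files while running, a match here means the process must be stopped (or the host booted into a clean environment) before the files and values can be removed.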

Spreading in E-mails

The Sober.S worm sends different types of e-mail messages with English or German text and its file attached. The attachment is a ZIP archive containing the worm's executable.

To collect e-mail addresses the worm scans files with the following extensions:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws
vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg
mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas
adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf
doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx


The collected e-mail addresses are stored in a file named "socket.dli", created in the same folder as the main worm executable. The worm ignores e-mail addresses that contain any of the following substrings:

@www @from. smtp- @smtp. ftp. .dial. .ppp. .dip.t-dia anyone
@gmetref sql. someone nothing you@ user@ reciver@ somebody
secure whatever@ whoever@ anywhere yourname mustermann@
mailer-daemon variabel noreply -dav law2 .qmail@ freeav @ca.
abuse winrar domain. host. viren bitdefender spybot detection
ewido. emsisoft linux @foo. winzip @example. bellcore. @arin
@iana @avp icrosoft. @sophos @panda @kaspers free-av antivir
virus verizon. @ikarus. @nai. @messagelab nlpmail01. clock


When the worm sends an e-mail to an address that contains "gmx." or whose domain ends in ".de", ".li", ".ch" or ".at", it composes the message in German; otherwise it composes the message in English.

The worm can compose the following English messages:

Subject:

I've got your mail on my account!


Body:

hello,
First I must say, my English is very very bad! Sorry about this.
Ok, I've got an email in my box, but this email is not for me, because,,,
I'm not the recipient! The recipient are YOU !!!
This must be an email provider error, but I don't know!
I have made a Screenshot about this mail and saved in a zipped jpeg graphic file for you.
ok then,
bye


Attachment:

screen_photo.zip


--- OR ---

Subject:

Your new Password


Body:

Your password was successfully changed!
Please see the attached file for detailed information.


Attachment:

pword_change.zip


--- OR ---

Subject:

Registration Confirmation


Body:

Thanks for your registration.
Your data are saved in the zipped .doc file!


Attachment:

Regis.info.zip


In addition to the English messages, the Sober.S worm can compose the following German messages:

Subject:

Bcc: Ich habe Ihre Mail erhalten!


Body:

Danke für Ihre Mail ....
Sie haben aber Ihre Mail wahrscheinlich falsch adressiert,,, nämlich an mich.
Ich kenne sie aber nicht!
Oder Ihr Provider hat die Mail falsch weiter geleitet!?
Um mich zu entlasten, schicke ich Ihnen das (...) Foto wieder zurück.
MfG
Sender


Attachment:

Privat-Foto.zip


--- OR ---

Subject:

Fwd: Klassentreffen


Body:

hi,
ich hoffe jetzt mal das ich endlich die richtige person erwischt habe!
ich habe jedenfalls mal unser klassenfoto von damals mit angehängt.
wenn du dich dort wiedererkennst, dann schreibe unbedingt zurück!!
wenn ich aber wieder mal die falsche person erwischt habe, dann sorry for die belästigung ;)
liebe grüße
Rita


(The sender name can also be any of the following: Sandra, Nicole, Hannelore, Kerstin, Elke.)

Attachment:

KlassenFoto.zip


--- OR ---

Subject:

Haben Sie diese Mail verschickt?


Body:

Um es vorweg zu sagen: Ich bin kurz davor eine Anzeige gegen Sie zu erstatten!
Sie spinnen ja wohl! Die Mail hat meine Tochter gelesen !!!!!!!!!!!!!!
Ich habe Ihnen "diese" Word-Text Datei zu meiner Entlastung zurückgeschickt.
Es wäre von Vorteil, wenn Sie sich dazu äußern würden!!


Attachment:

Brief.zip


The worm does not use any exploits to start its attachment automatically on remote systems. To get infected, a user has to extract and run the worm's executable file.
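Because the worm relies on the recipient extracting and running the attachment, a mail gateway can stop it by recognising the fixed subject/attachment pairs listed above and, more generally, by flagging ZIP attachments that carry a Windows executable. The script below is an added example for this description, not part of it and not an F-Secure product; the two messages it classifies are constructed in the block, not captured samples, and the member name inside the ZIP is assumed.

```python
"""Gateway-side check for the Sober.S lures listed in this description."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# (subject, attachment name) pairs taken from the description, English and German.
SOBER_S_LURES = {
    ("I've got your mail on my account!", "screen_photo.zip"),
    ("Your new Password", "pword_change.zip"),
    ("Registration Confirmation", "Regis.info.zip"),
    ("Bcc: Ich habe Ihre Mail erhalten!", "Privat-Foto.zip"),
    ("Fwd: Klassentreffen", "KlassenFoto.zip"),
    ("Haben Sie diese Mail verschickt?", "Brief.zip"),
}
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def zip_member_names(data):
    """Member names of a ZIP attachment, or [] if it is not a valid archive
    (the description notes the worm often sends corrupted attachments)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify_message(raw_bytes):
    """Return the list of reasons a raw RFC 822 message looks like a Sober.S mailing."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    subject = str(msg["subject"] or "").strip()
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if (subject, name) in SOBER_S_LURES:
            reasons.append(f"known Sober.S lure: subject={subject!r} attachment={name!r}")
        if name.lower().endswith(".zip"):
            members = zip_member_names(part.get_payload(decode=True) or b"")
            exes = [m for m in members if m.lower().endswith(EXECUTABLE_EXTENSIONS)]
            if exes:
                reasons.append(f"ZIP attachment {name!r} contains executable(s): {exes}")
    return reasons


def build_message(subject, attachment_name, zip_members):
    """Construct a test message whose ZIP attachment holds the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in zip_members:
            zf.writestr(member, b"placeholder bytes, not malware")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one mimicking a lure from the description, one benign.
# The executable member name is an assumption, not a value from the description.
LURE_SAMPLE = build_message("Your new Password", "pword_change.zip", ["pword_change.doc.exe"])
BENIGN_SAMPLE = build_message("Q3 report", "report.zip", ["report.pdf"])

if __name__ == "__main__":
    for label, raw in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, classify_message(raw) or ["no Sober.S indicators"])
```

The subject/attachment match catches this variant exactly, while the executable-in-ZIP rule also covers the broken attachments the worm sends (an unreadable archive simply yields no members) and future variants that change their wording but not their delivery method.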

Payload

The worm can download and run executable files from user accounts created on the following servers:

people.freenet.de
scifi.pages.at
home.pages.at
free.pages.at
home.arcor.de


The Sober.S worm terminates applications that have the following substrings in their names (mostly security and Sober-removal tools):

microsoftanti
gcas
gcip
giantanti
inetupd.
nod32kui
nod32.
fxsob
avwin.
guardgui.
stinger
hijack
sober
brfix
fixsob
s-t-i-n


The worm then shows a message box.



Detection


The Sober.S worm is detected with the following F-Secure Anti-Virus update:
Detection Type: PC
Database: 2005-10-06_01



Description Created: Alexey Podrezov; October 6th, 2005

