F-Secure Virus Information Pages : Sober.T THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR. Radar Alert LEVEL 2 [Summary] | [Detailed Description] Name: Sober.T Alias: Email-Worm.Win32.Sober.t, W32.Sober.T@mm Category: Virus Date of Discovery: November 14, 2005 Summary The Sober.T worm was found on November 14th, 2005. This Sober variant is similar to the previous ones - it sends itself as an attachment in e-mail messages with English or German texts. Detailed Description Sober.T is written in Visual Basic. The worm's file is a UPX packed PE executable about 130 kilobytes long. The unpacked worm's file size is around 266 kilobytes. The worm adds random garbage to the end of its file every time it installs itself on a computer. This time the author of Sober worm changed the encryption algorithm for text strings in the worm's body. And he included a message for anti-virus vendors in the worm's body basically saying that 'Use your debuggers, it's fun'. Well it takes rather short time to reverse engineer the algorithm and to write a decoding script... Installation to System After being run by a user the worm creates subfolders named 'ConnectionStatus\Microsoft\' in Windows folder and copies itself there as "services.exe" file. The worm then adds startup keys for the copied "services.exe" file into System Registry: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] " WinCheck" = "%WinDir%\ConnectionStatus\Microsoft\services.exe" [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "_WinCheck" = "%WinDir%\ConnectionStatus\Microsoft\services.exe" The Sober.T worm creates a few empty files in Windows System folder with the following names: nonrunso.ber langeinf.lin runstop.rst rubezahl.rub bbvmwxxf.hml gdfjgthv.cvq These files are used to deactivate previous Sober variants. This particular Sober variant checks for the file called 'filesms.fms' and if such file is found, the worm deactivates itself. The worm blocks access to its files and re-creates its startup keys in the Registry if they are deleted. Spreading in E-mails Sober.T worm sends e-mail messages with English and German texts and its file attached. The attachment is a ZIP archive containing the worm's executable. To collect e-mail addresses the worm scans files with the following extensions: pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx The collected e-mail addresses are stored in "concon.www" file that is created in the same folder where the main worm's executable file is located. The worm ignores e-mail addresses if they contain any of the following strings: @www @from. smtp- @smtp. ftp. .dial. .ppp. .dip.t-dia anyone @gmetref sql. someone nothing you@ user@ reciver@ somebody secure whatever@ whoever@ anywhere yourname mustermann@ mailer-daemon variabel noreply -dav law2 .qmail@ freeav @ca. abuse winrar domain. host. viren bitdefender spybot detection ewido. emsisoft linux @foo. winzip @example. bellcore. @arin @iana @avp icrosoft. @sophos @panda @kaspers free-av antivir virus verizon. @ikarus. @nai. @messagelab nlpmail01. clock When the worm sends an e-mail to an address that contains "gmx." domain or has the domain suffix ".de", ".li", ".ch" or ".at", it composes messages in German, otherwise the worm composes messages in English. The worm sends the following messages: Subject: Haben Sie diese EMail verschickt? Body: Um es vorweg zu sagen: Ich bin kurz davor eine Anzeige gegen Sie zu erstatten! Sie spinnen ja wohl! Die E-Mail hat meine Tochter gelesen!!!!!! Ich habe Ihnen Word-Text Datei zu meiner Entlastung zurueckgeschickt. Es waere von Vorteil, wenn Sie sich dazu aeussern wuerden!! Attachment name starts with: Word-Text ---- OR ---- Subject: Registration Confirmation Body: Thanks for your registration. Your data are saved in the zipped Word.doc file! Attachment: registration.zip The worm's executable file is located inside the ZIP archive attached to the above shown messages. To get infected a user has to extract and run the worm's file. Payload Sober.T worm terminates applications that have the following substrings in their names: microsoftanti gcas gcip giantanti inetupd. nod32kui nod32. fxsob avwin. guardgui. stinger hijack sober brfix fixsob s-t-i-n Then the worm shows a messagebox that looks like that: This trick is done to persuade a user that no infection was detected on his computer by his anti-virus or a virus removal tool. The worm can also download and run files on an infected computer. Back to the Top Write-up: Alexey Podrezov Technical Details: Alexey Podrezov; November 14th, 2005; Description Updated: Jarkko Turkulainen, December 15, 2005 F-Secure Corporation