Threat Description

Sober.B

Details

Aliases: Sober.B, I-Worm.Sober.B, W32/Sober.B
Category: Malware
Type:
Platform: W32

Summary


Sober.B is an e-mail worm that sends itself as an attachment to e-mail messages with different subject and body texts. Messages are composed from either German or English text strings depending on a recipient's domain suffix. The worm also has the functionality to spread in P2P (peer-to-peer) networks.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.



Technical Details


The worm is written in Visual Basic. The worm's file is packed with a modified version of UPX file compressor. It has its own SMTP engine and it is used to send out infected e-mail messages.

Installation to system

When the worm's file is started, it shows a fake error message:

The worm copies itself to Windows System folder 3 times, once with SPOOL.EXE name, and 2 more times with semi-randomly generated names, for example RMDIAGEXAKE.EXE or MONWIUKDIR.EXE. The worm uses the following fixed text strings to generate the name of its files:

win  svc  task  sys  dll  host  end  dir  ms  run  ex  log  on  reg  ie  32  16  64  disk  api  app  con  mon  drv  crypt  dat  dx  diag  str  xp  hex  

The worm also creates a file named MSCOLMON.OCX, where it stores e-mail addresses harvested from an infected computer. The worm also creates a file named HUMGLY.LKUR in the same folder.

The worm creates several startup Registry keys for one of its semi-randomly named files in System Registry:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]  

The worm also creates a startup key for its file in HKEY_USERS Registry tree:

[HKEY_USERS\[userID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]  

The subkey name that is created by the worm is semi-randomly generated. The value of a subkey is the path to one of the worm's files in Windows System folder.

The worm always has 2 of its tasks in System Memory. If one task is killed, it is immediately restarted by another one. Also the worm refreshes its startup keys in the Registry every few seconds. This makes manual disinfection of the worm more difficult. Is should be also noted that the worm blocks read access to its 2 semi-randomly named files and to MSCOLMON.OCX file as well.

Spreading in e-mails.

The worm scans files with certain extensions to harvest e-mail addresses. Files with the following extensions are scanned:

htt  rtf  doc  xls  ini  mdb  txt  htm  html  wab  pst  fdb  cfg  ldb  eml  abc  ldif  nab  adp  mdw  mda  mde  ade  sln  dsw  dsp  vap  php  nsf  asp  shtml  shtm  dbx  hlp  mht  nfo  

The worm saves all found e-mail addresses to MSCOLMON.OCX file located in Windows System folder. This is an ASCII file, not binary.

The worm sends e-mail messages with German and English texts. When sending a message to an e-mail address, that has domain suffix DE, CH, AT, LI, NL or BE, the worm uses German text strings, otherwise it composes a message in English. The worm sends the following English e-mail messages:

Subject:

George W. Bush plans new wars  

or

George W. Bush wants a new war  

Body:

Bush plans new wars against China, Cuba and Iran.  Please visit our website and vote against this very crazy war(s).  More information:  

Attachment:

www.gwbush-new-wars.com  

----------------------

Subject:

You Got Hacked  

or

Have you been hacked?  

Body:

by me,, idiot!  haha,  very nice files on your system.  i've made a website. i show your files on this website   hahaha  visit:  

or

YA of me  a great many files on your pc and very very interesting  what would say the police?!,,, i don't know .-]  i've  files of you  see:  

Attachment:

www.hcket-user-pcs.com  

or

yourlist.pif  

or

allfiles.cmd  

The worm sends the following German e-mail messages:

Subject:

Hihi, ich war auf deinem Computer  

or

Du bist Ge-Hackt worden  

or

Ich habe Sie Ge-hackt  

or

Der Kannibale von Rotenburg  

Body:

Nette, ungewohnliche und ausgefallene Sachen hast du da  auf deinem Computer! (Was soll man dazu noch sagen)  

or

Ich uberlege mir schon die ganze Zeit, ob ich ein paar deiner Dateien  im Internet auf einer Web-Seite stellen soll!  Weil, genug Stoff habe ich ja von Dir! (Muhahahah)  Du fragst dich sicherlich, was ich alles von Dir habe,,,, siehe selbst  

or

Was wohl gewisse Behorden dazu sagen wurden? **hust*  Ich wei? nicht so recht, soll ich dich bestechen oder  die Behorden einschalten ???  Du kannst jetzt ruhig Deine Dateien loschen oder sonst was, aber nutzen wird es  Dir wenig, weil ich sie auch habe!  Wenn du meinst das ich Mist rede, dann sehe Dir die Datei-Liste an.  Dann siehst du, was ich alles von Dir habe.  Na ja,, ich melde mich nachste Woche noch einmal!  

or

Entschuldigen Sie bitte diese uberaus deutliche Betreffzeile!  Aber ein neuer Dialer macht mit dieser Uberschrift unzahlige User zu Opfern.  Die User werden mit dem versprechen gelockt, sich das  usserts abscheuliche Tat- Video anzuschauen zu durfen.  Stattdessen aber, installiert sich ein sehr teurer Dialer und ein Virus auf dem PC.  Da aber unzahlige User auf diese Finte hereinfallen, haben wir mit Zustimmung des  Bundeskriminalamtes BKA, eine Web-Seite erstellt, wo einige dieser ausserts brisanten Fotos und Videos  einzusehen sind, um den Leuten die Neugier zu nehmen.  Naturlich sind diese Videos und Fotos leicht zensiert worden.  Um auf diesen Web-Server zu gelangen, mussen Sie zuerst bestatigen, dass Sie das 18 Lebensjahr bereits vollendet haben.  Wir bitten sie ausdrucklichst, keine Kinder diese Seite einsehen zu lassen.  I.A.: Dieter Braun  ----- MultiMedia AG Munchen ia. BKA  (ORG. Rund-Mail V6.02)  ----- Geschaftsfuhrer: Michael Leuningen  (089/8941440)  FAX: 089/89414434  

Attachment:

Daten-Text.pif  

or

DateiList.pif  

or

Server.com  

The worm modifies its attachment to fool CRC-based detection. It can adds random data to its file's end.

Spreading in file sharing networks

When active, the worm tries to locate shared folders of Kazaa, EMule and EDonkey2000. If such folders are located, the worm overwrites all executable files in those folders with its copy preserving the original file's size and name.



Detection


Detection of Sober.B worm is available in the following FSAV updates:

Detection Type: PC
Database: 2003-12-18_01



Description Last Modified: Alexey Podrezov, December 18th, 2003


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More