Sober.C

Threat description

Details

Summary

Sober.C is an e-mail worm that sends itself as an attachment to e-mail messages with different subject and body texts. Messages are composed from either German or English text strings depending on a recipient's domain suffix.

The worm can disguise itself as a message from a police, that allegedly found illegal movies, music and software on a user's computer. The worm's message tells that police filed a lawsuit against a user and a user is offered to read the rest of information in the attachment which has a .TXT.EXE extension. But the attachment contains only a sample of the worm. The worm can also send other kind of messages. Additionally, the worm has the functionality to spread in P2P (peer-to-peer) networks.

Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The worm is written in Visual Basic. The worm's file is packed with a modified version of UPX file compressor. It has its own SMTP engine and it is used to send out infected e-mail messages.

Installation to system

When the worm's file is started, it shows a fake error message:

Runtime Error   has caused an unknown error.   

where <file_name> is the name of the worm's file. The messagebox can have a different caption and an additional text:

Microsoft   has caused an unknown error.  Stop: 00000010x08   

The worm copies itself to Windows System folder 3 times, once with SYSHOSTX.EXE name, and 2 more times with semi-randomly generated names, for example DIREXSYS.EXE or DXINBHEXDAT.EXE. The worm uses the following fixed text strings to generate the name of its files:

Runtime Error
 has caused an unknown error.
 

The worm also creates a file named SAVESYSS.DLL, where it stores e-mail addresses harvested from an infected computer. The worm also creates 2 files named HUMGLY.LKUR and YFJQ.YQWM in the same folder.

The worm creates several startup Registry keys for one of its semi-randomly named files in System Registry:

Runtime Error
 has caused an unknown error.
 

The worm also creates a startup key for its file in HKEY_USERS Registry tree:

[HKEY_USERS\\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]   

The subkey name that is created by the worm is semi-randomly generated. The value of a subkey is the path to one of the worm's files in Windows System folder.

The worm always has 2 of its tasks in System Memory. If one task is killed, it is immediately restarted by another one. Also the worm refreshes its startup keys in the Registry every few seconds. This makes manual disinfection of the worm more difficult. Is should be also noted that the worm blocks read access to its 2 semi-randomly named files and to SAVESYSS.DLL file as well.

Spreading in e-mails.

The worm scans files with certain extensions to harvest e-mail addresses. Files with the following extensions are scanned:

Runtime Error
 has caused an unknown error.
 

The worm saves all found e-mail addresses to SAVESYSS.DLL file located in Windows System folder. This is an ASCII file, not binary.

The worm sends e-mail messages with German and English texts. When sending a message to an e-mail address, that has domain suffix DE, CH, AT, LI, NL or BE, the worm uses German text strings, otherwise it composes a message in English.

When sending messages in English, the worm can use the following subjects:

Runtime Error
 has caused an unknown error.
 

The worm uses the following arrays of text strings for English message bodies:

Runtime Error
 has caused an unknown error.
 

In English messages the worm can send itself as an attachment with the following names:

yourmail.txt.  yourmail.doc.  photos.  test.  reward.  youtoo.  set_config.  downloader.exe  www.freegames4you-gzone.com  www.onlinegamerspro-worm.com  idiot.  painfulness.  terror-list.  www.boards4all-terror432.com  account.  credit card.  yourregistration.txt.  letters.  refcode.txt.  mangaconection.  www.animepage43252.com  www.anime4allfree.com   

The worm can compose attachment names from the following parts:

Runtime Error
 has caused an unknown error.
 

For example an attachment name can be REMOVE-SMSS_TOOL.EXE.

The worm can use the following extensions (referenced above as <ext>) for the only or second extension of its attachment:

Runtime Error
 has caused an unknown error.
 

When sending messages in German, the worm can use the following subjects:

Runtime Error
 has caused an unknown error.
 

The worm uses the following arrays of text strings for German message bodies:

Runtime Error
 has caused an unknown error.
 

In German messages the worm can send itself as an attachment with the following names:

Klassenfoto.  www.iq4you-german-test.com  Kundendat.BaB.  www.freewantiv.com  SysDial-patch.  aktenz.txt.  haha_sehr_witzig.  DrohMails.  RTL-DSDS-anmelde.  www.free4manga.com  Zugangsdaten.txt.  www.free4share4you.com  sharedfree.  www.tagespolitik-umfragen.com  Abstimmen.  test.  alledigis.  remove-   

The worm can use the following extensions (referenced above as <ext>) for the only or second extension of its attachment:

Runtime Error
 has caused an unknown error.
 

Here's an example of a German message sent by the worm:

Body:

Runtime Error
 has caused an unknown error.
 

Attachment:

AKTENZ.TXT.EXE   

The worm in some cases uses semi-randomly generated attachment names. For example the worm's attachment name for the above shown e-mail can be AKTENZ36616.TXT.EXE.

The worm modifies its attachment to fool CRC-based detection: it can add random data to its file's end.

Spreading in file sharing networks

When active, the worm tries to locate shared folders of Kazaa, EMule and EDonkey2000. If such folders are located, the worm overwrites all executable files in those folders with its copy preserving the original file's size and name.

Detection

Detection of Sober.C worm is available in the following FSAV updates:

Detection Type: PC

Database: 2003-12-20_01

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info