Email-Worm:W32/Sober.F is written in Visual Basic. The worm's file is a PE executable of length 42496 bytes, packed with a modified version of UPX file compressor. The worm has its own SMTP engine that it uses to send out infected email messages.
When the worm's file is run, it opens Notepad with a text file as a disguise:
Then the worm installs itself to system. It copies itself to Windows System folder once, with a semi-randomly generated name and creates 2 startup keys for this file in System Registry. The worm uses the following fixed text strings to generate the name of its file and the name of the startup key:
The worm also creates 3 empty files in the same folder:
These files disable previous Sober variants if they are installed on an affected computer.
The worm creates a startup Registry key to its semi-randomly named file in System Registry:
The subkey name that is created by the worm is semi-randomly generated too. The value of a subkey is the path the worm's file in Windows System folder.
Sober.F worm constantly checks a hard drive for the presence of the file named CVQAIKXT.APK. If this file is found, the worm unloads itself from memory. Also if this file is present on a hard disk during the worm's installation process, the worm does not copy itself to a hard drive.
Sober.F denies access to its data and executable files if it is active in Windows memory.
The worm scans files with certain extensions on all hard disks to harvest email addresses. Files with the following extensions are scanned:
The worm can send messages chosen from variety of templates in English and German. Some of the messages will attempt tp appear to the eyes of the users as harmless error messages. Possible text appearing in those messages is:
- Hi, it's me
- hey you
- Well, surprise?!
- Faulty mail delivery
- Mail delivery failed
- Mail Error
- Illegal signs in Mail-Routing
- Connection failed
- Invalid mail sentence length
- Mail Delivery failure
- Message Error
- mail delivery status
- Confirmation Required
- Bad Gateway
- Your document
- I was surprised, too! :-(
- Who could suspect something like that?
- All OK :)
- see, what i've found!
- hi its me
- i've found a shity virus on my pc. check your pc, too!
- follow the steps in this article.
- Registration confirmation
- I 've told you!:-) sometime I grab your passwords!
- I hope you accept the result!
- Follow the instructions to read the message.
- Please read the document
- Your Password
- Your mail account
- Your password was changed successfully.
- Protected message is attached.
220.127.116.11_failed_after_I_sent_the_message./Remote_host_said: _554_delivery_error:_dd_Sorry_your_message_cannot_be_delivered ._This_account_has_been_disabled_or_discontinued_[#102]._-_ mta134.mail. dcn.com
** End of Transmission The original message is a separate attachment. --- Mail To: UserHelp Error_Info _attach Read the attachment for details. Bad Gateway: The message has been attached. +++ A service of +++ Mail: home -attachment The message has been attached. attach-message Database #Error -- Partial message is available! -- Error: llegal signs in Mail-Routing -- Mail Server: ESMTP VX32.9 Version Betha Alpha
It also composes messages in such a way that they look as if scanned by some Anti-Virus and found clean. Messages will resemble:
++++ Im www erreichbar unter: http://www.[url chosen by the worm] ++++ email: [email chosen by the worm]
*** Anti- Virus: Es wurde kein Virus erkannt *** [name chosen by the worm] Virenschutz *** http://www.[url chosen by the worm]
The text can be preceded by some other german sentence, and some of the strings may also differ from message to message.