Threat Description

Sober.K

Details

Category: Malware
Platform: W32
Aliases: Sober.K, W32/Sober.K@mm, Email-Worm.Win32.Sober.k

Summary


The Sober.K worm was seeded in e-mails on 21st of February 2005. It is quite similar to the previous variants. Sober.K sends itself as an attachment in e-mail messages with English or German texts.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


The worm is written in Visual Basic. Its file is a UPX-packed PE executable about 52 kilobytes long; unpacked, the file is over 179 kilobytes. The worm appends random garbage to the end of its file every time it installs itself on a computer, so the file hash differs from one installation to the next.

Installation to system

When the worm's file is started, it opens the Write text editor with the following text as a decoy:

When the worm's file is run, it also copies itself under 3 different names to the %WinDir%\msagent\win32\ folder:

csrss.exe
smss.exe
winlogon.exe

These files are identical to the worm's copy except for the byte at offset 0xA0, which differs in every dropped copy. The worm always keeps 2 of its processes in memory.

The Sober.K worm adds startup values for one of these files to the System Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"_winsystem.sys" = "%WinDir%\msagent\win32\smss.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winsystem.sys" = "%WinDir%\msagent\win32\smss.exe"

If these keys are deleted, the worm re-creates them after a few seconds.

The worm also drops a few empty files to the Windows System folder and to its main installation folder. These files are used to deactivate previous variants of the worm:

runnowso.ber
nonrunso.ber
stopruns.zhz

The worm creates a few data files in the main installation folder:

datamx1.dat
datamx2.dat
datamx3.dat
goto1.dat
goto2.dat
goto3.dat
zippedso1.ber
zippedso2.ber
zippedso3.ber

The 'datamx' and 'goto' files store e-mail addresses collected from the infected computer's hard drive. The other 3 files store a ZIPped copy of the worm, which is used for spreading.

The worm also drops a 'read.me' file to the Windows folder. This file contains the following text:

Ist eine weitere Test-Version. Lauft nur ein paar Tage!
In diesem Sinne:
Odin alias Anon

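
As an added illustration, not part of the original description, the following Python function checks a host file inventory and a snapshot of the two Run keys against the installation artefacts listed above. The file list and registry data are constructed sample input; the genuine System32 copies of the same process names must not match.

```python
import ntpath
from typing import Dict, Iterable, List

# Installation artefacts from the description above (Windows names are case-insensitive).
DROP_DIR = r"msagent\win32"                                # under %WinDir%
DROPPED_EXES = {"csrss.exe", "smss.exe", "winlogon.exe"}   # mimic real System32 names
DATA_FILES = {"datamx1.dat", "datamx2.dat", "datamx3.dat", "goto1.dat", "goto2.dat",
              "goto3.dat", "zippedso1.ber", "zippedso2.ber", "zippedso3.ber",
              "runnowso.ber", "nonrunso.ber", "stopruns.zhz"}
RUN_VALUES = {  # (Run key, value name) pairs the worm re-creates every few seconds
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "_winsystem.sys"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "winsystem.sys"),
}

def sober_k_host_indicators(windir: str, files: Iterable[str],
                            run_keys: Dict[str, Dict[str, str]]) -> List[str]:
    """files: full paths found on the host; run_keys: {key path: {value name: data}}.
    Returns one line per matched indicator (empty list = nothing matched)."""
    hits = []
    drop_dir = ntpath.join(windir, DROP_DIR).lower()
    for path in files:
        head, name = ntpath.split(path)
        # The process names are legitimate; the msagent\win32 location is the tell.
        if head.lower() == drop_dir and name.lower() in DROPPED_EXES:
            hits.append("dropped copy: " + path)
        elif name.lower() in DATA_FILES:
            hits.append("data/marker file: " + path)
    for key, values in run_keys.items():
        for name, data in values.items():
            # Known value name, or any autorun entry pointing into the drop folder
            if (key, name) in RUN_VALUES or ("\\" + DROP_DIR + "\\").lower() in data.lower():
                hits.append("autorun: %s\\%s = %s" % (key, name, data))
    return hits

# Constructed sample input, not taken from a real host.
SAMPLE_FILES = [
    r"C:\WINDOWS\msagent\win32\smss.exe",
    r"C:\WINDOWS\msagent\win32\winlogon.exe",
    r"C:\WINDOWS\system32\smss.exe",            # the genuine binary, must not match
    r"C:\WINDOWS\msagent\win32\datamx1.dat",
    r"C:\WINDOWS\stopruns.zhz",
]
SAMPLE_RUN_KEYS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "_winsystem.sys": r"%WinDir%\msagent\win32\smss.exe"},
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},        # benign entry, must not match
}
```

Because the worm re-creates the Run values within seconds, a match on the autorun entry alone should be treated as "worm still running", not as a leftover.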
Spreading in E-mails

The worm sends different types of e-mail messages with English and German texts and its file attached. The attachment is a ZIP archive containing the worm's executable. Here's a screenshot of an infected message sent by the worm:

Before spreading, the worm scans files with certain extensions on all hard disks to harvest e-mail addresses. Files with the following extensions are scanned:

pmr, phtm, stm, slk, inbox, imb, csv, bak, imh, xhtml, imm, imh, cms, nws, vcf, ctl, dhtm, cgi, pp, ppt, msg, jsp, oft, vbs, uin, ldb, abc, pst, cfg, mdw, mbx, mdx, mda, adp, nab, fdb, vap, dsp, ade, sln, dsw, mde, frm, bas, adr, cls, ini, ldif, log, mdb, xml, wsh, tbb, abx, abd, adb, pl, rtf, mmf, doc, ods, nch, xls, nsf, txt, wab, eml, hlp, mht, nfo, php, asp, shtml, dbx

The found e-mail addresses are saved into 6 files that the worm creates in its main installation folder:

datamx1.dat
datamx2.dat
datamx3.dat
goto1.dat
goto2.dat
goto3.dat

While the worm is active in memory, it blocks access to these files, to its MIME-encoded files and to all 3 executable files.

The worm ignores e-mail addresses that contain any of the following substrings:

ntp-, ntp@, ntp., info@, test@, @www, @from., support, smtp-, @smtp., gold-certs, ftp., .dial., .ppp., anyone, subscribe, announce, @gmetref, sql., someone, nothing, you@, user@, reciver@, somebody, secure, whatever@, whoever@, anywhere, yourname, mustermann@, .kundenserver., mailer-daemon, variabel, noreply, -dav, law2, .sul.t-, .qmail@, t-ipconnect, t-dialin, ipt.aol, time, freeav, @ca., abuse, winrar, domain., host., viren, bitdefender, spybot, detection, ewido., emsisoft, linux, google, @foo., winzip, @example., bellcore., @arin, mozilla, iana@, iana-, @iana, @avp, icrosoft., @sophos, @panda, @kaspers, free-av, antivir, virus, verizon., @ikarus., @nai., @messagelab, nlpmail01., clock

The worm composes e-mails with both English and German texts. When the recipient's address is in a domain with the '.de', '.ch' or '.at' suffix, or in a 'gmx.' domain, the worm composes the message in German; otherwise it composes an English message.

The worm composes the following English messages:

Subjects:

Your new Password
Mail_delivery_failed
Paris Hilton, pure!
Alert! New Sober Worm!
You visit illegal websites

Senders:

service
webmaster
register
hostmaster
postmaster
police
Officer
Admin
Web
FBI
Michele@yahoo.com
Melanie@yahoo.com
security@microsoft.com

Body texts:

Thanks for your registration!
We have received your payment.
For more detailed information, read the attached text.

---- or ----

This is an automatically generated Delivery Status Notification.
ESMTP Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.
The full mail-text and header is attached

---- or ----

More than 50 HOT Hilton Videos
More than 3000 Hilton picks
FREE Download until April, 2005
Make your own Download Account, it's free!
Further details are attached
Thanks & have fun ;)

---- or ----

ATTENTION!
Antivirus vendors are warning of a new variant of the Sober
virus discovered today that can delete the hard disk.
Protection:
Download and read the zipped patch. It's very easy to install!
Thanks for your cooperation!
--- (c)2005 Microsoft Corporation. All rights reserved
--- Microsoft Corporation
--- One Microsoft Way
--- Redmond, Washington 98052-6399

---- or ----

Dear Sir/Madam,
we have logged your IP-address on more than 40 illegal Websites.
Important: Please answer our questions!
The list of questions are attached.
Yours faithfully,
M. John Stellford
++-++ Federal Bureau of Investigation -FBI-
++-++ 935 Pennsylvania Avenue, NW, Room 2130
++-++ Washington, DC 20535
++-++ (202) 324-3000

Attachments:

text.zip
register_.zip
header_.zip
register.zip
text_.zip
help-text.zip
patch_.zip
indictment_cit.zip
text-.zip

where <random> is a randomly generated number. The attachment name can also be a combination of the file names given above.

The worm can add a fake anti-virus scanning report to its infected messages:

Attachment: No Virus found   

---- or ----

Mail-Scanner: No Virus detected   

---- or ----

AntiVirus: Found to be clean   

Followed by:

*-*  Anti-Virus Service  *-* http://www.   

where <domain> is the domain name of a recipient.

The worm composes the following German messages:

Subjects:

Ihr Passwort wurde geaendert
Ihr neues Passwort
EMail-Empfang fehlgeschlagen
Paris Hilton Nackt!
Paris Hilton SexVideos
Seitensprung gesucht?
Vorsicht! Neuer Sober Wurm!

Senders:

Service
Webmaster
Register
Hostmaster
Postmaster
Michele@yahoo.com
Melanie@yahoo.com
security@microsoft.com

Body texts:

## Diese E-Mail wurde automatisch generiert
## Aus Gruenden der Sicherheit, bekommen Sie diese E-Mail
## wenn Ihr aktuelles Benutzer- Passwort veraendert wurde
---------------
Ihr neues Passwort und weiter Informationen befinden sich im beigefuegten Dokument.
**** Ein Service von
**** http://www.
**** Mail: Help-Line

---- or ----

Vielen Dank, dass Sie sich bei registriert haben.
Der Betrag von ,- Euro ist erfolgreich auf unserem Konto eingegangen.
Passwort, Benutzername und weitere wichtige Informationen zu ihrem neuen Account
befinden sich im angehefteten Dokument.
Hochachtungsvoll
Silvia Hochberger

---- or ----

- System Mail -
Diese an ihnen gerichtete E-Mail, wurde in einem falschen Format gesendet.
Der Betreff, Header und Text dieser Mail, wurde deshalb separat in einer Text-Datei gespeichert und gezippt.
Vielen Dank fuer Ihr Verstaendnis
[System auto- mail]

---- or ----

Guten Tag,
mehr als 50 Videos,
Mehr als 1000 heisse Fotos
und mehr als 300 original Sounds von der kleinen Hilton ........ .
Alles frei zum Download, aber nur bis zum 01 April 2005 !!!
Weitere Details entnehmen Sie bitte dem vorliegendem Dokument.
Vielen Dank!

---- or ----

Hallo,
wir hoffen das Ihnen die Betreffszeile unsere Mail genug sagt.
Der Jugendschutz verbietet uns leider mehr Auskunft ueber unser Angebot zu geben.
Informationen,,,, wie Sie sich bei uns anmelden koennen befinden sich im beigefuegten Dokument.
Natuerlich ist die Anmeldung Kostenlos!
Mehr als 2.5 Millionen registrierte Benutzer!!!
Da ist fuer jeden was dabei!
Auf Wiedersehen

---- or ----

Wichtige Information!
Eine neue Sober-Variante verbreitet sich derzeit im Internet.
Wie seine Vorgaenger verschickt sich der Wurm von infizierten Windows-Rechnern per E-Mail an weitere Adressen.
Es wird deshalb empfohlen, das Patch-Tool auszufuehren um sich vor diesem Wurm zu schuetzen bzw. diesen wieder zu entfernen.
--- (c)2005 Microsoft Corporation. Alle Rechte vorbehalten
--- Vertretungsberechtigter: Juergen Gallmann
--- E-Mail Adresse: security@microsoft.com

Attachments:

PSW-Text.zip
zipped-text.zip
zipped-mail.zip
Register-Info.zip
Formular.zip
Tool.zip
Patch-.zip

where <random> is a randomly generated number.

The worm can add a fake anti-virus scanning report to its infected messages:

Anhang Scanner: Kein Virus enthalten   

---- or ----

Mail Scanner: Kein Virus gefunden   

---- or ----

AntiVirus System: No Virus found   

Followed by:

*-*  Anti-Virus Service  *-* http://www.   

where <domain> is the domain name of a recipient.

The worm does not use any exploits to start its file automatically on a recipient's system.
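
As an added example, not part of the original description, the following Python function flags a message whose subject, sender, attachment name or fake scanning report matches the English and German templates listed above. The two sample messages are constructed, and the attachment pattern assumes the random number is appended as a run of digits before '.zip'.

```python
import re
from typing import Iterable, List

# Subjects and spoofed senders taken from the English and German templates above.
KNOWN_SUBJECTS = {
    "your new password", "mail_delivery_failed", "paris hilton, pure!",
    "alert! new sober worm!", "you visit illegal websites",
    "ihr passwort wurde geaendert", "ihr neues passwort",
    "email-empfang fehlgeschlagen", "paris hilton nackt!", "paris hilton sexvideos",
    "seitensprung gesucht?", "vorsicht! neuer sober wurm!",
}
SPOOFED_SENDERS = {"security@microsoft.com", "michele@yahoo.com", "melanie@yahoo.com"}
# Attachment stems from both lists; the description says a random number may be
# appended, which is assumed here to be a run of digits before ".zip".
ATTACHMENT_RE = re.compile(
    r"^(text|register|header|help-text|patch|indictment_cit|psw-text|zipped-text|"
    r"zipped-mail|register-info|formular|tool)[_-]?\d*\.zip$", re.IGNORECASE)
# Fake scanner verdicts and the "Anti-Virus Service" footer the worm appends.
FAKE_SCAN_RE = re.compile(
    r"no virus (found|detected)|found to be clean|kein virus (enthalten|gefunden)|"
    r"\*-\*\s*anti-virus service", re.IGNORECASE)

def sober_k_mail_indicators(subject: str, sender: str,
                            attachments: Iterable[str], body: str) -> List[str]:
    """Return the Sober.K template features found in one message (empty = none)."""
    hits = []
    if subject.strip().lower() in KNOWN_SUBJECTS:
        hits.append("subject: " + subject)
    if sender.strip().lower() in SPOOFED_SENDERS:
        hits.append("spoofed sender: " + sender)
    for name in attachments:
        if ATTACHMENT_RE.match(name.strip()):
            hits.append("attachment name: " + name)
    for m in FAKE_SCAN_RE.finditer(body):
        hits.append("fake scan report: " + m.group(0))
    return hits

# Constructed sample messages, not captured traffic.
WORM_MESSAGE = dict(
    subject="Alert! New Sober Worm!", sender="security@microsoft.com",
    attachments=["patch_4711.zip"],
    body="Download and read the zipped patch.\n\n"
         "Mail-Scanner: No Virus detected\n*-*  Anti-Virus Service  *-* http://www.example.org",
)
BENIGN_MESSAGE = dict(
    subject="Minutes from Monday", sender="alice@example.org",
    attachments=["minutes.zip"], body="Attached as discussed.",
)
```

A gateway rule built on these strings catches only this variant's templates; the ZIP attachment carrying an executable remains the more durable indicator.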

Deactivation

The worm does not infect a computer if a file named 'xcvfpokd.tqa' is present on a hard drive.



Detection


Sober.K worm is detected with the following FSAV updates:

Detection Type: PC
Database: 2005-02-21_01



Description Details: Alexey Podrezov; February 21st, 2005
Description Last Modified: Alexey Podrezov; February 23rd, 2005

