Threat Description

Sober.N

Details

Category: Malware
Platform: W32
Aliases: Sober.N, Email-Worm.Win32.VB.aj, W32.Sober.N@mm, W32/Sober.o@MM

Summary


Sober.N email worm was found on 19th of April, 2005. It sends itself as an attachment in e-mail messages with English or German texts.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


The worm is written in Visual Basic. The worm's file is a modified UPX packed PE executable about 73 kilobytes long.

The worm sends different types of e-mail messages with English and German texts and an attachment. The attachment is a ZIP archive containing the worm's executable.

The worm composes messages with subject lines such as "I've_got your EMail on my_account!" and "FwD: Ich bin's nochmal" with attachments such as your_text.zip.

Installation to system

When the worm's file is started it opens text editor with the following text as a decoy:

When the worm's file is run, it copies itself as "services.exe" into the %WinDir%\Config\system\ folder, created by the worm.

Sober.N worm adds startup keys for "services.exe" in System Registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]  "SystemCheck" = "%WinDir%\Config\system\services.exe"  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]  "_SystemCheck" = "%WinDir%\Config\system\services.exe"   

The worm also creates the following files to installation folder:

zipped.wrm  maddys.xyz   

'zipped.wrm' contains base64-encoded worm, used in spreading. 'maddsys.xyz' is used to store email addresses.

The worm also writes the following files to system folder:

nonrunso.ber  langeinf.lin  adcmmmmq.hjg  xcvfpokd.tqa   

These files are used to deactivate previous variants of the worm.

Spreading in E-mails

The worm sends different types of e-mail messages with English and German texts and its file attached. The attachment is a ZIP archive containing the worm's executable.

Before spreading the worm scans files with certain extensions on all hard disks to harvest e-mail addresses. Files with the following extensions are scanned:

pmr  phtm  stm  slk  inbox  imb  csv  bak  imh  xhtml  imm  imh  cms  nws  vcf  ctl  dhtm  cgi  pp  ppt  msg  jsp  oft  vbs  uin  ldb  abc  pst  cfg  mdw  mbx  mdx  mda  adp  nab  fdb  vap  dsp  ade  sln  dsw  mde  frm  bas  adr  cls  ini  ldif  log  mdb  xml  wsh  tbb  abx  abd  adb  pl  rtf  mmf  doc  ods  nch  xls  nsf  txt  wab  eml  hlp  mht  nfo  php  asp  shtml  dbx   

The worm ignores e-mail addresses that contain any of the following substrings:

@www  @from.  smtp-  @smtp.  ftp.  .dial.  .ppp.  anyone  @gmetref  sql.  someone  nothing  you@  user@  reciver@  somebody  secure  whatever@  whoever@  anywhere  yourname  mustermann@  mailer-daemon  variabel  noreply  -dav  law2  .qmail@  freeav  @ca.  abuse  winrar  domain.  host.  viren  bitdefender  spybot  detection  ewido.  emsisoft  linux  @foo.  winzip  @example.  bellcore.  @arin  @iana  @avp  icrosoft.  @sophos  @panda  @kaspers  free-av  antivir  virus  verizon.  @ikarus.  @nai.  @messagelab  nlpmail01.  clock   

The worm composes e-mails with both English and German texts. If the worm sends infected messages to domains with suffixes '.de', '.ch', '.at', '.li' and also to 'gmx.' domain, it composes messages in German, otherwise English messages are composed.

The worm composes the following messages:

Subjects:

I've_got your EMail on my_account!  FwD: Ich bin's nochmal   

Body texts:

Hello,  First, Very Sorry for my bad English.  Someone is sending your private e-mails on my address.  It's probably an e-mail provider error!  At time, I've got over 10 mails on my account, but the recipient are you.  I have copied all the mail text in the windows text-editor for you & zipped then.  Make sure, that this mails don't come in my mail-box again.  bye  Verdammt,,,,  ich hatte vergessen Dir meinen Text mitzuschicken.  Aber bitte nicht woanders darueber Reden, ich wuerde mich dann zu Tode blamieren!  Ich melde mich.  Bis bald ;)   

Attachments:

your_text.zip  Private-Texte.zip   

The actual worm executable name inside the attachement is 'mail.document.Datex-packed.exe'.



Detection


Sober.N worm is detected with the following FSAV updates:

Detection Type: PC
Database: 2005-04-19_01



Description Details: Mikko Hypponen; April 19th, 2005
Technical Details:Jarkko Turkulainen; April 19th, 2005
Description Last Modified: Jarkko Turkulainen; April 20th, 2005


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More