Sober.S worm started spreading on October 6th, 2005. This Sober variant sends itself as an attachment in email messages with English or German texts. The worm has bugs and quite often sends broken attachments.
In addition, at about noon on October 6th, there appeared a dropper for Sober.S worm. Its description can be found here:
F-Secure provides a simple disinfection utility to eliminate Sober.S worm infection. You can download this utility from our ftp or website:
The unpacked version is available here:
Disinfection instructions can be found here:
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note You need administrative rights to change the settings.
Sober.S is written in Visual Basic. The worm's file is a UPX packed PE executable about 113 kilobytes long. The unpacked worm's file size is around 251 kilobytes. The worm adds random garbage to the end of its file every time it installs itself on a computer.
When the worm's file is started it shows a fake error messagebox as a decoy:
After that it creates a subfolder named 'ConnectionStatus' in Windows folder and copies itself there as "services.exe" file.
Sober.S worm adds startup keys for the copied "services.exe" in System Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] " WinINet" = "%WinDir%\ConnectionStatus\services.exe" [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "_WinINet" = "%WinDir%\ConnectionStatus\services.exe"
In addition the worm creates a file named "netslot.nst" in the same folder, where it stores its mime-encoded copy that will be used for spreading. Quite often the mime-encoded copy of the worm is corrupted.
Also the worm creates a few files in Windows System folder. Due to a bug in the worm's code the names of these files can look like a garbage, for example:
However on some systems the worm manages to create empty files with proper names:
nonrunso.ber langeinf.lin rubezahl.rub bbvmwxxf.hml gdfjgthv.cvq seppelmx.smx
These files are used to deactivate previous Sober variants. This particular Sober variant checks for the file called 'runstop.rst' and if such file is found, the worm deactivates itself.
The worm blocks access to its files and re-creates its startup keys in the Registry if they are deleted.
Sober.S worm sends different types of email messages with English and German texts and its file attached. The attachment is a ZIP archive containing the worm's executable.
To collect email addresses the worm scans files with the following extensions:
pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx
The collected email addresses are stored in "socket.dli" file that is created in the same folder where the main worm's executable file is located. The worm ignores email addresses that contain any of the following substrings:
@www @from. smtp- @smtp. ftp. .dial. .ppp. .dip.t-dia anyone @gmetref sql. someone nothing you@ user@ reciver@ somebody secure whatever@ whoever@ anywhere yourname mustermann@ mailer-daemon variabel noreply -dav law2 .qmail@ freeav @ca. abuse winrar domain. host. viren bitdefender spybot detection ewido. emsisoft linux @foo. winzip @example. bellcore. @arin @iana @avp icrosoft. @sophos @panda @kaspers free-av antivir virus verizon. @ikarus. @nai. @messagelab nlpmail01. clock
When the worm sends an email to an address that contains "gmx." domain or has the domain suffix ".de", ".li", ".ch" or ".at", it composes messages in German, otherwise the worm composes messages in English.
The worm can compose the following English messages:
I've got your mail on my account!
hello, First I must say, my English is very very bad! Sorry about this. Ok, I've got an email in my box, but this email is not for me, because,,, I'm not the recipient! The recipient are YOU !!! This must be an email provider error, but I don't know! I have made a Screenshot about this mail and saved in a zipped jpeg graphic file for you. ok then, bye
--- OR ---
Your new Password
Your password was successfully changed! Please see the attached file for detailed information.
--- OR ---
Thanks for your registration. Your data are saved in the zipped .doc file!
In addition to English messages, the Sober.S worm can compose the following German messages:
Bcc: Ich habe Ihre Mail erhalten!
Danke fur Ihre Mail .... Sie haben aber Ihre Mail wahrscheinlich falsch adressiert,,, namlich an mich. Ich kenne sie aber nicht! Oder Ihr Provider hat die Mail falsch weiter geleitet!? Um mich zu entlasten, schicke ich Ihnen das (...) Foto wieder zuruck. MfG Sender
--- OR ---
hi, ich hoffe jetzt mal das ich endlich die richtige person erwischt habe! ich habe jedenfalls mal unser klassenfoto von damals mit angehangt. wenn du dich dort wiedererkennst, dann schreibe unbedingt zuruck!! wenn ich aber wieder mal die falsche person erwischt habe, dann sorry for die belastigung ;) liebe gruBe Rita
(or any of the following: Sandra, Nicole, Hannelore, Kerstin, Elke).
--- OR ---
Haben Sie diese Mail verschickt?
Um es vorweg zu sagen: Ich bin kurz davor eine Anzeige gegen Sie zu erstatten! Sie spinnen ja wohl! Die Mail hat meine Tochter gelesen !!!!!!!!!!!!!! Ich habe Ihnen "diese" Word-Text Datei zu meiner Entlastung zuruckgeschickt. Es ware von Vorteil, wenn Sie sich dazu au-ern wurden!!
The worm does not use any exploits to start attachments automatically on remote systems. To get infected a user has to extract and run the worm's executable file.
The worm can download and run executable files from user accounts created on the following servers:
people.freenet.de scifi.pages.at home.pages.at free.pages.at home.arcor.de
Sober.S worm terminates applications that have the following substrings in their names:
microsoftanti gcas gcip giantanti inetupd. nod32kui nod32. fxsob avwin. guardgui. stinger hijack sober brfix fixsob s-t-i-n
Then the worm shows a messagebox that looks like that: