Sober Worms
_____________
The Sober-I Worm
The Sober-I worm (W32.Sober.I@mm) is a Windows worm that
spreads by mailing copies of itself to users; if a user opens
an infected attachment on a system whose anti-virus software
is not up to date, that system becomes infected. Sober.I arrives
as a message from a falsified address, which may be an entry
from an address book this worm has found on an infected system
or a completely fabricated address such as “postmaster@<domain>,”
where <domain> is the domain of the message recipient.
The subject can be in English or German; examples of the many
possible subjects include: “FwD: Your Password,”
“FwD: Ok,hieristmein,” “FwD: Warning!,”
“FwD: Details,” “FwD: Rechnung,” and
“FwD: hey dude!”
The message content (likewise in either English or German)
varies as well; examples include:
- - - - - - - - - -
The full mail is attached.
Auto_Mail.System: [hotmail]
*-*-* Mail_Scanner: No Virus
*-*-* SYMANTEC- Anti_Virus Service
- - - - - - - - - -
This mail was generated automatically.
More info about --GAYNET-- under: http:/ /www.gaynet.ch
- - - - - - - - - -
Diese Information ist geschützt duch ein Passwort!
Da Sie uns Ihre Persönlichen Daten zugesandt haben,
ist das Passwort Ihr Geburts-Datum.
Viel vergnügen mit unserem Angebot!
Im I-Net unter: http:www.[domain]
Aus Datenschutzrechtlichen Gründen, darf die vollständige
E'Mail incl. Daten nur angehängt werden.
Wir bitten Sie, dieses zu berücksichtigen.
GmBH & Co. KG
Da unsere Datenbanken leider durch einen Programm Fehler
zerstört wurden, mussten wir leider eine änderung
bezüglich Ihrer Nutzungs- Daten vornehmen.
Ihre geänderten Account Daten, befinden sich im beigefügten
Dokument.
- - - - - - - - - -
Additionally, the attachment name varies (e.g., “mail,”
“Error_mail,” “oh_nono,” and “auto_mail”).
Examples of extensions include .bat, .com, .pif, .scr, and
.zip, although sometimes the attachment will have two extensions
such as .txt.com, .eml.scr, or .doc.zip. The recipient’s
domain name may precede the first of the two extensions.
If a user opens an infected attachment on a system in which
the anti-virus software is not up to date, the Sober.I worm
displays the following message:
It then creates two files in the %systemroot% folder (which
by default is the system32 folder in newer Windows systems
such as Windows 2000, Windows XP, and Windows Server 2003).
Files are named “diag,” “win,” “service,”
“explorer,” “host,” among many others.
Sober-I also creates many additional files—winsend32.dal,
winroot64.dal, winexerun.dal, sb2run.dii, nonzipsr.noz, clonzips.ssc,
dgssxy.yoi, and so on, in the same directory.
After this worm has finished its creation process, it ensures
that it runs every time the system boots by adding the following
Registry values:
<random value name> = "%System%\[random worm file name].exe"
<random value name> = "%System%\[random worm file name].exe %srun%"
to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
After January 5, 2005, Sober-I may try to download and run
an executable (Trojan.Dimi) from several web sites in the
following domains: free.pages.at, home.arcor.de, home.pages.at,
people.freenet.de and/or scifi.pages.at. This worm next gleans
email addresses from files in the victim system that contain
these addresses. It also determines whether there is a network
connection by trying to connect to an NTP (Network Time Protocol)
server on TCP port 37, or by resolving one of the following
domain names: bigfoot.com, google.com, hotmail.com, microsoft.com,
ns1.interplanet.com.mx, t-online.de, or yahoo.com. Finally,
Sober-I creates an SMTP (Simple Mail Transfer Protocol) engine
to mail a large number of copies of itself to addresses that
it has found in the infected system.
Removing Sober-I from Infected Systems
The best way to prevent an infection by Sober-I or any other
worm or virus is to keep your system’s anti-virus software
updated daily and also to avoid opening any attachment that
you are not expecting, even if it appears to be sent by someone
you know. If your system becomes infected, download and run
a Sober removal tool.
However, Sober-I sometimes corrupts itself when it infects
a system. Corrupted versions of Sober-I often display multiple
command prompts when Windows systems boot. Anti-virus software
may be unable to detect corrupted versions of this worm, and
the Sober removal tool may not be capable of eradicating these
versions. In this case, it is necessary to manually remove
the worm and to clean up all the changes it has made. Instructions
for manual removal and cleanup are here.
The Sober.O Worm
The Sober.O worm (W32.Sober.O@mm) is a Windows worm that
sends itself as a zip-file email attachment to addresses collected
from an infected computer. When a user opens the infected
attachment, the worm searches the computer's files, and emails
itself to addresses from files ending in particular extensions,
such as .abc, .xhtml, and .xml.
- - - - - - - - - -
The message appears in either English or German, and the
worm fabricates a faux sender's address such as FIFA@[random
domain], Postmaster@[random domain], etc.
Examples of subject lines include:
- Ihr Passwort
- Mail-Fehler!
- Ihre E-Mail wurde verweigert
- Re:Your Password
- Re:Registration Confirmation
- Re:Your email was blocked
- Re: [blank]
The message content varies as well. Examples include:
Passwort und Benutzer-Informationen befinden sich in der
beigefuegten Anlage.
http:/ /www.[random domain]
# ok ok ok,,,,, here is it
# Account and Password Information are attached!
Visit: http:/ /www.[random domain]
Diese E-Mail wurde automatisch erzeugt
Mehr Information finden Sie unter http:/ /www.[random domain]
Folgende Fehler sind aufgetreten:
Fehler konnte nicht Explicit ermittelt werden
Aus Datenschutzrechtlichen Gruenden, muss die vollstaendige
E-Mail incl. Daten gezippt & angehaengt werden.
Wir bitten Sie, dieses zu beruecksichtigen.
The bottom of the message might say, "Attachment-Scanner:
Status OK," "AntiVirus: No Virus found," "Server-AntiVirus:
No Virus (Clean)," or "http:/ / www.[random domain]."
- - - - - - - - - -
The attachment (LOL.zip, autoemail-text.zip, mail_info.zip,
account_info.zip, error-mail_info.zip, etc.) is a zip file
that contains a copy of the worm. When the worm is triggered,
it displays the following message:
- - - - - - - - - -
The worm adds the value " WinStart" = "%Windir%\Connection Wizard\Status\services.exe"
to the registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
and the value "_Winstart" = "%Windir%\Connection Wizard\Status\services.exe"
to the registry subkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run,
so that the worm runs every time Windows starts.
The worm then deletes Symantec Liveupdate executable files
from the system's program files folder, and overwrites the
file %ProgramFiles%\Symantec\Liveupdate\luall.exe with a copy
of itself. If the date received from the NTP/Time server is
May 9, 2005, or earlier, the worm mass-mails itself.
For more information about Sober.O, go here.
- - - - - - - - - -
Removing Sober.O from Infected Systems
Go here to use Symantec's Sober.O removal tool. For instructions on
how to manually remove Sober.O infections, go here.
The Sober.P Worm
The Sober.P Worm, also known as Trojan.Ascetic.C, is a Trojan
horse that sends spam email in English or German to email
addresses gathered from the Windows system it has infected.
When the worm is activated, Sober.P searches the infected
computer for files ending with particular extensions such
as .abc, .xml, .shtml, etc.; it then sends spam email to addresses
from these files. Sober.P doesn't mail an attachment, but
it runs every time Windows has been started on the infected
system, and it attempts to weaken the system's security settings.
- - - - - - - - - -
When Sober.P is activated, it adds the value
"Systemboot" = "%Windir%\Help\Help\services.exe"
to the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that the Trojan runs every time Windows has been started.
- - - - - - - - - -
Sober.P then attempts to send spam email to addresses it
gathered from files ending in various extensions (.cgi, .doc,
.ppt, etc.).
Examples of the messages include:
Subject:
Dresden Bombing Is To Be Regretted Enormously
Message:
[URL pointing to a page on the service.spiegel.de domain]
Subject:
Auf Streife durch den Berliner Wedding
Message:
[URL pointing to a page on the www.zdf.de domain]
[URL pointing to a page on the www.libasoli.de domain]
- - - - - - - - - -
After overwriting Symantec Liveupdate executable files from
the program files folder with copies of itself, the Trojan
lowers security settings by adding the value "EnableFirewall"
= "0" to the following registry subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
The Trojan also prevents the installation of Windows XP Service
Pack 2 on the infected computer by adding the value "AUOptions"
= "0" to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
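The registry changes listed for Sober.O, Sober.P and Sober.S (the Run values, the drop folders under %Windir%, the EnableFirewall and AUOptions values) can be checked in one triage pass. The script below is an added example, not part of this archive or of any Symantec tool; the evaluation functions run anywhere on constructed data, while audit_live_system() is assumed to run on Windows because it uses the winreg module.

```python
import ntpath

# Indicators from the Sober.O/.P/.S descriptions: Run-value names, drop folders, borrowed process names.
RUN_VALUE_NAMES = {"systemboot", " winstart", "_winstart"}
DROP_DIRS = ("connection wizard\\status", "help\\help")
BORROWED_NAMES = {"services.exe", "csrss.exe", "smss.exe"}
FIREWALL_KEY = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
AU_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

def check_run_values(hive: str, values: dict[str, str]) -> list[str]:
    """Flag Run-key entries that match the Sober persistence pattern."""
    findings = []
    for name, path in values.items():
        exe = path.strip('"').split(" %")[0]  # drop trailing arguments such as %srun%
        folder, base = (s.lower() for s in ntpath.split(exe))
        if name.lower() in RUN_VALUE_NAMES:
            why = f"value name {name!r} is used by Sober"
        elif any(d in folder for d in DROP_DIRS):
            why = "executable sits in a Sober drop folder"
        elif base in BORROWED_NAMES and not folder.endswith("\\system32"):
            why = f"{base} started from outside System32"
        else:
            continue
        findings.append(f"{hive}\\{RUN_KEY}: {name} = {path} ({why})")
    return findings

def check_security_settings(enable_firewall, au_options) -> list[str]:
    """Sober.P writes 0 to both values; pass None when a value is absent."""
    return (["Windows Firewall disabled (EnableFirewall = 0)"] if enable_firewall == 0 else []) + \
           (["Automatic Updates disabled (AUOptions = 0)"] if au_options == 0 else [])

def audit_live_system() -> list[str]:
    """Read the keys named above with winreg; assumed to run on Windows only."""
    import winreg
    def dword(subkey, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as k:
                return winreg.QueryValueEx(k, name)[0]
        except OSError:
            return None  # key or value not present
    out = []
    for label, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        with winreg.OpenKey(hive, RUN_KEY) as k:
            values = dict(winreg.EnumValue(k, i)[:2] for i in range(winreg.QueryInfoKey(k)[1]))
        out += check_run_values(label, {n: str(v) for n, v in values.items()})
    return out + check_security_settings(dword(FIREWALL_KEY, "EnableFirewall"), dword(AU_KEY, "AUOptions"))
```

Any finding is a cue to follow the manual removal steps (delete the Run value and the dropped file, then restore EnableFirewall and AUOptions) rather than a verdict on its own.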
For more information about Sober.P, go here.
- - - - - - - - - -
Removing Sober.P from Infected Systems
Go here for instructions on how to remove Sober.P from an infected
system.
The Sober.S Worm
The Sober.S worm (also known as W32.Sober.O@mm, Sober.S,
Win32.Sober.N, Sober.P, Email-Worm.Win32.Sober.p, W32/Sober.p@MM,
W32/Sober-N, or WORM_SOBER.S) is yet another mass-mailing
worm that targets Windows systems. If users open an attachment
containing this worm and their systems’ anti-virus software
has not been updated, their systems will be infected.
Sober.S arrives as a message from a spoofed email address
copied from an address book in an infected system or from
a fictional address such as Ticket@<some domain> or
Verlosung@<some domain>, where <some domain> is
a randomly chosen domain name. The text can be in English
or German. English subject lines are:
• Re: [blank]
• Re:mailing error
• Re:Registration Confirmation
• Re:Your email was blocked, and
• Re:Your Password.
English messages are:
• Account and Password Information are attached! Visit:
http:/ /www.[random domain]
• ok ok ok,,,,, here is it, and
• This is an automatically generated E-Mail Delivery
Status Notification. Mail-Header, Mail-Body and Error Description
are attached.
Additionally, English versions have one of the following
appended to the bottom of the message:
• AntiVirus: No Virus found
• Attachment-Scanner: Status OK, http:/ / www.[random
domain], or
• Server-AntiVirus: No Virus (Clean).
In German versions, subjects include:
• Glueckwunsch: Ihr WM Ticket
• Ihr Passwort, or
• Mail-Fehler!
Examples of German messages include:
• Nun sieh dir das mal an
Was ein Ferkel ....
or
• Passwort und Benutzer-Informationen befinden sich
in der beigefuegten Anlage.
http:/ /www.[random domain]
*-* MailTo: PasswordHelp
Sober.S also randomly appends a line (either in English
or in German) that falsely indicates that the message has
passed anti-virus scanning to the bottom of each message.
Each attachment has one of the following names (in English):
• account_info-text.zip
• account_info.zip
• error-mail_info.zip
• mail_info.zip, or
• our_secret.zip
or one of the following German names:
• autoemail-text.zip
• Fifa_Info-Text.zip
• LOL.zip
• okTicket-info.zip, or
• _PassWort-Info.zip
If a user opens an infected attachment on a system in which
the anti-virus software is not up to date, the Sober.S worm
displays the following message:
It then creates numerous files in the system installation
folder:
• Connection Wizard\Status\csrss.exe
• Connection Wizard\Status\packed1.sbr
• Connection Wizard\Status\packed2.sbr
• Connection Wizard\Status\packed3.sbr
• Connection Wizard\Status\services.exe
• Connection Wizard\Status\smss.exe
• Connection Wizard\Status\sacri1.ggg
• Connection Wizard\Status\sacri2.ggg
• Connection Wizard\Status\sacri3.ggg
• Connection Wizard\Status\voner1.von
• Connection Wizard\Status\voner2.von
• Connection Wizard\Status\voner3.von
• Connection Wizard\Status\sysonce.tst
• Connection Wizard\Status\fastso.ber
Sober.S also creates the following files in the system folder:
• adcmmmmq.hjg
• langeinf.lin
• nonrunso.ber
• seppelmx.smx
• xcvfpokd.tqa
Additionally, to ensure that the worm code runs every time
the system boots, this worm adds two Registry values, namely:
" WinStart" = "%Windir%\Connection Wizard\Status\services.exe"
to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and
"_WinStart" = "%Windir%\Connection Wizard\Status\services.exe"
to
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Sober.S deletes certain files: in particular, files used
by anti-virus software. It checks the time by connecting to
a Network Time Protocol (NTP) server on port 37. If the date
is May 9 or before, this worm creates a Simple Mail Transfer
Protocol (SMTP) engine to mail a large number of copies of
itself to addresses that it has found in the infected system.
If the date is May 10 or later, Sober.S attempts to connect
to one of a large number of URLs instead.
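The attachment and sender patterns described for Sober.I, Sober.O and Sober.S (double extensions such as .txt.com or .doc.zip, executables inside a .zip, forged local-parts such as postmaster@ or Ticket@) can be checked at a mail gateway before a message reaches a user. The filter below is an added example, not code from this archive or from any anti-virus vendor; the message it scores is constructed inline and example.com is a placeholder domain.

```python
import email, io, re, zipfile
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr
# Patterns taken from the Sober.I/.O/.S descriptions on this page.
EXEC_EXT = {"bat", "com", "pif", "scr", "exe"}           # executable attachment types
DECOY_EXT = {"txt", "eml", "doc", "htm", "html", "xml"}  # harmless-looking first extension
DOUBLE_EXT = re.compile(r"\.(\w+)\.(\w+)$")
SPOOFED_LOCAL = {"postmaster", "fifa", "ticket", "verlosung"}  # sender local-parts the worm forges

def suspicious_filename(name: str) -> list[str]:
    """Return the reasons an attachment name matches the Sober naming pattern."""
    reasons, m = [], DOUBLE_EXT.search(name)
    if m and m.group(1).lower() in DECOY_EXT and m.group(2).lower() in EXEC_EXT | {"zip"}:
        reasons.append(f"double extension {m.group(0).lower()}")
    if name.rsplit(".", 1)[-1].lower() in EXEC_EXT:
        reasons.append(f"executable attachment .{name.rsplit('.', 1)[-1].lower()}")
    return reasons

def zip_contains_executable(data: bytes) -> bool:
    """Sober.O/.S ship the worm inside a .zip, so look one level inside it."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(suspicious_filename(n) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def score_message(raw: bytes) -> list[str]:
    """Collect every Sober sender/attachment indicator present in one raw message."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    local = parseaddr(str(msg.get("From", "")))[1].split("@")[0].lower()
    if local in SPOOFED_LOCAL:
        findings.append(f"sender local-part '{local}' is one Sober forges")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text or multipart container, no attachment here
        findings += suspicious_filename(name)
        if name.lower().endswith(".zip") and zip_contains_executable(part.get_payload(decode=True)):
            findings.append(f"{name}: zip archive contains an executable")
    return findings

def build_sample() -> bytes:  # constructed Sober.I-style message, not a real capture
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mail.txt.com", b"not a real binary")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "postmaster@example.com", "user@example.com", "FwD: Your Password"
    msg.set_content("The full mail is attached.\n*-*-* Mail_Scanner: No Virus\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="auto_mail.doc.zip")
    return msg.as_bytes()
```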
Removing Sober.S from Infected Systems
The optimal way to prevent an infection by Sober.S or any
other worm or virus is to keep your system’s anti-virus
software updated daily and also to avoid opening attachments
that you are not expecting, even if they appear to be sent
by someone you know. If your system becomes infected, however,
go here to download and run a Sober removal tool.
Note, however, that this clean-up tool may not be able to
clean up every change that this worm has made. In this case,
it is necessary to manually remove the worm and to clean up
all the changes it has made.