Summary of W32/Sober.C@mm

| Alias: | I-Worm.Sober.C, W32/Sober-C, Win32.Sober.C, WORM_SOBER.C |
| Length: | 73 KB - 74 KB |
| Discovered: | 20 Dec 2003 |
| Definition files: | 20 Dec 2003 |
| Risk Level: | Low |
| Distribution: | Low |
| Infection Method: | Infected e-mails, file-sharing programs (P2P) |
Brief Description
W32/Sober.C@mm is a worm that spreads via e-mails carrying infected attachments; it can also spread through the file-sharing networks it targets. W32/Sober.C@mm creates six files in the system directory of the infected system: three are copies of the worm under different names with slight variations in size, two are empty, and one is used to store the e-mail addresses the worm retrieves from the system.
The following registry keys are created by the worm:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"random_value"="[system_directory]\[worms_name.extension]"
It also creates a Run value of the same name under the current user's hive:
[HKEY_USERS\{user_id}\Software\Microsoft\Windows\CurrentVersion\Run]
"random_value(same as the above)"="[system_directory]\[worms_name.extension]"
The worm determines whether certain file-sharing programs are present on the computer; the programs that W32/Sober.C@mm targets are Kazaa, eMule and eDonkey2000. When it detects one of them, it attempts to overwrite the executables present in the shared folders used by those programs with copies of itself.
Infected e-mails sent out by W32/Sober.C@mm can either be in English or in German.
After infecting a system, the worm will display a message similar to that described below:
Title: [Runtime Error] or [Microsoft]
Caption: "[virus_name]" has caused an unknown error.
Caption: Stop: 00000010x08
or:
Title: [Runtime Error] or [Microsoft]
Caption: "[virus_name]" has caused an unknown error.
When W32/Sober.C@mm is running on the infected system, it has two processes running at the same time. When either one is terminated, the other will attempt to re-execute it. This makes removing W32/Sober.C@mm from memory more difficult.
Technical Description
W32/Sober.C@mm is a worm that spreads via e-mails carrying infected attachments; it can also spread through the file-sharing networks it targets. W32/Sober.C@mm most likely originates from Germany. The worm is written in Visual Basic and compressed with the UPX executable packer, with obfuscated section names. The worm's code contains bugs that cause certain routines within its body to fail at times. The worm can append random data to the end of its body; this leads to a slight difference in size but has no effect on the worm's path of execution.
When executed, the worm starts by locating the system directory on the machine. It then creates the following six files under the system directory:
- %system_dir%\Humgly.lkur
This file is empty to begin with. The name is hardcoded within the worm's body.
- %system_dir%\yfjq.yqwm
This file is empty to begin with. The name is hardcoded within the worm's body.
- %system_dir%\[random_name].exe
Copy of the worm, with slight modification.
- %system_dir%\[random_name].exe
Copy of the worm, with slight modification.
- %system_dir%\syshostx.exe
Copy of the worm, with slight modification.
- %system_dir%\savesyss.dll
This file is used by the worm to store all e-mail addresses gathered from the infected system.
The worm determines whether certain file-sharing programs are present on the computer: it first decrypts strings that correspond to the default registry values used by those programs, then checks whether those values are present. The programs that W32/Sober.C@mm targets are Kazaa, eMule and eDonkey2000; when it detects one of them, it attempts to overwrite the executables present in the shared folders used by those programs.
The following registry keys are created by the worm:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"random_value"="[system_directory]\[worms_name.extension]"
It also creates a Run value of the same name under the current user's hive:
[HKEY_USERS\{user_id}\Software\Microsoft\Windows\CurrentVersion\Run]
"random_value(same as the above)"="[system_directory]\[worms_name.extension]"
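Added example (not code from the FRISK advisory): an offline triage check for the persistence described above. It is fed a listing of %system_dir% plus the Run values exported from HKLM and the current user's hive, so it runs anywhere; the file names come from the advisory, while the sample snapshot, the value name `qwxz` and the `SoundMan` entry are constructed.

```python
# Added example (not from the FRISK advisory): offline triage for the Sober.C
# persistence described above, fed a %system_dir% listing plus Run values
# exported from HKLM and the user's hive. Sample data at the bottom is constructed.
from dataclasses import dataclass
import ntpath

# File names the advisory lists as hardcoded under %system_dir%.
HARDCODED_NAMES = {"humgly.lkur", "yfjq.yqwm", "syshostx.exe", "savesyss.dll"}

@dataclass
class Finding:
    kind: str    # "file" or "run_value"
    detail: str

def check_system_dir(system_dir: str, listing: list[str]) -> list[Finding]:
    """Flag the hardcoded file names in a listing of the system directory."""
    return [Finding("file", ntpath.join(system_dir, name))
            for name in listing if name.lower() in HARDCODED_NAMES]

def check_run_values(system_dir: str, hklm_run: dict[str, str],
                     hku_run: dict[str, str]) -> list[Finding]:
    """The [random_name].exe copies cannot be matched by name, so look for the
    persistence pattern instead: a Run value whose data is an .exe directly in
    the system directory and whose (random) name appears in both hives."""
    sysdir = system_dir.lower().rstrip("\\")
    findings = []
    for name, data in hklm_run.items():
        twin = hku_run.get(name)
        if twin is None or twin.lower() != data.lower():
            continue
        path = data.strip('"')
        if ntpath.dirname(path).lower() == sysdir and path.lower().endswith(".exe"):
            findings.append(Finding("run_value", f"{name} -> {path}"))
    return findings

def triage(system_dir, listing, hklm_run, hku_run) -> list[Finding]:
    return check_system_dir(system_dir, listing) + check_run_values(
        system_dir, hklm_run, hku_run)

# Constructed sample snapshot: benign entries mixed with the worm's artefacts.
SYSTEM_DIR = r"C:\WINDOWS\System32"
SAMPLE_LISTING = ["kernel32.dll", "Humgly.lkur", "yfjq.yqwm", "cmd.exe",
                  "syshostx.exe", "savesyss.dll", "qwxz.exe"]
SAMPLE_HKLM_RUN = {"qwxz": r"C:\WINDOWS\System32\qwxz.exe",
                   "SoundMan": r"C:\WINDOWS\SOUNDMAN.EXE"}
SAMPLE_HKU_RUN = {"qwxz": r"C:\WINDOWS\System32\qwxz.exe"}

if __name__ == "__main__":
    for f in triage(SYSTEM_DIR, SAMPLE_LISTING, SAMPLE_HKLM_RUN, SAMPLE_HKU_RUN):
        print(f"{f.kind:9} {f.detail}")
```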
To harvest e-mail addresses, W32/Sober.C@mm searches for files with the following extensions:
htt, rtf, doc, xls, ini, mdb, txt, htm, html, wab, pst, fdb, cfg, ldb, eml, abc, ldif, nab, adp, mdw, mda, mde, ade, sln, dsw, dsp, vap, php, nsf, asp, shtml, shtm, dbx, hlp, mht, nfo. Each of the e-mail addresses retrieved from these files is written to %system_dir%\savesyss.dll.
After W32/Sober.C@mm has infected a system, it displays a message box similar to the following:
Title: [Runtime Error] or [Microsoft]
Caption: "[virus_name]" has caused an unknown error.
Caption: Stop: 00000010x08
or:
Title: [Runtime Error] or [Microsoft]
Caption: "[virus_name]" has caused an unknown error.
When W32/Sober.C@mm is active in memory, it consists of two processes, both containing the worm. These two processes monitor each other and exchange predefined messages through a shared window. When one process is terminated, the other restarts it almost immediately, which makes terminating the worm more difficult.
The e-mails sent out by the W32/Sober.C@mm worm are constructed from predefined keywords and sentences contained within the worm's body. The worm can send out e-mails in both German and English, and can generate different subjects, bodies and attachment names for each e-mail. When deciding whether to send an e-mail in German or English, the worm relies on the top-level domain of the recipient address. Because the worm contains its own routine for communicating with SMTP servers, it can forge the From: address of infected e-mails, using either an e-mail address harvested from the infected system or a predefined name.
The following are examples of typical e-mails sent out by W32/Sober.C@mm:
To: [address]
From: [forged_address]
Subject: [Your IP was logged] or [Preliminary investigation were started]
Body:
Ladies and Gentlemen,
Downloading of Movies, MP3s and Software is illegal and punishable by law.
We hereby inform you that your computer was scanned under the IP [randomly generated IP address, using the following numbers: 80, 81, 65, 66, 67, 62, 172, 193, 194, 195]. The
contents of your computer were confiscated as an evidence, and you will be indicated.
In the next days, you'll get the charge in writing.
In the Reference code: #32962, are all files, that we found on your computer.
The sender address of this mail was masked, to protect us against mail bombs.
- You get more detailed information by the Federal Bureau of Investigation -FBI-
- Department for "Illegal Internet Downloads", Room 7350
- 935 Pennsylvania Avenue
- Washington, DC 20535, USA
- (202) 324-3000
To: [address]
From: [forged_address]
Subject: Anime, Pokemon, Manga, ...
Body:
NEW!
More than 84.000 entries on our page:
All about:
Pokemon, YU-GI-OH, DragonballZ, BeyBlade, Ranma 1/2, and and and
Games, Video's, Pic's, Cards, MP3s, Screen-saver, and and and
and many many more!
And NO DIALERS!
have fun
To: [address]
From: [forged_address]
Subject: Registration confirmation
Body:
Thanks for your registration.
( We say Sorry again, the first mail was delivered to an unknown mail address.
This was a bug in our mailing system! )
The amount of 239.- USD was deducted by your credit card.
Welcome,
you can now visit more than 1200 very very hot web pages!
Your registration, pages and passwords are in the attachment.
enjoy
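Added example (not code from the FRISK advisory): a mail-gateway check that scores an inbound message against the lure content reproduced above, including the first-octet set of the "scanned under the IP" address. Only the standard-library e-mail parser is used; the sample message, its addresses and its IP are constructed.

```python
# Added example (not from the FRISK advisory): a mail-gateway check that scores
# an inbound message against the lure content reproduced above. Only the
# standard-library e-mail parser is used; the sample message is constructed.
import re
from email import message_from_string
from email.message import Message

LURE_SUBJECTS = {"your ip was logged", "preliminary investigation were started",
                 "anime, pokemon, manga, ...", "registration confirmation"}
# First octets of the "scanned under the IP" address the worm generates.
LURE_FIRST_OCTETS = {80, 81, 65, 66, 67, 62, 172, 193, 194, 195}
IP_RE = re.compile(r"scanned under the IP\s*(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}", re.I)

def plain_text(msg: Message) -> str:
    """Concatenate the text/plain parts (a single-part message is its own part)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/plain")

def sober_c_indicators(raw: str) -> list[str]:
    """Return the lure indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in LURE_SUBJECTS:
        hits.append("lure-subject")
    body = plain_text(msg)
    m = IP_RE.search(body)
    if m and int(m.group(1)) in LURE_FIRST_OCTETS:
        hits.append("lure-ip-range")
    if "reference code: #32962" in body.lower():
        hits.append("reference-code")
    if "239.- usd" in body.lower():
        hits.append("fake-charge")
    return hits

# Constructed sample in the shape of the first lure above.
SAMPLE_MAIL = """\
From: admin@example.net
To: user@example.org
Subject: Your IP was logged
Content-Type: text/plain; charset=us-ascii

Ladies and Gentlemen,
Downloading of Movies, MP3s and Software is illegal and punishable by law.
We hereby inform you that your computer was scanned under the IP 193.44.12.7 .
In the Reference code: #32962, are all files, that we found on your computer.
"""

if __name__ == "__main__":
    print(sober_c_indicators(SAMPLE_MAIL))  # ['lure-subject', 'lure-ip-range', 'reference-code']
```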
Analysis / Description: Sindri Bjarnason - Virus researcher, FRISK Software International