FRISK Software International


Summary of W32/Sober.C@mm
Alias: I-Worm.Sober.C, W32/Sober-C, Win32.Sober.C, WORM_SOBER.C
Length: 73 KB - 74 KB
Discovered: 20 Dec 2003
Definition files: 20 Dec 2003
Risk Level: Low
Distribution: Low
Infection Method: Infected e-mails, file-sharing programs (P2P)
 

Brief Description
W32/Sober.C@mm is a worm that spreads via e-mails carrying infected attachments; it can also spread through the file-sharing networks that it targets. On an infected system, W32/Sober.C@mm creates six files in the system directory: three are copies of the worm under different names, with slight variation in size, two are empty, and one is used to store the e-mail addresses that the worm harvests from the system.

The following registry keys are created by the worm:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"random_value"="[system_directory]\[worms_name.extension]"

It also creates a Run value under the registry hive of the current user:

[HKEY_USERS\{user_id}\Software\Microsoft\Windows\CurrentVersion\Run]
"random_value(same as the above)"="[system_directory]\[worms_name.extension]"

The worm checks whether certain file-sharing programs are present on the computer; the programs W32/Sober.C@mm targets are Kazaa, eMule and eDonkey2000. When it finds one, it attempts to overwrite the executables in the shared folders used by those programs with copies of itself.
Infected e-mails sent out by W32/Sober.C@mm can be in either English or German.

After infecting a system, the worm displays a message box similar to the one described below:
Title:       [Runtime Error] or [Microsoft]
Caption: "[virus_name]" has caused an unknown error.
Caption: Stop: 00000010x08

or:

Title:       [Runtime Error] or [Microsoft]
Caption: "[virus_name]" has caused an unknown error.

When W32/Sober.C@mm is running on the infected system, it keeps two processes running at the same time. When either one is terminated, the other re-executes it. This makes removing W32/Sober.C@mm from memory more difficult.


Technical Description
W32/Sober.C@mm is a worm that spreads via e-mails carrying infected attachments; it can also spread through the file-sharing networks that it targets. W32/Sober.C@mm most likely originates from Germany. The worm is written in Visual Basic and compressed with the UPX executable packer, with obfuscated section names. The worm's code contains bugs that cause certain routines within its body to fail at times. The worm can append random data to the end of its body; this produces a slight difference in size but has no effect on the worm's path of execution.

When executed, the worm starts by locating the system directory on the machine. It creates six files under the system directory:
  • %system_dir%\Humgly.lkur
    This file is empty to begin with. The name is hardcoded within the worm's body.
  • %system_dir%\yfjq.yqwm
    This file is empty to begin with. The name is hardcoded within the worm's body.
  • %system_dir%\[random_name].exe
    Copy of the worm, with slight modification.
  • %system_dir%\[random_name].exe
    Copy of the worm, with slight modification.
  • %system_dir%\syshostx.exe
    Copy of the worm, with slight modification.
  • %system_dir%\savesyss.dll
    This file is used by the worm to store all e-mail addresses gathered from the infected system.
The worm determines whether certain file-sharing programs are present on the computer by first decrypting strings that correspond to the default registry values used by those programs, and then checking whether those values exist. The programs W32/Sober.C@mm targets are Kazaa, eMule and eDonkey2000; when it finds one, it attempts to overwrite the executables in the shared folders used by that program.

The following registry keys are created by the worm:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"random_value"="[system_directory]\[worms_name.extension]"

It also creates a Run value under the registry hive of the current user:

[HKEY_USERS\{user_id}\Software\Microsoft\Windows\CurrentVersion\Run]
"random_value(same as the above)"="[system_directory]\[worms_name.extension]"
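The file list and the Run values above are the host-side indicators a responder has to work with. The following Python triage routine is an added example, not FRISK's code or any F-PROT tool: it takes a plain file listing and a Run-key export as (key, value name, data) tuples and reports two things the description records, files in the system directory carrying one of the hardcoded names, and a Run value that is mirrored with the same name and target under both HKEY_LOCAL_MACHINE and HKEY_USERS. The second rule also catches the random-named copies, since it keys on the mirroring rather than on a file name. All sample paths and registry entries are constructed, and the function names are mine.

```python
"""Host triage for the W32/Sober.C@mm indicators described above.

Added example, not FRISK's code. Input is a plain file listing and a
Run-key export given as (key, value_name, data) tuples; the sample data
at the bottom is constructed.
"""
import ntpath
import re
from collections import defaultdict

# File names the description lists as hardcoded in the worm's body.
SOBER_C_FILE_NAMES = frozenset({"humgly.lkur", "yfjq.yqwm", "syshostx.exe", "savesyss.dll"})

# Matches the Run key under any hive (HKEY_LOCAL_MACHINE, HKEY_USERS\<sid>, ...).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)


def hive_of(key: str) -> str:
    """Root hive of a registry key path, e.g. 'HKEY_USERS'."""
    return key.split("\\", 1)[0].upper()


def in_system_dir(path: str, system_dir: str) -> bool:
    """True when path sits directly in system_dir (case-insensitive, as on Windows)."""
    return ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(system_dir.rstrip("\\"))


def find_artifact_files(paths, system_dir):
    """Files in system_dir whose name is one of the worm's hardcoded names."""
    return sorted(
        p for p in paths
        if in_system_dir(p, system_dir) and ntpath.basename(p).lower() in SOBER_C_FILE_NAMES
    )


def find_suspicious_run_values(entries, system_dir):
    """Flag Run values matching the persistence pattern in the description.

    Rules:
      known_artifact  - the value launches one of the hardcoded file names
      hklm_hku_mirror - the same value name points at the same file in
                        system_dir from both HKEY_LOCAL_MACHINE and an
                        HKEY_USERS hive (catches the random-named copies too)
    Returns sorted (rule, value_name, target) tuples; mirror targets are
    reported in normalised (lower-case) form.
    """
    findings = set()
    hives_seen = defaultdict(set)  # (value_name, normalised target) -> hives
    for key, name, data in entries:
        if not RUN_KEY_RE.search(key):
            continue
        target = data.strip('"')
        if ntpath.basename(target).lower() in SOBER_C_FILE_NAMES:
            findings.add(("known_artifact", name, target))
        if in_system_dir(target, system_dir):
            hives_seen[(name.lower(), ntpath.normcase(target))].add(hive_of(key))
    for (name, target), hives in hives_seen.items():
        if {"HKEY_LOCAL_MACHINE", "HKEY_USERS"} <= hives:
            findings.add(("hklm_hku_mirror", name, target))
    return sorted(findings)


SYSTEM_DIR = r"C:\WINDOWS\System32"

# Constructed sample data: a partial file listing and a Run-key export.
SAMPLE_FILES = [
    r"C:\WINDOWS\System32\kernel32.dll",
    r"C:\WINDOWS\System32\Humgly.lkur",
    r"C:\WINDOWS\System32\savesyss.dll",
    r"C:\WINDOWS\System32\drivers\etc\hosts",
    r"C:\Temp\syshostx.exe",  # same name outside the system directory: not reported
]
HKLM_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKU_RUN = r"HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_RUN_ENTRIES = [
    (HKLM_RUN, "SoundMan", r"C:\WINDOWS\SOUNDMAN.EXE"),          # benign, not in system dir
    (HKU_RUN, "ctfmon", r"C:\WINDOWS\System32\ctfmon.exe"),      # benign, one hive only
    (HKLM_RUN, "kqzwrt", r"C:\WINDOWS\System32\syshostx.exe"),   # hardcoded copy, mirrored
    (HKU_RUN, "kqzwrt", r"C:\WINDOWS\System32\syshostx.exe"),
    (HKLM_RUN, "uhdq", r"C:\WINDOWS\System32\wqzx.exe"),         # random-named copy, mirrored
    (HKU_RUN, "uhdq", r"C:\WINDOWS\System32\wqzx.exe"),
]

if __name__ == "__main__":
    for p in find_artifact_files(SAMPLE_FILES, SYSTEM_DIR):
        print("artifact file:", p)
    for rule, name, target in find_suspicious_run_values(SAMPLE_RUN_ENTRIES, SYSTEM_DIR):
        print(f"{rule}: {name} -> {target}")
```

The mirror rule is deliberately independent of file names: a legitimate product rarely registers the identical value name and target under both the machine and the user Run keys, so the pattern alone is worth a look even when the copy carries a random name.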

To harvest e-mail addresses, W32/Sober.C@mm searches for files with the following extensions:
htt, rtf, doc, xls, ini, mdb, txt, htm, html, wab, pst, fdb, cfg, ldb, eml, abc, ldif, nab, adp, mdw, mda, mde, ade, sln, dsw, dsp, vap, php, nsf, asp, shtml, shtm, dbx, hlp, mht, nfo. Each e-mail address retrieved from these files is written to %system_dir%\savesyss.dll.

After W32/Sober.C@mm has infected a system, it displays a message box similar to the following:

Title:       [Runtime Error] or [Microsoft]
Caption: "[virus_name]" has caused an unknown error.
Caption: Stop: 00000010x08

or:

Title:       [Runtime Error] or [Microsoft]
Caption: "[virus_name]" has caused an unknown error.

When W32/Sober.C@mm is active in memory, it consists of two processes, both running the worm. The two processes communicate, monitor each other and exchange pre-defined messages through a shared window. When one process is terminated, the other re-executes it almost immediately, making the task of terminating the worm more difficult.

The e-mails sent out by the W32/Sober.C@mm worm are constructed from predefined keywords and sentences contained within the worm's body. The worm can send e-mails in both German and English, and it can generate a different subject, body and attachment name for each e-mail. It chooses German or English based on the top-level domain of the recipient address. Because the worm has a built-in routine for communicating directly with SMTP servers, it can forge the From: address of infected e-mails, using either an e-mail address harvested from the infected system or a predefined name.
The following are examples of typical e-mails sent out by W32/Sober.C@mm:



To: [address]
From: [forged_address]
Subject: [Your IP was logged] or [Preliminary investigation were started]

Body:
Ladies and Gentlemen,
Downloading of Movies, MP3s and Software is illegal and punishable by law.

We hereby inform you that your computer was scanned under the IP [randomly generated IP address, using the following numbers: 80, 81, 65, 66, 67, 62, 172, 193, 194, 195] . The
contents of your computer were confiscated as an evidence, and you will be indicated.
In the next days, you'll get the charge in writing.
In the Reference code: #32962, are all files, that we found on your computer.

The sender address of this mail was masked, to protect us against mail bombs.


- You get more detailed information by the Federal Bureau of Investigation -FBI-
- Department for "Illegal Internet Downloads", Room 7350
- 935 Pennsylvania Avenue
- Washington, DC 20535, USA
- (202) 324-3000



To: [address]
From: [forged_address]
Subject: Anime, Pokemon, Manga, ...

NEW!
More than 84.000 entries on our page:

All about:
Pokemon, YU-GI-OH, DragonballZ, BeyBlade, Ranma 1/2, and and and
Games, Video's, Pic's, Cards, MP3s, Screen-saver, and and and
and many many more!

And NO DIALERS!

have fun



To: [address]
From: [forged_address]
Subject: Registration confirmation

Thanks for your registration.
( We say Sorry again, the first mail was delivered to an unknown mail address.
This was a bug in our mailing system! )


The amount of 239.- USD was deducted by your credit card.

Welcome,
you can now visit more than 1200 very very hot web pages!
Your registration, pages and passwords are in the attachment.

enjoy
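Because the worm assembles its e-mails from fixed subjects and sentences, the samples above give a mail gateway something concrete to match on. The Python filter below is an added example, not FRISK's code or any F-PROT component: it parses a raw message with the standard library, collects the indicators present (a subject from the list above, the quoted body phrases such as the reference code and the credit-card line, a "scanned under the IP" address built only from the numbers the description lists, and an executable attachment) and treats two or more as a hit. The sample messages are constructed; the function names, the executable-extension list, and the reading that every octet of the lure IP is drawn from the listed numbers are my assumptions.

```python
"""Mail-gateway indicators for W32/Sober.C@mm lure e-mails (added example, not FRISK's code)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Subjects and body sentences quoted from the sample e-mails above.
LURE_SUBJECTS = {
    "your ip was logged",
    "preliminary investigation were started",
    "anime, pokemon, manga, ...",
    "registration confirmation",
}
LURE_PHRASES = {
    "reference_code": "reference code: #32962",
    "fbi_signature": "federal bureau of investigation -fbi-",
    "credit_card": "the amount of 239.- usd was deducted",
    "no_dialers": "and no dialers!",
    "passwords_attached": "passwords are in the attachment",
}
# Numbers the description says the forged "scanned" IP is generated from.
# Assumption: every octet is drawn from this set.
LURE_IP_NUMBERS = {80, 81, 65, 66, 67, 62, 172, 193, 194, 195}
SCANNED_IP_RE = re.compile(
    r"scanned under the IP\s+(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})", re.IGNORECASE
)
# Assumed, not from the description: attachment extensions treated as executable.
EXECUTABLE_EXTS = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")


def text_body(msg: EmailMessage) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    return "\n".join(
        part.get_content()
        for part in msg.walk()
        if part.get_content_type() == "text/plain" and not part.is_attachment()
    )


def sober_c_indicators(raw: bytes) -> list[str]:
    """Return the names of the Sober.C lure indicators found in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["subject"] or "").strip().lower() in LURE_SUBJECTS:
        hits.append("subject")
    body = text_body(msg)
    lowered = body.lower()
    hits.extend(name for name, phrase in LURE_PHRASES.items() if phrase in lowered)
    m = SCANNED_IP_RE.search(body)
    if m and all(int(octet) in LURE_IP_NUMBERS for octet in m.groups()):
        hits.append("lure_ip")
    if any((p.get_filename() or "").lower().endswith(EXECUTABLE_EXTS) for p in msg.iter_attachments()):
        hits.append("executable_attachment")
    return hits


def is_sober_c_lure(raw: bytes) -> bool:
    """Two independent indicators are required before a message is flagged."""
    return len(sober_c_indicators(raw)) >= 2


# Constructed sample: the "Your IP was logged" lure with an executable attachment.
SAMPLE_LURE = b"""From: fbi@example.org
To: victim@example.net
Subject: Your IP was logged
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Ladies and Gentlemen,
Downloading of Movies, MP3s and Software is illegal and punishable by law.

We hereby inform you that your computer was scanned under the IP 80.193.66.172 . The
contents of your computer were confiscated as an evidence.
In the Reference code: #32962, are all files, that we found on your computer.

--b1
Content-Type: application/octet-stream; name="report.exe"
Content-Disposition: attachment; filename="report.exe"
Content-Transfer-Encoding: base64

TVoAAA==
--b1--
"""

# Constructed benign message: mentions a scan and an IP, but nothing from the lure.
SAMPLE_BENIGN = b"""From: alice@example.org
To: bob@example.net
Subject: Meeting notes

Our server at 10.0.0.5 was scanned under the IP 10.0.0.9 by the vulnerability team.
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, is_sober_c_lure(raw), sober_c_indicators(raw))
```

Requiring two indicators keeps a single coincidence, such as a legitimate "Registration confirmation" subject, from being enough on its own; the IP check in particular only fires when the phrase and the number pattern occur together.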





Analysis / Description: Sindri Bjarnason - Virus researcher FRISK Software International
 

