FRISK Software International


Summary of W32/Sober.G@mm
Alias: I-Worm.Sober.G, W32/Sober-G, Win32.Sober.G, WORM_SOBER.G
Length: Around 49.670 bytes
Discovered: 13 May 2004
Definition files: 13 May 2004
Risk Level: Medium
Distribution: Medium
Payload: Mass mailing along with ability to download and execute arbitrary file from remote location

Brief Description
W32/Sober.G@mm is a mass-mailing worm with the ability to download files from a remote location and execute them on the infected system.
The worm will copy itself to the %systemdir%, under a name composed of the following words:
sys, host, dir, expolrer, win, run, log, 32, disc, crypt, data, diag, spool, service, smss32
Example: x:\WINNT\system32\runcrypt.exe

In addition the worm will create the following files under the system directory:
bcegfds.lll
zhcarxxi.vvx
cvqaikxt.apk
NoSpam.readme
datsobex.wwr
xdatxzap.zxp

The worm will create two registry keys to ensure that the copy of the worm now residing under the %systemdir% will be executed upon each Windows startup. The key name is created from the same list as the executable mentioned above. The keys are located at:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"generated name"="%SystemDir%\name_of_worm.exe"
[HKEY_USERS\{Current_User_ID}\Software\Microsoft\Windows\CurrentVersion\Run]
"generated name"="%SystemDir%\name_of_worm.exe"

When sending out e-mail, W32/Sober.G@mm uses either an English subject/body combination or a German one. The worm will often insert a fake message claiming that the worm's attachment has been scanned by an AV product.

The attachments have one of the following extensions: .com, .bat, .pif, .scr. The worm can also send itself as a zip archive. The worm will usually send itself with a double extension, the first part being any of the following:
.txt, .doc, .word, .xls, .eml.


Technical Description
W32/Sober.G@mm is a mass-mailing worm, written in Visual Basic. The worm is compressed with UPX and has the ability to slightly modify its binary.
After the default Visual Basic initialization routine, the worm creates the following three files under the %systemdir% (the %systemdir% variable translates to the system directory on the infected system: for Windows 2000 the default is x:\WINNT\system32, for Windows XP the default is x:\Windows\System32, where x: is the letter of the installed hard drive, usually c:):

bcegfds.lll
zhcarxxi.vvx
cvqaikxt.apk

These files have names identical to those used in previous variants of the W32/Sober family. These files disable previous W32/Sober variants if they are present on the infected system.
During this routine the worm checks whether a file with the name 'Odin-Anon.Ger' exists within the %systemdir%. If this file exists, the worm will, depending on whether it is already installed, either abort the installation procedure or halt its execution.

W32/Sober.G@mm will create two additional files under the %systemdir%:
datsobex.wwr - Contains a MIME-encoded copy of the worm
xdatxzap.zxp - Contains a MIME-encoded copy of the worm inside a zip archive

At this point, the worm will display a text box:
Title: [File Not Found]
Text: Special-Unzip Data- Module
is missing
Open with notepad?

This text box has a [Yes] and a [No] button. If [Yes] is pressed, the worm creates a new file named Converted_'original filename'.txt ('original filename' is the name under which the original copy of the worm was executed) which contains garbage data. This file is created in the same directory the original file was executed from.

The worm will copy itself to the %systemdir%, under a name composed of the following words:
sys, host, dir, expolrer, win, run, log, 32, disc, crypt, data, diag, spool, service, smss32
Example: x:\WINNT\system32\runcrypt.exe

The worm will create two registry keys to ensure that the copy of the worm now residing under the %systemdir% will be executed upon each Windows startup. The key name is composed from the same list as the executable above. The keys are located at:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"generated name"="%SystemDir%\name_of_worm.exe"
[HKEY_USERS\{Current_User_ID}\Software\Microsoft\Windows\CurrentVersion\Run]
"generated name"="%SystemDir%\name_of_worm.exe"

The worm will drop a file under %SystemDir% with the name NoSpam.readme. This file contains a message to antivirus firms in German.

W32/Sober.G@mm has a routine that can download and execute a file from a remote address over HTTP. The sites are:

home.pages.at
scifi.pages.at
free.pages.at
people.freenet.de
home.arcor.de

The mass mailing payload of the W32/Sober.G@mm consists of three main components. First the harvesting of e-mail addresses from the infected system is performed, then the worm will attempt to resolve the addresses of several SMTP servers, and finally the worm starts sending out infected e-mails.

W32/Sober.G@mm searches for files with the following extensions:

.pmr .stm .slk .inbox .imb .csv .bak .imh .xhtml .imm
.imh .cms .nws .vcf ctl .dhtm .cgi .pp .ppt .msg .jsp
.oft .vbs .uin .ldb .abc .pst .cfg .mdw .mbx .mdx .mda
.adp .nab .fdb .vap .dsp .ade .sln .dsw .mde .frm .bas
.adr .cls .ini .ldif .log .mdb .xml .wsh .tbb .abx .abd
.adb .pl .rtf .mmf .doc .ods .nch .xls .nsf .txt .wab
.eml .hlp .mht .nfo .php .asp .shtml .dbx

The worm examines each file, looking for likely e-mail addresses contained within it. When harvesting e-mails the worm uses three files located in the %SystemDir% folder; access to these files is blocked while the worm is active in memory:
wincheck32.dats - Contains e-mail addresses harvested from the infected system
winexpoder.dats - Contains usernames found on the infected system, each with an @ sign appended, along with domain names
winzweier.dats - Contains a list of e-mail addresses generated by the worm
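The dropped files, the two Run-key values and the three harvest files described above make a compact host-side indicator set. The following is an added example, not F-Prot code: it checks an inventory of %SystemDir% file names and exported Run-key values against that set, treating any .exe whose name is a concatenation of the worm's word list (as in the page's example runcrypt.exe) as a candidate worm copy. The decomposition rule is a heuristic and a hit should be confirmed with a scanner; the inventory data is constructed, nothing is read from a live registry.

```python
from functools import lru_cache

# Word list the worm builds its executable and Run-value names from (per the description).
NAME_WORDS = ("sys", "host", "dir", "expolrer", "win", "run", "log", "32",
              "disc", "crypt", "data", "diag", "spool", "service", "smss32")
# Files the worm drops in %SystemDir%, including its three address-harvest files.
DROPPED_FILES = {"bcegfds.lll", "zhcarxxi.vvx", "cvqaikxt.apk", "nospam.readme",
                 "datsobex.wwr", "xdatxzap.zxp",
                 "wincheck32.dats", "winexpoder.dats", "winzweier.dats"}
# Run keys the worm writes its autostart value to (per the description).
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_USERS\{Current_User_ID}\Software\Microsoft\Windows\CurrentVersion\Run")

@lru_cache(maxsize=None)
def _splits_into_words(stem: str) -> bool:
    """True if stem is a concatenation of NAME_WORDS, e.g. 'runcrypt' = run + crypt."""
    if stem == "":
        return True
    return any(stem.startswith(w) and _splits_into_words(stem[len(w):])
               for w in NAME_WORDS)

def is_generated_name(path: str) -> bool:
    """Does the file name look like a worm copy, i.e. <NAME_WORDS...>.exe?"""
    name = path.lower().rsplit("\\", 1)[-1]
    return name.endswith(".exe") and _splits_into_words(name[:-4])

def find_artifacts(system_dir_files, run_values):
    """Return (kind, detail) findings from an inventory of %SystemDir% file names
    and exported Run-key values ({run_key_path: {value_name: data}})."""
    findings = []
    for f in system_dir_files:
        if f.lower() in DROPPED_FILES:
            findings.append(("dropped_file", f))
        elif is_generated_name(f):
            findings.append(("worm_copy_candidate", f))
    for key, values in run_values.items():
        if key not in RUN_KEYS:
            continue
        for value_name, data in values.items():
            # Both the value name and the target executable are built from NAME_WORDS.
            if _splits_into_words(value_name.lower()) and is_generated_name(data):
                findings.append(("autorun_entry", f"{key}\\{value_name} = {data}"))
    return findings

if __name__ == "__main__":
    # Constructed sample inventory, not data taken from a real infection.
    print(find_artifacts(["bcegfds.lll", "kernel32.dll", "windiag.exe"],
                         {RUN_KEYS[0]: {"syshost": r"C:\WINNT\system32\windiag.exe"}}))
```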

W32/Sober.G@mm avoids sending e-mails to addresses that contain any of the following strings:
office, @www, @from., support, redaktion, smtp-, @smtp.,
gold-certs, ftp., .dial., .ppp., anyone, subscribe, announce,
@gmetref, sql., someone, nothing, you@, user@, reciver@,
somebody, secure, msdn., me@, whatever@, whoever@, anywhere,
yourname, mustermann@, .kundenserver., mailer-daemon, variabel,
password, -dav, law2, .sul.t-, .qmail@, t-ipconnect, t-dialin,
ipt.aol, time, postmas, service, freeav, @ca., abuse, winrar,
domain., host., viren, bitdefender, spybot, detection, ewido.,
emsisoft, linux, google, @foo., winzip, @example., bellcore.,
@arin, mozilla, @iana, @avp, @msn, icrosoft., @spiegel.,
@sophos, @panda, @kaspers, free-av, antivir, virus, verizon.,
@ikarus., @nai., @messagelab, nlpmail01., clock.

W32/Sober.G@mm will attempt to resolve MX records for the following domains using a list of IP addresses along with the default DNS server used by the infected system:

microsoft.com, bigfoot.com, yahoo.com, t-online.de, google.com, hotmail.com

If any error occurs, either during the connection to those servers or during the communication process, the worm displays a message box with the following details:
Title: [Winsock Error]
Text: STOP: 0X10020AF {Unknown_blocking}
Possible Reason:
Your "Firewall" is blocking one or more System files
Check the Winsock Error Log File" on:
x:\WinsockError.log
The worm creates a file under the name listed in the last line, containing a fake error message similar to the following:

----------------------------------
Occured$: date / time
Error_Description#
System-File: "name_of_worm.exe" was blocked by Firewall

Microsoft Winsock# ID#> 7-digits.v 3-digits (c) by Microsoft

The worm attempts to connect to remote SMTP servers on the same domains as the harvested e-mail addresses. To accomplish this the worm has a built-in SMTP communication routine that takes care of transferring all the necessary data between the infected machine and the remote mail server. This routine enables W32/Sober.G@mm to fake the FROM: field of the e-mails. When faking the FROM: address, the worm can either use an address harvested from the infected system or one chosen from the following list:
Info, FehlerMail, Information, Service, Hilife, Webmaster, Hostmaster, Postmaster, User-Info, account, ErrorMail, ReMailer, automailer, Administrator, user-help, Lisa, Peter, Michael, Thomas, Elke, Susi, Nadine.

The worm can send out e-mails in both English and German; e-mails in German are sent to addresses whose domains end with .de, .ch, .at, .li or .gmx.

E-mails sent out by W32/Sober.G@mm
Subjects:

hi there, hey dude!, wazzup!!!, yeah dude :P, Details, Oh God its, damn!, #, Registration confirmation, Confirmation, Your Password, Your mail account, Delivery failure notice, Faulty mail delivery, Mail delivery failed, Mailing Error, Illegal signs in E-Mail, Invalid mail length, Mail Delivery failure, mail delivery status, Warning!, error in dbase, DBase Error, ups, ive got your mail, Sorry, thats your mail, why do you do that?.

Message body:

yo wazzup :P
well here is ur stuff! good luck!
cya!

hey man! you'll not belive me what i've found on your computer!^^ ... thats funny dude!
well cya soon

nice pic u send me! here is mine!

I was surprised, too! :-(??
Who could suspect something like that? shit

hey dude!#
ive found a shity virus on my pc. yo must check your pc!
follow the steps in this article.
bye

Life's a Bitch
Smiling Like a Killer

Your password was changed successfully.

Protected message is attached.

Anybody use your accounts and (or) passwords!
For further details see the attachment.

i'm very very sorry, anybody have sent your mail to my account address.

i've read this mail ,,, sorry about that

I've got your mail, but its came on my mail address???

excuse for my bad english, but I'm a Dutchman

Subjects in German:

lol, watn los ey?, Information von, Falsche Mailzustellung, Fehler in Ihrer E-Mail, Ihre E-Mail warfehlerhaft, ESMTP Error, Ungltige Variablen in ihrer E-Mail, Verbindung wurde getrennt, Mail_Fehler, Ihr neuer Account, Neue Account Daten, Sie haben nicht gezahlt, Rechnung, Hi, sei vorsichtig!, Achtung! gefahrlicher Virus!, Schon gehort?, Die Tools!, Dein Zeug's!, Hier fur dich^^, Bestellungs Bestatigung, Lieferungs-Bestatigung, Ok, hier ist mein, Ich habe mich in dich verliebt!.

Message body in German:

Man hort und sieht nikkes mehr von Dir!
Haste D.e.i.n.e. Tage oder so?;) Ware mal sehr nett von dir,
wenn Du mal was von dir horen laaaasssssen tutest(tut tut)!
bis spaeeeter mal

Diese Information ist Passwort geschutzt.
Da Sie uns Ihre Personlichen Daten mitgeteilt haben, ist das Passwort Ihr Geburts-Datum!
Viel Spass mit unserem Angebot

Guten Tag!
Das diese E-Mail automatisch generiert wurde, darf aus
Datenschutzrechtlichen Grunden die vollstandige E-Mail nur
angehangt werden.
Ihre neuen Account Daten finden Sie im beigefugten Dokument.
Vielen Dank fur Ihr Verstandnis.
Wir bitten dies zu berucksichtigen.

Guten Tag,
Da Sie vor einiger Zeit ihren -Tarif bei uns gewechselt
haben, mussen wir darauf hinweisen, dass Ihre Zahlung noch nicht
bei uns eingegangen ist.
Leider mussen wir darauf hinweisen, das rechtliche Schritte gegen Sie eingeleitet werden konnen.
Alle Informationen bezuglich diesem Tarifes finden Sie im mitgesendetem Dokument.
Hochachtungsvoll
R. Peters
### Peters Multi- Media GmbH
### www.domain_of_receiver

Hi... ich wollte dir schnell mal mitteilen, dass sich ein
gefahrlicher Virus/Trojaner uber Internet Seiten verbreitet.
Achte auf die Infos im Anhang!!!
Ciao!

Hey alles klar? Hier sind die Tools die du haben wolltest!
Viel Spaß damit ;)
Cu!

Weitere Informationen befinden sich im Anhang dieser Mail

Da Du mir dein Foto geschickt hast, hier nun ein Bild von mir!

Ja, leider kann ich es nicht andern aber es ist so.
Wenn Du genauso fuhlst, dann schau dir bitte den Anhang an.
Wenn nicht, dann losche ungeoffnet diese Mail! Es ware mir sonst zu peinlich .....

W32/Sober.G@mm sends itself as an attachment; the attachment name is one of the following:
stuff, your_docs, private, ohyeah, photo, shock, thatshard, oh_no, article, more_infos, check_this, p_message, yourmail, idiot, painfulness. The worm will at times insert random digits into the attachment name.
When sending e-mails in German, the attachment name is one of the following:
Jokes, Kundeninfo, Benutzer-Daten, -tarif, Antitext, lese-das, Aufpassen, Tools, daten, Foto, Bild, hallo.

The attachments have one of the following extensions: .com, .bat, .pif, .scr. The worm can also send itself as a zip archive. The worm will usually send itself with a double extension, the first part being any of the following:
.txt, .doc, .word, .xls, .eml.

In some cases W32/Sober.G@mm inserts a fake message claiming that the attachment has been scanned by an AV product.
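The attachment traits listed above (fixed base names with optional random digits, a document-style decoy extension in front of .com/.bat/.pif/.scr, or a zip, and German text for certain recipient domains) are enough for a mail-gateway rule. The following is an added example, not F-Prot code, with constructed attachment names; it assumes the gateway already has the decoded attachment file name and the recipient address available.

```python
import re

# Attachment base names from the English and German lists in the description.
BASE_NAMES = {"stuff", "your_docs", "private", "ohyeah", "photo", "shock", "thatshard",
              "oh_no", "article", "more_infos", "check_this", "p_message", "yourmail",
              "idiot", "painfulness", "jokes", "kundeninfo", "benutzer-daten", "-tarif",
              "antitext", "lese-das", "aufpassen", "tools", "daten", "foto", "bild", "hallo"}
DECOY_EXTS = {"txt", "doc", "word", "xls", "eml"}       # first half of the double extension
EXEC_EXTS = {"com", "bat", "pif", "scr"}                # what Windows actually executes
GERMAN_SUFFIXES = (".de", ".ch", ".at", ".li", ".gmx")  # recipients that get German text

def uses_german_text(recipient: str) -> bool:
    """Per the description, German subjects and bodies go to these recipient domains."""
    domain = recipient.lower().rsplit("@", 1)[-1]
    return domain.endswith(GERMAN_SUFFIXES)

def classify_attachment(filename: str) -> dict:
    """Split e.g. 'photo73.txt.pif' into its parts and record the Sober.G traits."""
    parts = filename.lower().split(".")
    stem, exts = parts[0], parts[1:]
    base = re.sub(r"\d+", "", stem)   # the worm may insert random digits into the name
    return {
        "known_base_name": base in BASE_NAMES,
        "double_extension": len(exts) >= 2 and exts[-2] in DECOY_EXTS,
        "executable_ext": bool(exts) and exts[-1] in EXEC_EXTS,
        "zip_archive": bool(exts) and exts[-1] == "zip",
    }

def looks_like_sober_g(filename: str) -> bool:
    """Gateway rule: an executable or zip attachment whose name is a known worm base
    name, or whose executable extension hides behind a document-style decoy one."""
    t = classify_attachment(filename)
    if not (t["executable_ext"] or t["zip_archive"]):
        return False
    return t["known_base_name"] or t["double_extension"]

if __name__ == "__main__":
    # Constructed sample attachment names, not captured worm samples.
    for name in ("photo73.txt.pif", "Kundeninfo.doc.scr", "private.zip", "notes.txt"):
        print(name, looks_like_sober_g(name))
```

The decoy-extension branch will also flag non-Sober mail that ships an executable behind a .txt or .doc extension, which is the intended behaviour for a gateway rule.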


Removal Instructions
For general removal instructions please click here.

Guidelines on Safe Computing
  • Make sure you always have the latest version of F-Prot Antivirus installed on your computer and update the virus signature files regularly.
  • Be extremely careful when opening e-mail from anyone you do not know. Attachments are especially dangerous. Never run an attachment unless you know exactly what it is, even if it appears to have been sent to you by someone you know. Most worms have the ability to falsify the "From" address.
  • Make sure that your operating system is up-to-date. If you are using Windows, use Windows Automatic Updates and download the service packs when they are released. For more information on keeping Windows up-to-date, please visit Microsoft's Windows Update web site.
  • If you are using Internet Explorer / Outlook Express or Office / Outlook, make sure that you always have the latest versions. Old versions may contain security holes that are used by virus writers to access your computer. Please visit Microsoft's Windows Update web site to update Internet Explorer and Outlook Express and Microsoft's Office Update web site to update Office and Outlook.
  • Use a firewall. When you are browsing the Internet, the firewall creates a shield between your computer and possible malicious content on the Internet.
  • Scan all removable media (CD-ROMs, floppy disks, USB keys, external hard drives etc.) before you open or run any content on it.
  • Scan all files that you receive through IRC, MSN, ICQ, Kazaa and other such on-line services.
  • Use software that detects ad-ware and spyware.

Analysis / description: Sindri Bjarnason - F-Prot Antivirus, Alexey Podrezov - F-Secure