W32/Sober.G@mm is a mass-mailing worm, written in Visual Basic. The worm is compressed with UPX and has the ability to slightly
modify its binary.
After the default Visual Basic initialization routine, the worm creates the following three files under the %systemdir% (the %systemdir% variable translates to the system directory on the infected system: for Windows 2000 the default is x:\WINNT\system32, for Windows XP the default is x:\Windows\System32, where x: is the drive letter of the installed hard drive, usually c:):
bcegfds.lll
zhcarxxi.vvx
cvqaikxt.apk
These files have names identical to those used in previous variants of the W32/Sober family. These files disable previous W32/Sober variants if they are present on the infected system.
During this routine the worm checks whether a file with the name 'Odin-Anon.Ger' exists within the %systemdir%. If this file exists, the worm will, depending on whether it is already installed, either abort the installation procedure or halt its execution.
W32/Sober.G@mm will create two additional files under the %systemdir%:
datsobex.wwr - Contains a MIME encoded copy of the worm
xdatxzap.zxp - Contains a MIME encoded copy of the worm in a zip archive
At this point, the worm will display a text box:
Title: [File Not Found]
Text: Special-Unzip Data- Module
is missing
Open with notepad?
This text box has a [Yes] and a [No] button. If the [Yes] button is pressed, the worm creates a new file under the name
Converted_'original filename'.txt ('original filename' is the name of the original copy of the worm) which contains
garbage data. This file is created in the same directory the original file was executed from.
The worm will copy itself to the %systemdir%, under a name composed from the following words:
sys, host, dir, expolrer, win, run, log, 32, disc, crypt, data, diag, spool, service, smss32
Example: x:\WINNT\system32\runcrypt.exe
The worm will create two registry keys, to ensure that the copy of the worm now residing under the %systemdir% will be executed upon
each Windows startup. The key name is composed from the same list as the executable above. The keys are located at:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"generated name"="%SystemDir%\name_of_worm.exe"
[HKEY_USERS\{Current_User_ID}\Software\Microsoft\Windows\CurrentVersion\Run]
"generated name"="%SystemDir%\name_of_worm.exe"
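The dropped files and Run-key entries listed above are the host-side indicators a responder can check for. The following script is an added example written for this page, not code from the original analysis or from any antivirus vendor; it assumes the generated name is two or three words from the list joined together (the page's own example, runcrypt.exe, is two words) and runs on constructed sample input, with a live-collection helper for Windows hosts.

```python
"""Host-side check for the files and Run-key entries described above (added example)."""
import os
import re

# Word list the page gives for the dropped executable and the Run-key value name.
NAME_WORDS = ["sys", "host", "dir", "expolrer", "win", "run", "log", "32",
              "disc", "crypt", "data", "diag", "spool", "service", "smss32"]

# Assumption: the worm joins two or three words from the list (the page's own
# example, runcrypt.exe, is two words). The regex alternation lets the engine
# find any valid segmentation, e.g. "winlog32" -> win + log + 32.
GENERATED_NAME = re.compile(
    r"^(?:" + "|".join(re.escape(w) for w in NAME_WORDS) + r"){2,3}$",
    re.IGNORECASE,
)

# Fixed file names the page lists (lower-cased for comparison).
FIXED_FILES = {
    "bcegfds.lll", "zhcarxxi.vvx", "cvqaikxt.apk",            # Sober-family markers
    "datsobex.wwr", "xdatxzap.zxp",                          # MIME / zipped copies
    "nospam.readme",                                         # note to AV firms
    "wincheck32.dats", "winexpoder.dats", "winzweier.dats",  # harvest stores
    "odin-anon.ger",                                         # install-check file
}


def is_generated_exe(filename):
    """True if filename looks like <words from NAME_WORDS>.exe."""
    stem, ext = os.path.splitext(filename)
    return ext.lower() == ".exe" and GENERATED_NAME.match(stem) is not None


def scan_host(systemdir_files, run_values):
    """Return (category, detail) findings for a %SystemDir% listing and a list of
    (key_path, value_name, value_data) tuples read from the two Run keys."""
    findings = []
    for name in systemdir_files:
        if name.lower() in FIXED_FILES:
            findings.append(("fixed_file", name))
        elif is_generated_exe(name):
            findings.append(("generated_exe", name))
    for key_path, value_name, data in run_values:
        # Normalise "C:\WINNT\system32\runcrypt.exe" or "%SystemDir%\runcrypt.exe"
        target = data.strip('"').replace("\\", "/").rsplit("/", 1)[-1]
        if GENERATED_NAME.match(value_name) and is_generated_exe(target):
            findings.append(("run_key", f"{key_path}\\{value_name} = {data}"))
    return findings


def live_inputs():
    """Collect the real inputs on a Windows host (imports winreg only here)."""
    import winreg  # Windows-only module
    systemdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    run_values = []
    run_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    for hive, hive_name in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"),
                            (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:
            with winreg.OpenKey(hive, run_path) as key:
                index = 0
                while True:
                    try:
                        value_name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    run_values.append((f"{hive_name}\\{run_path}", value_name, str(data)))
                    index += 1
        except OSError:
            pass
    return os.listdir(systemdir), run_values


# Constructed sample inputs, so the check runs offline on any platform.
SAMPLE_FILES = ["kernel32.dll", "winlogon.exe", "runcrypt.exe", "bcegfds.lll"]
SAMPLE_RUN_VALUES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "windata",
     r"%SystemDir%\runcrypt.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\WINDOWS\system32\ctfmon.exe"),
]

if __name__ == "__main__":
    for category, detail in scan_host(SAMPLE_FILES, SAMPLE_RUN_VALUES):
        print(f"{category:14} {detail}")
```

On a Windows host, replace the constructed sample with `scan_host(*live_inputs())`. A name hit on its own is a lead, not a verdict: the word list produces plenty of short names, so confirm any generated_exe or run_key finding by hashing the file and checking it against current vendor signatures.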
The worm will drop a file under %SystemDir%, with the name NoSpam.readme. This file contains a message to antivirus firms in German.
W32/Sober.G@mm has a routine that can download and execute a file from a remote address over HTTP. Those sites
are:
home.pages.at
scifi.pages.at
free.pages.at
people.freenet.de
home.arcor.de.
The mass mailing payload of W32/Sober.G@mm consists of three main components. First, e-mail addresses are harvested from the
infected system; then the worm attempts to resolve the addresses of several SMTP servers; finally the worm starts sending out infected e-mails.
W32/Sober.G@mm searches for files with the following extensions:
.pmr .stm .slk .inbox .imb .csv .bak .imh .xhtml .imm
.imh .cms .nws .vcf ctl .dhtm .cgi .pp .ppt .msg .jsp
.oft .vbs .uin .ldb .abc .pst .cfg .mdw .mbx .mdx .mda
.adp .nab .fdb .vap .dsp .ade .sln .dsw .mde .frm .bas
.adr .cls .ini .ldif .log .mdb .xml .wsh .tbb .abx .abd
.adb .pl .rtf .mmf .doc .ods .nch .xls .nsf .txt .wab
.eml .hlp .mht .nfo .php .asp .shtml .dbx
The worm examines each file, looking for likely e-mail addresses contained within these files. When harvesting e-mails the worm
uses three files located in the %SystemDir% folder; access to these files is blocked while the worm is active in memory:
wincheck32.dats - Contains e-mail addresses harvested from the infected system
winexpoder.dats - Contains the username appended with an @ sign found on the infected system along with domain names
winzweier.dats - Contains list of e-mail addresses generated by the worm
W32/Sober.G@mm avoids sending out e-mails to addresses that contain any of the following strings:
office, @www, @from., support, redaktion, smtp-, @smtp.,
gold-certs, ftp., .dial., .ppp., anyone, subscribe, announce,
@gmetref, sql., someone, nothing, you@, user@, reciver@,
somebody, secure, msdn., me@, whatever@, whoever@, anywhere,
yourname, mustermann@, .kundenserver., mailer-daemon, variabel,
password, -dav, law2, .sul.t-, .qmail@, t-ipconnect, t-dialin,
ipt.aol, time, postmas, service, freeav, @ca., abuse, winrar,
domain., host., viren, bitdefender, spybot, detection, ewido.,
emsisoft, linux, google, @foo., winzip, @example., bellcore.,
@arin, mozilla, @iana, @avp, @msn, icrosoft., @spiegel.,
@sophos, @panda, @kaspers, free-av, antivir, virus, verizon.,
@ikarus., @nai., @messagelab, nlpmail01., clock.
W32/Sober.G@mm will attempt to resolve MX records for the following domains using a list of IP addresses along with the default DNS
server used by the infected system:
microsoft.com, bigfoot.com, yahoo.com, t-online.de, google.com, hotmail.com
If any error occurs, either during the connection to those servers or with the communication process, the worm displays a message box with
the following details:
Title: [Winsock Error]
Text: STOP: 0X10020AF {Unknown_blocking}
Possible Reason:
Your "Firewall" is blocking one or more System files
Check the Winsock Error Log File" on:
x:\WinsockError.log
The worm creates a file under the name listed in the last line, containing a fake error message similar to the following:
----------------------------------
Occured$: date / time
Error_Description#
System-File: "name_of_worm.exe" was blocked by Firewall
Microsoft Winsock# ID#> 7-digits.v 3-digits (c) by Microsoft
The worm attempts to connect to remote SMTP servers on the same domains as the harvested e-mail addresses. To accomplish this the
worm has a built-in SMTP communication routine that takes care of transferring all the necessary data between the infected machine and the
remote mail server. This routine enables W32/Sober.G@mm to fake the FROM: field of the e-mails. When faking the FROM: address, the
worm can either use an address harvested from the infected system or one chosen from the following list:
Info, FehlerMail, Information, Service, Hilife, Webmaster, Hostmaster, Postmaster, User-Info, account, ErrorMail,
ReMailer, automailer, Administrator, user-help, Lisa, Peter, Michael, Thomas, Elke, Susi, Nadine.
The worm can send out e-mails both in English and German; e-mails in German will be sent to addresses whose domains end with
either: .de, .ch, .at, .li or .gmx.
E-mails sent out by W32/Sober.G@mm
Subjects:
hi there, hey dude!, wazzup!!!, yeah dude :P, Details,
Oh God its, damn!, #, Registration confirmation, Confirmation,
Your Password, Your mail account, Delivery failure notice,
Faulty mail delivery, Mail delivery failed, Mailing Error,
Illegal signs in E-Mail, Invalid mail length, Mail Delivery failure,
mail delivery status, Warning!, error in dbase, DBase Error, ups,
ive got your mail, Sorry, thats your mail, why do you do that?.
Message body:
yo wazzup :P
well here is ur stuff! good luck!
cya!
hey man! you'll not belive me what i've found on your computer!^^ ... thats funny dude!
well cya soon
nice pic u send me! here is mine!
I was surprised, too! :-(??
Who could suspect something like that? shit
hey dude!#
ive found a shity virus on my pc. yo must check your pc!
follow the steps in this article.
bye
Life's a Bitch
Smiling Like a Killer
Your password was changed successfully.
Protected message is attached.
Anybody use your accounts and (or) passwords!
For further details see the attachment.
i'm very very sorry, anybody have sent your mail to my account address.
i've read this mail ,,, sorry about that
I've got your mail, but its came on my mail address???
excuse for my bad english, but I'm a Dutchman
Subjects in German:
lol, watn los ey?, Information von, Falsche Mailzustellung, Fehler in Ihrer E-Mail,
Ihre E-Mail warfehlerhaft, ESMTP Error, Ungültige Variablen in ihrer E-Mail,
Verbindung wurde getrennt, Mail_Fehler, Ihr neuer Account, Neue Account Daten,
Sie haben nicht gezahlt, Rechnung, Hi, sei vorsichtig!, Achtung! gefahrlicher Virus!,
Schon gehort?, Die Tools!, Dein Zeug's!, Hier fur dich^^, Bestellungs Bestatigung,
Lieferungs-Bestatigung, Ok, hier ist mein, Ich habe mich in dich verliebt!.
Message body in German:
Man hort und sieht nikkes mehr von Dir!
Haste D.e.i.n.e. Tage oder so?;) Ware mal sehr nett von dir,
wenn Du mal was von dir horen laaaasssssen tutest(tut tut)!
bis spaeeeter mal
Diese Information ist Passwort geschutzt.
Da Sie uns Ihre Personlichen Daten mitgeteilt haben, ist das Passwort Ihr Geburts-Datum!
Viel Spass mit unserem Angebot
Guten Tag!
Das diese E-Mail automatisch generiert wurde, darf aus
Datenschutzrechtlichen Grunden die vollstandige E-Mail nur
angehangt werden.
Ihre neuen Account Daten finden Sie im beigefugten Dokument.
Vielen Dank fur Ihr Verstandnis.
Wir bitten dies zu berucksichtigen.
Guten Tag,
Da Sie vor einiger Zeit ihren -Tarif bei uns gewechselt
haben, mussen wir darauf hinweisen, dass Ihre Zahlung noch nicht
bei uns eingegangen ist.
Leider mussen wir darauf hinweisen, das rechtliche Schritte gegen Sie eingeleitet werden konnen.
Alle Informationen bezuglich diesem Tarifes finden Sie im mitgesendetem Dokument.
Hochachtungsvoll
R. Peters
### Peters Multi- Media GmbH
### www.domain_of_receiver
Hi... ich wollte dir schnell mal mitteilen, dass sich ein
gefahrlicher Virus/Trojaner uber Internet Seiten verbreitet.
Achte auf die Infos im Anhang!!!
Ciao!
Hey alles klar? Hier sind die Tools die du haben wolltest!
Viel Spaß damit ;)
Cu!
Weitere Informationen befinden sich im Anhang dieser Mail
Da Du mir dein Foto geschickt hast, hier nun ein Bild von mir!
Ja, leider kann ich es nicht andern aber es ist so.
Wenn Du genauso fuhlst, dann schau dir bitte den Anhang an.
Wenn nicht, dann losche ungeoffnet diese Mail! Es ware mir sonst zu peinlich .....
W32/Sober.G@mm sends itself as an attachment, the attachment name is one of the following:
stuff, your_docs, private, ohyeah, photo, shock, thatshard, oh_no, article, more_infos, check_this, p_message,
yourmail, idiot, painfulness. The worm will at times insert random digits into the attachment name.
When sending e-mails in German, the attachment name is one of the following:
Jokes, Kundeninfo, Benutzer-Daten, -tarif, Antitext, lese-das, Aufpassen, Tools, daten, Foto, Bild, hallo.
The attachments have one of the following extensions: .com, .bat, .pif, .scr. The worm can also send itself as
a zip archive. The worm will usually send itself with a double extension, the first being any of the following:
.txt, .doc, .word, .xls, .eml.
In some cases W32/Sober.G@mm inserts a fake message claiming that the attachment has been scanned by an AV-product.
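The sender names, subjects and attachment naming scheme described in the mail section above (fake FROM: local parts, the English and German subject lists, known attachment base names with optional inserted digits, a decoy .txt/.doc/.word/.xls/.eml extension in front of .com/.bat/.pif/.scr, or a zip) give a mail gateway something concrete to match on. The script below is an added example written for this page, not code from the original analysis or any vendor product. It transcribes the page's lists as printed (the German strings carry the page's missing umlauts, so a real deployment would normalise diacritics), treats the worm-style executable attachment as sufficient on its own and the sender or subject as corroboration only, and runs on constructed sample messages.

```python
"""Mail-gateway heuristic for the e-mail characteristics described above (added example)."""
import os
import re
from email.utils import parseaddr

# Fake FROM: local parts the page lists (a harvested real address is also possible
# and cannot be caught this way).
FAKE_FROM = {s.lower() for s in [
    "Info", "FehlerMail", "Information", "Service", "Hilife", "Webmaster", "Hostmaster",
    "Postmaster", "User-Info", "account", "ErrorMail", "ReMailer", "automailer",
    "Administrator", "user-help", "Lisa", "Peter", "Michael", "Thomas", "Elke", "Susi", "Nadine"]}

# Subject lines as printed on the page, English then German, lower-cased.
SUBJECTS = {s.lower() for s in [
    "hi there", "hey dude!", "wazzup!!!", "yeah dude :P", "Details", "Oh God its", "damn!", "#",
    "Registration confirmation", "Confirmation", "Your Password", "Your mail account",
    "Delivery failure notice", "Faulty mail delivery", "Mail delivery failed", "Mailing Error",
    "Illegal signs in E-Mail", "Invalid mail length", "Mail Delivery failure",
    "mail delivery status", "Warning!", "error in dbase", "DBase Error", "ups",
    "ive got your mail", "Sorry", "thats your mail", "why do you do that?",
    "lol", "watn los ey?", "Information von", "Falsche Mailzustellung", "Fehler in Ihrer E-Mail",
    "Ihre E-Mail warfehlerhaft", "ESMTP Error", "Ungültige Variablen in ihrer E-Mail",
    "Verbindung wurde getrennt", "Mail_Fehler", "Ihr neuer Account", "Neue Account Daten",
    "Sie haben nicht gezahlt", "Rechnung", "Hi, sei vorsichtig!", "Achtung! gefahrlicher Virus!",
    "Schon gehort?", "Die Tools!", "Dein Zeug's!", "Hier fur dich^^", "Bestellungs Bestatigung",
    "Lieferungs-Bestatigung", "Ok, hier ist mein", "Ich habe mich in dich verliebt!"]}

# Attachment base names (English and German), lower-cased.
ATTACH_NAMES = {s.lower() for s in [
    "stuff", "your_docs", "private", "ohyeah", "photo", "shock", "thatshard", "oh_no", "article",
    "more_infos", "check_this", "p_message", "yourmail", "idiot", "painfulness",
    "Jokes", "Kundeninfo", "Benutzer-Daten", "-tarif", "Antitext", "lese-das", "Aufpassen",
    "Tools", "daten", "Foto", "Bild", "hallo"]}

EXEC_EXT = {".com", ".bat", ".pif", ".scr"}
DECOY_EXT = {".txt", ".doc", ".word", ".xls", ".eml"}


def classify_attachment(filename):
    """Return a reason string if the name fits the worm's attachment scheme, else None."""
    stem, ext = os.path.splitext(filename.lower())
    if ext not in EXEC_EXT and ext != ".zip":
        return None
    inner, decoy = os.path.splitext(stem)
    if decoy in DECOY_EXT:
        stem = inner                       # strip the decoy extension
    else:
        decoy = ""
    base = re.sub(r"\d+", "", stem)        # the worm "at times" inserts random digits
    if base in ATTACH_NAMES:
        return f"known attachment name {base!r} ({decoy + ext})"
    if decoy and ext in EXEC_EXT:
        return f"decoy double extension {decoy + ext}"
    return None


def score_message(sender, subject, attachments):
    """Collect (signal, detail) pairs from the sender, subject and attachment names."""
    signals = []
    local_part = parseaddr(sender)[1].split("@")[0].lower()
    if local_part in FAKE_FROM:
        signals.append(("from", local_part))
    if subject.strip().lower() in SUBJECTS:
        signals.append(("subject", subject))
    for name in attachments:
        reason = classify_attachment(name)
        if reason:
            kind = "zip_attachment" if name.lower().endswith(".zip") else "attachment"
            signals.append((kind, f"{name}: {reason}"))
    return signals


def is_sober_like(signals):
    """Decision rule: a worm-style executable attachment is enough on its own; a zip
    with a known name needs the sender or subject to corroborate it."""
    kinds = {kind for kind, _ in signals}
    if "attachment" in kinds:
        return True
    return "zip_attachment" in kinds and bool({"from", "subject"} & kinds)


if __name__ == "__main__":
    # Constructed sample message in the style the page describes.
    sample = ("Postmaster <postmaster@example.de>", "Mail delivery failed", ["yourmail02.txt.pif"])
    signals = score_message(*sample)
    print(is_sober_like(signals), signals)
```

The decoy-double-extension rule is general and will also catch unrelated executables hiding behind a document extension; the zip rule is deliberately weak because "photo.zip" or "daten.zip" from an ordinary correspondent is common. The fake "scanned by an AV-product" notice the page mentions is another body-level signal, but since the page does not give its wording it is not matched here.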