FRISK Software International


Summary of W32/Sober.J@mm
Alias: W32/Sober.I@mm, I-Worm.Sober.I, WORM_SOBER.I
Length: 46,056 bytes
Discovered: 19 Nov 2004
Definition files: 19 Nov 2004
Risk Level: High
Distribution: High
Payload: mass mailing; can download and execute additional files from remote locations
 

Brief Description
W32/Sober.J@mm is a mass-mailing worm that sends e-mails in both English and German, picking the language from the top-level domain of the recipient's address. When executed it drops several data files and two randomly named copies of itself into the Windows system directory, registers those copies under the Run keys of HKEY_LOCAL_MACHINE and of the current user so that they start with Windows, and then searches every logical drive for files from which it harvests e-mail addresses.

It mails itself as an attachment with a .com, .bat, .pif or .scr extension, usually hidden behind a decoy .txt, .doc, .word, .xls or .eml extension, or packed in a zip archive. Its first network activity is a set of DNS lookups for NTP servers and for the MX records of several large mail domains. The dropped file names, registry values, subject lines, body fragments and attachment names are listed in the Technical Description below.


Technical Description
W32/Sober.J@mm is a mass-mailing worm written in Visual Basic and packed with a slightly modified version of UPX.

When executed, the worm creates the following files (here %systemdir% stands for the Windows system directory, e.g. C:\WINDOWS\system32 on Windows XP). Some of them exist to disable earlier W32/Sober variants, the others are data stores the worm uses while running:

%systemdir%\winsend32.dal - Used by the worm to store user names it harvests
%systemdir%\winroot64.dal - Used to store full e-mail addresses harvested
%systemdir%\winexerun.dal - Contains e-mail addresses harvested and generated
%systemdir%\winmprot.dal - Contains e-mail addresses harvested and generated
%systemdir%\zippedsr.piz - Contains mime encoded copy of the worm
%systemdir%\nonzipsr.noz - Contains mime encoded copy of the worm
%systemdir%\clsobern.isc - Identical to the nonzipsr.noz file
%systemdir%\sb2run.dii - Identical to the zippedsr.piz file
%systemdir%\cvqaikxt.apk
%systemdir%\sysmms32.lla
%systemdir%\clonzips.ssc
%systemdir%\dgssxy.yoi
%systemdir%\Odin-Anon.Ger

The worm also creates two copies of itself in the system directory. Each file name is built by randomly concatenating words from the following list, e.g. "%systemdir%\hostdirrun.exe" or "%systemdir%\smss32.exe":
sys, host, dir, expolrer, win, run, log, 32, disc, crypt, data, diag, spool, service, smss32.

W32/Sober.J@mm adds the following values under the Run keys so that both copies are executed at every Windows start-up (the value names are random; %srun% is passed to the second copy as a command-line argument):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[random]="%systemdir%\generated_name"
[random]="%systemdir%\generated_name %srun%"

[HKEY_USERS\{current_user_id}\Software\Microsoft\Windows\CurrentVersion\Run]
[random]="%systemdir%\generated_name"
[random]="%systemdir%\generated_name %srun%"
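As an added example (not part of the FRISK description), the following Python script shows how an incident responder could triage a host for the persistence described above without relying on a signature. It parses a `reg query` dump of a Run key, extracts each image path, and flags values that point at an executable in a system32 directory whose name decomposes entirely into the worm's word list; a second function checks a directory listing against the dropped-file names. The registry dump, the value names qx7Fh2 and Jd91ks, the directory listing and the assumption that the system directory is a folder named system32 are constructed for this example.

```python
import re
from typing import List, Optional

# Tokens the worm concatenates to name its two executable copies (list taken
# from the description above; "expolrer" is spelled as the page gives it).
SOBER_NAME_WORDS = [
    "sys", "host", "dir", "expolrer", "win", "run", "log", "32", "disc",
    "crypt", "data", "diag", "spool", "service", "smss32",
]

# Non-executable files the worm drops in the system directory (from the list above).
SOBER_DROPPED_FILES = {
    "winsend32.dal", "winroot64.dal", "winexerun.dal", "winmprot.dal",
    "zippedsr.piz", "nonzipsr.noz", "clsobern.isc", "sb2run.dii",
    "cvqaikxt.apk", "sysmms32.lla", "clonzips.ssc", "dgssxy.yoi",
    "odin-anon.ger",
}

# One value line of `reg query` output: <name> <type> <data>, separated by
# whitespace (tabs or runs of spaces). The name is matched lazily so that
# names containing single spaces ("Adobe ARM") still parse.
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")
# First .exe path in the value data, with or without surrounding quotes.
EXE_RE = re.compile(r'"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)


def segments(stem: str, words: List[str] = SOBER_NAME_WORDS) -> Optional[List[str]]:
    """Split a file-name stem into worm tokens, or return None if that is impossible.
    Plain backtracking search; the names are only a few tokens long."""
    if stem == "":
        return []
    for word in words:
        if stem.startswith(word):
            rest = segments(stem[len(word):], words)
            if rest is not None:
                return [word] + rest
    return None


def image_path(value_data: str) -> Optional[str]:
    """Extract the executable path from a Run value (drops quotes and arguments)."""
    match = EXE_RE.search(value_data)
    return match.group("path") if match else None


def is_sober_run_value(value_data: str) -> bool:
    """True if the value points at a .exe in a system32 directory whose stem is
    built only from the worm's word list (e.g. hostdirrun.exe, smss32.exe)."""
    path = image_path(value_data)
    if path is None:
        return False
    directory, _, filename = path.rpartition("\\")
    if not directory.lower().endswith("\\system32"):
        return False
    stem = filename.lower()[:-len(".exe")]
    return bool(stem) and segments(stem) is not None


def suspicious_run_values(reg_text: str) -> List[tuple]:
    """Return (value name, data) pairs from a reg query dump that match the worm pattern."""
    hits = []
    for line in reg_text.splitlines():
        match = VALUE_RE.match(line)
        if match and is_sober_run_value(match.group("data")):
            hits.append((match.group("name"), match.group("data").strip()))
    return hits


def dropped_file_hits(system_dir_listing: List[str]) -> List[str]:
    """Names from a system-directory listing that coincide with the worm's data files."""
    return sorted(name for name in system_dir_listing if name.lower() in SOBER_DROPPED_FILES)


# Constructed sample of what `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
# might print on an infected Windows XP host. The random value names and the worm paths
# are made up for this example; the other two entries stand in for benign software.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Adobe ARM    REG_SZ    "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    qx7Fh2    REG_SZ    C:\WINDOWS\system32\hostdirrun.exe
    Jd91ks    REG_SZ    C:\WINDOWS\system32\smss32.exe %srun%
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed directory listing of %systemdir% on the same host.
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "winsend32.dal", "ctfmon.exe", "hostdirrun.exe", "Odin-Anon.Ger"]

if __name__ == "__main__":
    for name, data in suspicious_run_values(SAMPLE_REG_QUERY):
        print(f"Run value {name!r} -> {data}")
    print("dropped files present:", dropped_file_hits(SAMPLE_SYSTEM_DIR))
```

A word-list match is a lead, not proof: a legitimate syslog.exe in system32 would decompose just as well (sys + log), so confirm with the dropped data files and the fake WinZip error box described below before cleaning. On a live host, feed the functions the output of `reg query` for both Run keys and a listing of %systemdir%.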

Shortly after execution, the worm displays a fake error message box:

Title: [WinZip Self-Extractor]
Text: [WinZip_Data_Module is missing ~Error: {random_char_sequence}]

The worm's first network activity consists of DNS queries that resolve the names of several NTP (Network Time Protocol) servers around the world, together with MX lookups for the following domains:

hotmail.com,
online.de,
bigfoot.com,
microsoft.com,
yahoo.com,
google.com.

Once it has resolved the NTP server names, the worm connects to them and retrieves the current date. The NTP servers used are:

ntp.metas.ch, vega.cbk.poznan.pl, ptbtime2.ptb.be,
utcnist.colorado.edu, time-a.timefreq.bldrdoc.gov,
time.xmission.com, time.nrc.ca, clock.psu.edu,
time.nist.gov, ntp-sop.inria.fr, swisstime.ethz.ch,
gnomon.cc.columbia.edu, ntp.maths.tcd.ie,
nist1.datum.com, ntp-1.ece.cmu.edu, time.ien.it,
rolex.peachnet.edu, ntp2.ien.it, timelord.uregina.ca,
ntp0.fau.de.

If any of these steps fails, for example because a name does not resolve or a connection cannot be established, the worm displays the following error message:

[Winsock error]
Stop: 0x10020A2F {Unknown Blocking}

Possible reason:
Your "Firewall" is blocking one or more system files

Check the "Winsock Error Log File" on:
x:\WinsockError.log

W32/Sober.J@mm searches every logical drive on the infected system for files with the following extensions:

.pmr .stm .slk .inbox .imb .csv .bak .imh .xhtml .imm .cms
.nws .vcf .ctl .dhtm .cgi .pp .ppt .msg .jsp .oft .vbs .uin .ldb .abc
.pst .cfg .mdw .mbx .mdx .mda .adp .nab .fdb .vap .dsp .ade
.sln .dsw .mde .frm .bas .adr .cls .ini .ldif .log .mdb .xml .wsh .tbb
.abx .abd .adb .pl .rtf .mmf .doc .ods .nch .xls .nsf .txt .wab .eml
.hlp .mht .nfo .php .asp .shtml .dbx


Every file with one of these extensions is parsed for strings that look like e-mail addresses. Addresses containing any of the following substrings are discarded; the list notably covers time servers, role accounts such as postmaster and abuse, anti-virus vendors and .edu domains:
ntp- ntp@ office @www @from. support redaktion smtp- @smtp. gold-certs ftp. .dial. .ppp. anyone subscribe announce @gmetref sql. someone nothing you@ user@ reciver@ somebody secure msdn. me@ whatever@ whoever@ anywhere yourname mustermann@ .kundenserver. mailer-daemon variabel password noreply -dav law2 .sul .t- .qmail@ t-ipconnect t-dialin ipt.aol time postmas service freeav @ca. abuse winrar domain. host. viren bitdefender spybot detection ewido. emsisoft linux google @foo. winzip @example. bellcore. @arin mozilla @iana @avp @msn icrosoft. @spiegel. @sophos @panda @kaspers free-av antivir virus verizon. @ikarus. @nai. @messagelab nlpmail01. clock sender youremail home.com hotmail. t-online hostmaster webmaster info .edu

Once harvesting is complete, the worm starts its mass-mailing routine. New e-mails are built from hard-coded values for most fields, with some templates customised, for example by inserting the target's domain name into the fake anti-virus notice in the body. The worm connects directly to SMTP servers for the domains of the harvested addresses, using its own built-in SMTP client routine rather than the local mail client; this also lets it forge the FROM: field. The forged sender is either an address harvested from the infected system or one of several predefined names such as Benutzer_Daten, Information, Service, Hilfe, Webmaster, Postmaster or Benutzer-Info.

Typical e-mails sent by W32/Sober.J@mm look as follows. The worm sends either English or German mail, choosing the language from the top-level domain of the target address.

Subjects in English (a subject may carry a RE: or FWD: prefix):
Details
Oh God its
Registration confirmation
Confirmation
Your Password
Your mail password
Delivery_failure_notice
Faulty_mail delivery
Mail delivery_failed
Mail Error
illegal signs in your mail
invalid mail
Mail_Delivery_failure
mail delivery system

Subjects in German (English in parentheses):
Info von (Info from)
Mailzustellung fehlgeschlagen (Mail delivery failed)
Fehler in E-Mail (Error in e-mail)
Ihre E-Mail wurde verweigert (Your e-mail was rejected)
Mailer Error
Ungültige Zeichen in Ihrer E-Mail (Invalid characters in your e-mail)
Mail- Verbindung wurde abgebrochen (Mail connection was aborted)
Mailer-Fehler:Betr.- Ihr Account (Mailer error: Re: your account)
Ihre neuen Account-Daten (Your new account data)
Auftragsbestätigung (Order confirmation)
Lieferungs-Bescheid (Delivery notice)


The body is assembled from the following strings; at times W32/Sober.J@mm appends a fake anti-virus scanner notice declaring the e-mail virus-free.
++++++ User-Service: http://www.[target address domain name]
++++++ MailTo: postmaster
new_account, info, hostmaster, SMTP:, error_, More info about ---- under: http://www.[target address domain name], End, The, corrected, full, original, mail is attached., Auto_Mail.System: [], auto__mail., mail, Error_Mail, webmaster, e-mail_system, Auto-Mailer, Attachment: No Virus found, MAILBOX NOT FOUND, Mail_Scanner: No Virus, Anti_Virus: No Virus was found, Remote_host_said:, _Requested_action_not_taken, mailbox_unavailable, This_account_has_been_disabled, discontinued, _does_not_like_recipient, sender., _failed_after_I_sent_the_message.

Some of the common templates are:

I was surprised, too!
Who could suspect something like that? shity

Your password was changed successfully!
Protected message is attached!


Common strings used in German bodies (English in parentheses):
Da Sie uns Ihre Persönlichen Daten zugesandt haben, ist das Passwort Ihr Geburts- Datum. (Since you sent us your personal data, the password is your date of birth.)
Im I-Net unter: http://www.[target address domain name] (On the Internet at: ...)
------ www.[target address domain name] -------
Mehr Information erhalten Sie unter http://www.[target address domain name] (More information is available at ...)
Folgende Fehler wurden aufgezeichnet: (The following errors were recorded:)
Aus Datenschutzrechtlichen Gründen, darf die vollständige E-Mail incl.
Daten nur angehängt werden. (For data-protection reasons the complete e-mail, including data, may only be sent as an attachment.)
GmbH & Co. KG (a German company-form suffix)
Wir bitten Sie, dieses zu ber (We ask you to ...; the string is cut off at this point)
Automatic-Mail.Config#:
Vielen Dank für Ihr Verständnis. (Thank you for your understanding.)
da unsere Datenbanken leider durch einen Programm Fehler zerstört wurden, mussten wir leider eine Änderung bezüglich Ihrer Nutzungs- Daten vornehmen. (since our databases were unfortunately destroyed by a program error, we had to change your usage data.)
Ihre geänderten Account Daten, befinden Sie im beigefügten Dokument. (Your changed account data can be found in the attached document.)
Weitere Informationen befinden sich im Anhang dieser Mail (Further information is in the attachment of this mail)

Attachments sent by W32/Sober.J@mm are named from the following list:
im_shocked, thats_hard, oh_nono, corrected, original, re_mail, auto__mail, mail, re-mail_system, Error_Mail.
The attachment carries one of the extensions .com, .bat, .pif or .scr; the worm can also send itself as a zip archive. Usually the name has a double extension, the first of which is one of .txt, .doc, .word, .xls or .eml (e.g. original.doc.pif), so that a mail client which hides the real extension shows an apparently harmless document.
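As an added example (not the page's or FRISK's code), the following Python mail-gateway check turns the subject, body and attachment patterns above into a scoring rule: an attachment whose base name is on the list and which ends in .com, .bat, .pif or .scr (optionally behind a decoy extension) or in .zip is enough to block the message, while a template subject or a fake "No Virus" line alone only marks it for review. The two messages it scans are constructed here with the standard library's email package; the sender and recipient addresses and the `build_sample` helper are assumptions made for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Attachment base names, decoy extensions and executable extensions from the description above.
ATTACHMENT_NAMES = {
    "im_shocked", "thats_hard", "oh_nono", "corrected", "original",
    "re_mail", "auto__mail", "mail", "re-mail_system", "error_mail",
}
DECOY_EXTS = {".txt", ".doc", ".word", ".xls", ".eml"}
EXEC_EXTS = {".com", ".bat", ".pif", ".scr"}

# English and German subject templates from the description, lower-cased for lookup.
SUBJECTS = {s.lower() for s in [
    "Details", "Oh God its", "Registration confirmation", "Confirmation",
    "Your Password", "Your mail password", "Delivery_failure_notice",
    "Faulty_mail delivery", "Mail delivery_failed", "Mail Error",
    "illegal signs in your mail", "invalid mail", "Mail_Delivery_failure",
    "mail delivery system", "Info von", "Mailzustellung fehlgeschlagen",
    "Fehler in E-Mail", "Ihre E-Mail wurde verweigert", "Mailer Error",
    "Ungültige Zeichen in Ihrer E-Mail", "Mail- Verbindung wurde abgebrochen",
    "Mailer-Fehler:Betr.- Ihr Account", "Ihre neuen Account-Daten",
    "Auftragsbestätigung", "Lieferungs-Bescheid",
]}
# The fake scanner verdicts the worm appends ("No Virus found", "No Virus was found").
FAKE_AV_RE = re.compile(r"no[ _]virus", re.IGNORECASE)
# RE:/FWD: prefixes the worm prepends to subjects.
PREFIX_RE = re.compile(r"^\s*(?:re|fwd?)\s*:\s*", re.IGNORECASE)


def classify_attachment(filename: str) -> Optional[str]:
    """Return why the attachment name matches the worm's scheme, or None."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[0] not in ATTACHMENT_NAMES:
        return None
    exts = ["." + p for p in parts[1:]]
    if exts[-1] in EXEC_EXTS:
        if len(exts) == 2 and exts[0] in DECOY_EXTS:
            return "executable behind decoy extension"
        return "executable"
    if exts[-1] == ".zip":
        return "zip archive"
    return None


def scan_message(raw: bytes) -> Dict[str, object]:
    """Score one RFC 822 message. A matching attachment alone is enough to block;
    a template subject or fake AV line without it only flags the mail for review."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []
    subject = msg["Subject"] or ""
    if PREFIX_RE.sub("", subject).strip().lower() in SUBJECTS:
        reasons.append(f"subject matches worm template: {subject!r}")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and FAKE_AV_RE.search(body.get_content()):
        reasons.append("fake anti-virus verdict in body")
    attachment_hit = False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        kind = classify_attachment(name)
        if kind:
            attachment_hit = True
            reasons.append(f"attachment {name!r}: {kind}")
    verdict = "block" if attachment_hit else ("review" if reasons else "pass")
    return {"verdict": verdict, "reasons": reasons}


def build_sample(subject: str, body: str, attachment_name: str) -> bytes:
    """Constructed test mail (not a real capture) with one binary attachment.
    The addresses are placeholders for the example."""
    msg = EmailMessage()
    msg["From"] = "Postmaster@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 28, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Two constructed inputs: one shaped like the worm's mail, one ordinary business mail.
WORM_LIKE = build_sample("RE: Mail delivery_failed",
                         "Mail_Scanner: No Virus\nThe original mail is attached.",
                         "original.doc.pif")
BENIGN = build_sample("Quarterly report", "Numbers attached, see sheet 2.", "report.xls")

if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(label, scan_message(raw))
```

The attachment rule is the part worth deploying as a hard block; the subject and body checks are deliberately review-only, since several of the templates ("Details", "Confirmation", "Your Password") also occur in legitimate mail.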


Sindri Bjarnason - virus researcher FRISK Software Int.
 

