FRISK Software International


Summary of W32/Sober.Z@mm
Discovered: 21 Nov 2005
Definition files: 21 Nov 2005
Risk Level: High
Distribution: High

Brief Description
W32/Sober.Z is a mass-mailing worm. When first run it creates the directory "WinSecurity" in the Windows directory and places three copies of itself there under the names "services.exe", "smss.exe" and "csrss.exe". It then displays a bogus error message, executes the newly created copies of itself and exits.


Technical Description
The worm creates the directory "WinSecurity" in %WINDIR% and there creates three copies of itself under the names "services.exe", "smss.exe" and "csrss.exe". It also drops the files "socket1.ifo", "socket2.ifo", "socket3.ifo", "mssock1.dli", "mssock2.dli", "mssock3.dli", "winmem1.ory", "winmem2.ory" and "winmem3.ory" in the same directory.

The files:

socket1.ifo
socket2.ifo
socket3.ifo

are base-64 encoded copies of the worm.

The worm uses the files:

mssock1.dli
mssock2.dli
mssock3.dli
winmem1.ory
winmem2.ory
winmem3.ory

to store harvested e-mailing information.

When first run the worm displays the following bogus error message:

[screenshot of the error message dialog]

after which it executes the files:

"%WINDIR%\WinSecurity\services.exe"
"%WINDIR%\WinSecurity\smss.exe"
"%WINDIR%\WinSecurity\csrss.exe"

and terminates.


It adds the values:

" Windows"="%WINDIR%\WinSecurity\services.exe"
"_Windows"="%WINDIR%\WinSecurity\services.exe"

to the keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

respectively, so that the worm is executed every time Windows starts.
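As an added example (not FRISK's code or tooling), the following Python script turns the dropped-file and Run-key indicators described above into a host check: `assess` is a pure comparison that can be exercised with constructed inputs on any platform, and `collect_windows` gathers the live state on a Windows host. The directory, file names and registry values come from this description; the function names are my own.

```python
import ntpath
import os
import sys

# Artefacts named in the description above; %WINDIR% is expanded at run time.
DROPPED_FILES = ["services.exe", "smss.exe", "csrss.exe",
                 "socket1.ifo", "socket2.ifo", "socket3.ifo",
                 "mssock1.dli", "mssock2.dli", "mssock3.dli",
                 "winmem1.ory", "winmem2.ory", "winmem3.ory"]
RUN_VALUES = {  # registry key -> name of the value the worm writes under it
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": " Windows",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": "_Windows",
}

def assess(windir, existing_files, run_entries):
    """Pure comparison of observed state (paths on disk, {key: {value: data}})
    against the indicators; case-insensitive like NTFS. Returns a list of findings."""
    wsec = ntpath.normcase(ntpath.join(windir, "WinSecurity"))
    present = {ntpath.normcase(p) for p in existing_files}
    findings = [f"dropped file present: {p}" for p in
                (ntpath.join(wsec, n) for n in DROPPED_FILES) if p in present]
    expected = ntpath.join(wsec, "services.exe")  # both Run values point here
    for key, value_name in RUN_VALUES.items():
        data = run_entries.get(key, {}).get(value_name)
        if data is None:
            continue
        hit = ntpath.normcase(data.strip('"')) == expected
        kind = "persistence value" if hit else "same-named value, other target"
        findings.append(f"{kind} {value_name!r} in {key} -> {data}")
    return findings

def collect_windows():
    """Gather live state on a Windows host (winreg exists only there)."""
    import winreg
    windir = os.environ.get("WINDIR", r"C:\Windows")
    wsec = ntpath.join(windir, "WinSecurity")
    files = [p for p in (ntpath.join(wsec, n) for n in DROPPED_FILES) if os.path.exists(p)]
    entries = {}
    for key, value_name in RUN_VALUES.items():
        hive, subkey = key.split("\\", 1)  # e.g. HKEY_LOCAL_MACHINE, SOFTWARE\...
        try:
            with winreg.OpenKey(getattr(winreg, hive), subkey) as k:
                entries[key] = {value_name: str(winreg.QueryValueEx(k, value_name)[0])}
        except OSError:  # key or value absent: nothing to report
            pass
    return windir, files, entries

if __name__ == "__main__" and sys.platform == "win32":
    print("\n".join(assess(*collect_windows()) or ["no W32/Sober.Z indicators found"]))
```

A legitimate "smss.exe" under system32 does not match, because only paths inside the "WinSecurity" directory are compared.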

It then harvests e-mail addresses on available hard drives from files with the following extensions:

pmr
phtm
stm
slk
inbox
imb
csv
bak
imh
xhtml
imm
imh
cms
nws
vcf
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx

The worm sends itself to the harvested addresses as an e-mail attachment.



Removal Instructions
For general removal instructions please click here.

Marteinn Þór Harðarson