W32/Sober.a@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 10/24/2003
Length: 63,488 bytes (may be larger)
Minimum DAT: 4300 (10/29/2003)
Updated DAT: 4633 (11/21/2005)
Minimum Engine: 5.1.00
Description Added: 10/24/2003
Description Modified: 12/18/2003 3:01 AM (PT)
Risk Assessment: Corporate User: Low-Profiled; Home User: Low-Profiled

Characteristics

-- Update 27th October 2003 --
This threat is considered to be a Low-Profiled risk due to media attention at:
http://www.vnunet.com/News/1145981

This detection is for a mass-mailing worm written in Visual Basic. The files received by AVERT have been packed with UPX.  It arrives as an email attachment, which may have one of the following filenames:

  • Anti-Sob.bat
  • anti-Sob.bat
  • AntiTrojan.exe
  • anti-trojan.exe
  • AntiVirusDoc.pif
  • Bild.scr
  • Check-Patch.bat
  • check-patch.bat
  • CM-Recover.com
  • CM-recover.com
  • Funny.scr
  • funny.scr
  • Hengst.pif
  • Liebe.com
  • little-scr.scr
  • love.com
  • Mausi.scr
  • nacked.com
  • NackiDei.com
  • NAV.pif
  • Odin_Worm.exe
  • perversion.scr
  • Perversionen.scr
  • pic.scr
  • playme.exe
  • potency.pif
  • Privat.exe
  • private.exe
  • Removal-Tool.exe
  • removal-tool.exe
  • robot_mail.scr
  • robot_mailer.pif
  • RobotMailer.com
  • schnitzel.exe
  • screen_doc.scr
  • Screen_Doku.scr
  • security.pif

NOTE: The virus has been known to send the contents of the harvested address file (MEDIA.DLL) as an attachment, with one of the aforementioned attachment names, rather than the worm itself.  Such files would not be detected and are not viral.
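The attachment-name list and the note above suggest a mail-gateway triage step: match the attachment name case-insensitively against the list, then look at the content, because the same name may carry either the worm (a DOS/PE executable of at least 63,488 bytes) or the harvested address list (plain text, not viral, but a sign that the sending host is running the worm). The following is an added example written for this page, not AVERT's or McAfee's code; the names and the length come from the page, and the sample messages are constructed.

```python
"""Added example (not McAfee's code): triage mail attachments against the
W32/Sober.a@MM attachment names given on this page, and tell a copy of the
worm apart from the harvested address list (MEDIA.DLL contents) that the
page notes is sometimes sent under the same names. Sample messages are
constructed; the filename list and the 63,488-byte length come from the page."""
import re

# Attachment names from the page; matching is case-insensitive, so the
# upper/lower-case pairs listed there collapse to one entry each.
SOBER_ATTACHMENT_NAMES = frozenset(name.lower() for name in (
    "Anti-Sob.bat", "AntiTrojan.exe", "anti-trojan.exe", "AntiVirusDoc.pif",
    "Bild.scr", "Check-Patch.bat", "CM-Recover.com", "Funny.scr", "Hengst.pif",
    "Liebe.com", "little-scr.scr", "love.com", "Mausi.scr", "nacked.com",
    "NackiDei.com", "NAV.pif", "Odin_Worm.exe", "perversion.scr",
    "Perversionen.scr", "pic.scr", "playme.exe", "potency.pif", "Privat.exe",
    "private.exe", "Removal-Tool.exe", "robot_mail.scr", "robot_mailer.pif",
    "RobotMailer.com", "schnitzel.exe", "screen_doc.scr", "Screen_Doku.scr",
    "security.pif",
))

# Length from the page; garbage may be appended, so this is only a lower bound.
WORM_MIN_LENGTH = 63_488

# Loose e-mail address pattern, enough to recognise a harvested address list.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def classify_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment. Verdicts:
       no-match        name is not on the Sober list
       worm-candidate  Sober name and a DOS/PE executable (MZ header)
       address-list    Sober name but plain text full of e-mail addresses,
                       i.e. the harvested MEDIA.DLL; not viral, but it shows
                       the sending host is running the worm
       name-only       Sober name, content is neither of the above
    """
    result = {"filename": filename, "verdict": "no-match",
              "length_consistent": len(data) >= WORM_MIN_LENGTH}
    if filename.lower() not in SOBER_ATTACHMENT_NAMES:
        return result
    if data[:2] == b"MZ":
        result["verdict"] = "worm-candidate"
    elif len(EMAIL_RE.findall(data)) >= 2 and b"\x00" not in data:
        result["verdict"] = "address-list"
    else:
        result["verdict"] = "name-only"
    return result


def triage(messages):
    """messages: iterable of (sender, filename, bytes). Returns a finding for
    every attachment whose name is on the list, in message order."""
    findings = []
    for sender, filename, data in messages:
        finding = classify_attachment(filename, data)
        if finding["verdict"] != "no-match":
            finding["sender"] = sender
            findings.append(finding)
    return findings


# Constructed sample traffic (not real captures).
SAMPLE_MESSAGES = [
    # Sober-style lure: executable with a listed name, padded past 63,488 bytes
    ("alice@example.net", "AntiTrojan.exe", b"MZ" + b"\x90" * 70_000),
    # Listed name, but the content is the harvested address list
    ("bob@example.net", "removal-tool.exe",
     b"carol@example.org\r\ndave@example.com\r\nerin@example.net\r\n"),
    # Listed name and executable header, but far below the documented length
    ("mallory@example.net", "Bild.scr", b"MZ" + b"\x00" * 512),
    # Unrelated attachment
    ("frank@example.net", "quarterly-report.pdf", b"%PDF-1.4 ..."),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGES):
        print(finding)
```

The `length_consistent` flag is reported rather than used as a filter: because the page says garbage may be appended, the length only gives a lower bound, and an undersized executable with a listed name still deserves a look.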

Multiple subject lines are used in outgoing messages, in English and German. The worm may construct the message in an attempt to fool the recipient that it is an update from an anti-virus company.

The worm bears the following characteristics:

  • It contains its own SMTP engine
  • Target email addresses are harvested from files on the local machine
  • Messages may be formatted with multiple subject lines, attachment lines and message bodies
  • The worm may have garbage appended to the end of the file, so the filesize may be larger than 63,488 bytes

The worm constructs messages using its own SMTP engine. Target email addresses are harvested from the victim machine - found email addresses are written to the following file:

%SysDir%\MACROMED\HELP\MEDIA.DLL

(Where %SysDir% is the Windows System directory. The MACROMED\HELP directories are created by the worm)

The worm installs itself into %SysDir% on the victim machine:

  • %SysDir%\SIMILARE.EXE

Additionally, two other copies of the worm are dropped with varying filenames, for example:

  • %SysDir%\WINREG.EXE
  • %SysDir%\FILEXE.EXE
  • %SysDir%\ANTIV.EXE
  • %SysDir%\SYSTEMINI.EXE
  • %SysDir%\DRIVERINI.EXE
  • %SysDir%\SYSTEMCHK.EXE

These two latter files are responsible for monitoring and maintaining that the worm stays resident in memory. Upon termination of one worm process, another copy will restart the terminated process very quickly.

Keys are added in the Registry to hook system startup, for example:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "(string)" = %SysDir%\FILEXE.EXE

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run "(string)" = %SysDir%\FILEXE.EXE

Where (string) varies between infections.

Upon execution, the worm displays a fake error message:

Title Bar: Error
Message: File not complete!

Symptoms

  • Presence of the files/Registry keys detailed above
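The symptoms section amounts to a host check: look under %SysDir% for the fixed files and the example dropped names, and look at the two Run keys for a value whose data points at one of those files (the value name itself varies, so only the data is a useful indicator). Below is an added example written for this page, not McAfee's or AVERT's code; the decision logic is a pure function so it can be run on data collected elsewhere, the live collector uses the standard winreg module and only runs on Windows, and the sample system listing and Run values are constructed.

```python
"""Added example (not McAfee's code): check a Windows system directory and
the two Run keys named on this page for the W32/Sober.a@MM files and
startup entries. ntpath is used so Windows paths are handled the same way
on any analysis host. File names come from the page; sample inputs are
constructed."""
import ntpath
import os
import sys

# Files the page says the worm creates under %SysDir%
SOBER_FIXED_FILES = ("SIMILARE.EXE", r"MACROMED\HELP\MEDIA.DLL")
# Example names of the two watchdog copies; the page says these vary
SOBER_DROPPED_NAMES = frozenset({"WINREG.EXE", "FILEXE.EXE", "ANTIV.EXE",
                                 "SYSTEMINI.EXE", "DRIVERINI.EXE", "SYSTEMCHK.EXE"})
RUN_KEYS = (
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
)


def sober_indicators(sysdir, existing_files, run_values):
    """existing_files: iterable of absolute Windows paths that exist.
    run_values: iterable of (hive, value_name, value_data) from the Run keys.
    Returns a list of (kind, detail) tuples, kind being 'file' or 'run'."""
    sysdir_n = ntpath.normpath(sysdir).lower()
    present = {ntpath.normpath(p).lower() for p in existing_files}
    watched = SOBER_DROPPED_NAMES | {"SIMILARE.EXE"}
    hits = []
    for rel in SOBER_FIXED_FILES + tuple(sorted(SOBER_DROPPED_NAMES)):
        if ntpath.join(sysdir_n, rel.lower()) in present:
            hits.append(("file", ntpath.join(sysdir, rel)))
    for hive, name, data in run_values:
        # Value names vary between infections; only the target path matters.
        target = ntpath.normpath(data.strip().strip('"')).lower()
        if (ntpath.dirname(target) == sysdir_n
                and ntpath.basename(target).upper() in watched):
            hits.append(("run", f"{hive}\\...\\Run\\{name} = {data}"))
    return hits


def collect_live():
    """Windows only: list the relevant files in %SystemRoot%\\System32 and
    read every value of both Run keys."""
    import winreg  # standard library, Windows only
    sysdir = os.path.join(os.environ["SystemRoot"], "System32")
    files = [os.path.join(sysdir, rel)
             for rel in SOBER_FIXED_FILES + tuple(SOBER_DROPPED_NAMES)
             if os.path.exists(os.path.join(sysdir, rel))]
    run_values = []
    for hive_name, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(getattr(winreg, hive_name), subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    run_values.append((hive_name, name, str(data)))
                    index += 1
        except OSError:  # key missing or not readable
            pass
    return sysdir, files, run_values


# Constructed sample of an infected host (not a real capture).
SAMPLE_SYSDIR = r"C:\WINDOWS\System32"
SAMPLE_FILES = [
    r"C:\WINDOWS\System32\kernel32.dll",
    r"C:\WINDOWS\System32\similare.exe",
    r"C:\WINDOWS\System32\MACROMED\HELP\MEDIA.DLL",
    r"C:\WINDOWS\System32\SYSTEMCHK.EXE",
]
SAMPLE_RUN_VALUES = [
    ("HKEY_LOCAL_MACHINE", "ctfmon", r"C:\WINDOWS\System32\ctfmon.exe"),
    ("HKEY_LOCAL_MACHINE", "xk3f9", r"C:\WINDOWS\System32\FILEXE.EXE"),
    ("HKEY_CURRENT_USER", "qq12", r'"C:\WINDOWS\System32\FILEXE.EXE"'),
]

if __name__ == "__main__":
    if sys.platform == "win32":
        sysdir, files, run_values = collect_live()
    else:
        sysdir, files, run_values = SAMPLE_SYSDIR, SAMPLE_FILES, SAMPLE_RUN_VALUES
    for kind, detail in sober_indicators(sysdir, files, run_values):
        print(f"{kind}: {detail}")
```

Because the two watchdog copies restart each other, a file hit on one of them is expected to come with a Run-key hit and a second dropped file; the check is for triage and confirmation, while removal stays with the engine and DAT combination the page names.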

Method of Infection

This worm is intended to propagate via emailing itself to email addresses extracted from the victim machine. It constructs outgoing messages (with varying subject lines, attachment names and message bodies) using its own SMTP engine.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

The AVERT stand-alone removal tool Stinger has been updated to detect and remove this threat.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Sober (AVP)
  • W32.Sober@mm (Symantec)
  • W32/Sober@MM
  • Win32.HLLM.Odin (Dialogue Science)
  • Win32/Sober.A (Eset)
