W32/Sober.c@MM
- Type: Virus
- SubType: (not specified)
- Discovery Date: 12/20/2003
- Length: approx. 73 KB
- Minimum DAT: 4310 (12/21/2003)
- Updated DAT: 4633 (11/21/2005)
- Minimum Engine: 5.1.00
- Description Added: 12/20/2003
- Description Modified: 01/23/2004 12:08 AM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update 30th Dec 2003 --
The risk assessment was reduced to Low-Profiled due to a decrease in prevalence.
-- Update 21st Dec 2003 16:12 PST --
W32/Sober.c@MM has been deemed Medium due to increasing prevalence.
Please note: because of the characteristics of this worm (its German-language lures), you may be at higher risk in Germany or German-speaking regions.
--
This detection is for a mass-mailing worm written in Visual Basic. Like its predecessor (W32/Sober.b@MM), the worm has the following characteristics:
- contains its own SMTP engine
- source/target email addresses are harvested from the victim machine
- the worm may carry garbage appended to the end of the file, so the file size may be larger than 74,223 bytes
- outgoing messages may be formatted with varying subject lines and message bodies (in English and German)
- two processes run on the victim machine to keep the worm resident in memory; when one process is terminated, the other restarts it very quickly
Mail Propagation
The worm extracts target email addresses from the victim machine and writes them to the file SAVESYSS.DLL in %SysDir%. For example:
- C:\WINNT\SYSTEM32\SAVESYSS.DLL
Outgoing messages are constructed using the worm's own SMTP engine. They may be written in either English or German, and the attachment filename can vary.
Messages are formatted with various subject lines, body contents and attachment filenames, some examples:
Subject Lines:
- Betr: Klassentreffen
- Testen Sie ihren IQ
- Bankverbindungs- Daten
- Neuer Dialer Patch!
- Ermittlungsverfahren wurde eingeleitet
- Ihre IP wurde geloggt
- Sie sind ein Raubkopierer
- Sie tauschen illegal Dateien aus
- Ich hasse dich
- Ich zeige sie an!
- Sie Drohen mir
- you are an idiot
- why me?
- I hate you
- Preliminary investigation were started
- Your IP was logged
- You use illegal File Sharing ...
Attachment:
- www.iq4you-german-test.com
- www.freewantiv.com
- www.free4manga.com
- www.free4share4you.com
- www.tagespolitik-umfragen.com
- www.onlinegamerspro-worm.com
- www.freegames4you-gzone.com
- www.boards4all-terror432.com
- www.anime4allfree.com
- www.animepage43252.com
- yourmail
- alledigis
- aktenz
(Attachments may end in any one of the following extensions, and the extension may be preceded by .txt or .doc and/or a random number)
- com
- bat
- cmd
- pif
- scr
- exe
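The attachment naming scheme above, as an added example that is not part of the AVERT description or McAfee's tooling: a Python classifier that splits a filename into the pieces the worm varies (stem, optional random number, optional .txt/.doc decoy, real extension) and a gateway-style triage function that runs it, together with the subject-line list, over a few constructed messages. It generalizes one step beyond the page: any name whose final extension is one of the six listed is treated as executable regardless of stem, because that is how Windows treats it, which is also why an attachment named like a domain (www.free4manga.com) is a .COM program. The sample messages are constructed for the demo, not captured traffic.

```python
import re
from typing import Optional

# Executable extensions the page lists for this worm's attachments.
EXEC_EXTS = ("com", "bat", "cmd", "pif", "scr", "exe")
# Decoy extensions the page says may be inserted before the real one.
DECOY_EXTS = ("txt", "doc")

# Subject lines and attachment stems quoted on the page (indicator tier).
KNOWN_SUBJECTS = {
    "betr: klassentreffen", "testen sie ihren iq", "bankverbindungs- daten",
    "neuer dialer patch!", "ermittlungsverfahren wurde eingeleitet",
    "ihre ip wurde geloggt", "sie sind ein raubkopierer",
    "sie tauschen illegal dateien aus", "ich hasse dich", "ich zeige sie an!",
    "sie drohen mir", "you are an idiot", "why me?", "i hate you",
    "preliminary investigation were started", "your ip was logged",
    "you use illegal file sharing ...",
}
KNOWN_STEMS = (
    "www.iq4you-german-test.com", "www.freewantiv.com", "www.free4manga.com",
    "www.free4share4you.com", "www.tagespolitik-umfragen.com",
    "www.onlinegamerspro-worm.com", "www.freegames4you-gzone.com",
    "www.boards4all-terror432.com", "www.anime4allfree.com",
    "www.animepage43252.com", "yourmail", "alledigis", "aktenz",
)

# stem, optional digits, optional .txt/.doc decoy, optional digits, real extension
_NAME_RE = re.compile(
    r"^(?P<stem>.+?)(?P<num1>\d*)(?:\.(?P<decoy>%s))?(?P<num2>\d*)\.(?P<ext>%s)$"
    % ("|".join(DECOY_EXTS), "|".join(EXEC_EXTS)),
    re.IGNORECASE,
)


def classify_attachment(name: str) -> dict:
    """Split an attachment name into the parts the worm varies. Only the
    final extension decides whether Windows runs the file, which is why a
    'domain name' such as www.free4manga.com is really a .COM program."""
    clean = name.strip()
    lower = clean.lower()
    info = {"name": clean, "executable": False, "stem": lower, "decoy": None,
            "number": "", "ext": lower.rsplit(".", 1)[-1] if "." in lower else "",
            "known_stem": any(lower.startswith(k) for k in KNOWN_STEMS)}
    m = _NAME_RE.match(clean)
    if m:
        info.update(executable=True, stem=m.group("stem").lower(),
                    decoy=(m.group("decoy") or "").lower() or None,
                    number=m.group("num1") or m.group("num2"),
                    ext=m.group("ext").lower())
    return info


def triage(subject: str, attachment: Optional[str]) -> dict:
    """Gateway-style verdict for one message: 'block' anything that would
    execute, 'review' a non-executable message whose subject is a known
    indicator, otherwise 'allow'. Reasons are kept for the log line."""
    reasons = []
    if subject.strip().lower() in KNOWN_SUBJECTS:
        reasons.append("subject matches a known Sober.c subject line")
    info = classify_attachment(attachment) if attachment else None
    if info and info["executable"]:
        reasons.append("attachment executes as .%s" % info["ext"])
        if info["decoy"]:
            reasons.append("decoy .%s before the real .%s" % (info["decoy"], info["ext"]))
        if info["known_stem"]:
            reasons.append("attachment name matches a known Sober.c attachment")
    if info and info["executable"]:
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons, "attachment": info}


# Constructed sample traffic (not captured mail): three Sober-style messages
# built from the page's lists plus two ordinary ones.
SAMPLE_MAIL = [
    ("Your IP was logged", "aktenz.txt.pif"),
    ("Testen Sie ihren IQ", "www.iq4you-german-test.com"),
    ("why me?", "yourmail4711.doc.scr"),
    ("Meeting notes", "notes.doc"),
    ("Ihre IP wurde geloggt", None),
]

if __name__ == "__main__":
    for subject, attachment in SAMPLE_MAIL:
        r = triage(subject, attachment)
        print("%-6s %-24s %-30s %s" % (r["verdict"], subject, attachment, "; ".join(r["reasons"])))
```

The block verdict rests on the final extension alone; the subject and stem matches only add context, since the page says both vary and a gateway rule keyed to them would miss the next variant.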
Installation
Upon execution, a fake error message is displayed; it starts with the filename in quotes.
The worm installs itself into %SysDir% on the victim machine:
- %SysDir%\SYSHOSTX.EXE
Additionally, and in common with W32/Sober.b@MM, two other copies of the worm are dropped into %SysDir% with varying filenames. For example:
- %SysDir%\ONDMONSTR.EXE
- %SysDir%\DATMSCRYPT.EXE
These two latter copies watch each other to keep the worm resident in memory: when one worm process is terminated, the other restarts it very quickly.
System startup is hooked via two Registry Run values, each pointing at one of these latter copies of the worm. For example:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "(string)" = %SysDir%\ONDMONSTR.EXE
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "(string)" = %SysDir%\ONDMONSTR.EXE
Where "string" varies between infections.
The following files are also dropped to the victim machine (0 bytes in testing):
- %SysDir%\HUMGLY.LKUR
- %SysDir%\YFJQ.YQWM
Symptoms
Method of Infection
Removal
All Users:
AVERT considered this a medium-risk threat when this guidance was written (the assessment was later reduced to Low-Profiled; see the updates above). The current DAT files detect and remove all viral (executable) components of W32/Sober. Zero-byte (empty) files and data components (harvested email addresses) may be removed manually. These files are:
- %SysDir%\SAVESYSS.DLL
- %SysDir%\HUMGLY.LKUR
- %SysDir%\YFJQ.YQWM
(Where %SysDir% is the windows system directory, such as c:\windows\system32 or c:\winnt\system32)
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
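A worked example of the manual clean-up, added here and not part of the original AVERT guidance or of any McAfee tool: a Python script that parses a `reg export` of both Run keys, flags values that launch one of the listed images (and, for review, anything else started straight out of the system directory), and emits the removal steps in the order that works against the watchdog pair: every worm process stopped together before any file is deleted, then the files, then the Run values. The registry dump, the value name a7Kx9q and the directory listing are constructed for the demo; on a real host export the keys with `reg export` and read the file with encoding utf-16.

```python
import ntpath

# Filenames the page lists as dropped into %SysDir% by W32/Sober.c@MM.
SOBER_EXES = {"SYSHOSTX.EXE", "ONDMONSTR.EXE", "DATMSCRYPT.EXE"}
SOBER_DATA = {"SAVESYSS.DLL", "HUMGLY.LKUR", "YFJQ.YQWM"}
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)


def parse_reg_export(text):
    r"""Minimal parser for `reg export` output: {KEY (upper-cased): {name: data}}.
    Handles the REG_SZ values a Run key holds and the \\ and \" escapes
    reg.exe writes; value names containing '=' are not supported."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            result.setdefault(current, {})
        elif current and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            result[current][name] = data
    return result


def image_path(command):
    """Executable path from a Run value: honour quotes, drop arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def find_run_hooks(reg, sysdir):
    """Run values that launch a known Sober.c image ('ioc') or any other
    executable straight out of the system directory ('review': legitimate
    entries such as ctfmon.exe also live there, so a human decides)."""
    sysdir = sysdir.upper().rstrip("\\")
    hits = []
    for key in RUN_KEYS:
        for name, data in reg.get(key.upper(), {}).items():
            path = image_path(data)
            if ntpath.basename(path).upper() in SOBER_EXES:
                tier = "ioc"
            elif ntpath.dirname(path).upper().rstrip("\\") == sysdir:
                tier = "review"
            else:
                continue
            hits.append({"key": key, "value": name, "path": path, "tier": tier})
    return hits


def cleanup_plan(hits, sysdir, present_files):
    """Ordered manual-removal steps. Processes go first and all at once: the
    page notes each resident copy restarts the other if killed one at a time,
    and a running image cannot be deleted anyway."""
    present = {f.upper() for f in present_files}
    steps = []
    running = sorted(present & SOBER_EXES)
    if running:
        steps.append("Terminate %s together in one pass (or boot to Safe Mode, "
                     "where Run values are not processed) before deleting "
                     "anything: each copy restarts the other." % ", ".join(running))
    for f in sorted(present & (SOBER_EXES | SOBER_DATA)):
        steps.append('del /f "%s"' % ntpath.join(sysdir, f))
    for h in hits:
        if h["tier"] == "ioc":
            steps.append('reg delete "%s" /v "%s" /f' % (h["key"], h["value"]))
    return steps


# Constructed sample: what `reg export` of both Run keys might look like on an
# infected Windows 2000 host. The value name a7Kx9q is made up; the page says
# it varies between infections.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"a7Kx9q"="C:\\WINNT\\SYSTEM32\\ONDMONSTR.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"a7Kx9q"="C:\\WINNT\\SYSTEM32\\ONDMONSTR.EXE"
'''
SAMPLE_SYSDIR = r"C:\WINNT\SYSTEM32"
SAMPLE_LISTING = ["kernel32.dll", "SYSHOSTX.EXE", "ONDMONSTR.EXE",
                  "DATMSCRYPT.EXE", "SAVESYSS.DLL", "HUMGLY.LKUR", "YFJQ.YQWM"]

if __name__ == "__main__":
    hooks = find_run_hooks(parse_reg_export(SAMPLE_REG), SAMPLE_SYSDIR)
    for h in hooks:
        print("%-6s %s\\%s -> %s" % (h["tier"], h["key"], h["value"], h["path"]))
    for n, step in enumerate(cleanup_plan(hooks, SAMPLE_SYSDIR, SAMPLE_LISTING), 1):
        print("%d. %s" % (n, step))
```

The 'review' tier exists because the page gives no way to recognise a worm image by name alone (the two extra filenames vary); anything else launched from %SysDir% by a Run value is worth a look but is not deleted automatically.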
Optional Stand Alone Removal Tool:
For unprotected desktop systems that have contracted the virus, the AVERT Stinger tool has been updated to detect and remove W32/Sober.c@MM.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- Sober.C (F-Secure)
- W32.Sober.C@mm (Symantec)
- WORM_SOBER.C (Trend)