
W32/Sober.d@MM

Type: Virus
SubType: E-mail
Discovery Date: 03/07/2004
Length: 33,792 bytes
Minimum DAT: 4334 (03/08/2004)
Updated DAT: 4633 (11/21/2005)
Minimum Engine: 5.1.00
Description Added: 03/07/2004
Description Modified: 03/13/2004 4:55 PM (PT)
Risk Assessment
  Corporate User: Low-Profiled
  Home User: Low-Profiled


Characteristics

-- Update March 13th 2004 --
Due to decreased prevalence, the risk assessment of this threat has been lowered to Low-Profiled
--

-- Update March 8th 2004 03.18 PST --
Due to increased prevalence, the risk assessment of this threat has been raised to medium
--

If you think that you may be infected with Sober.d and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products can detect and remove the virus with the latest update (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

This detection is for a mass-mailing worm written in Visual Basic. Similar to its predecessor (W32/Sober.c@MM), the worm bears the following characteristics:

  • contains its own SMTP engine
  • source/target email addresses are harvested from the victim machine
  • outgoing messages claim to contain a patch by Microsoft (in English and German)

Mail Propagation

The worm extracts target email addresses from the victim machine, and writes them to the file MSLOGS32.DLL in %SysDir%.

Outgoing messages are constructed using the worm's own SMTP engine. The messages may be written in either English or German, and the attachment filename can vary. The recipient email address is used in determining the language to use for the message. If it contains any of the following, German is selected:

  • .de
  • .ch
  • .at
  • .li
  • @gmx

Email addresses are harvested from files with the following extensions:

  • log
  • mdb
  • tbb
  • abd
  • adb
  • pl
  • rtf
  • doc
  • xls
  • txt
  • wab
  • eml
  • php
  • asp
  • shtml
  • dbx
  • ttt
  • wab
  • tbb

The email messages claim to be from Microsoft containing a patch for the W32/Mydoom@MM virus. Below are some examples:

From: (sender)@microsoft.(country), where sender is taken from the following list:

  • Info
  • Center
  • UpDate
  • News
  • Help
  • Studio
  • Alert
  • Security

And country is taken from the following list:

  • de (for messages in German)
  • at (for messages in German)
  • com (for messages in English)

Subject: Varies, and contains random characters. For German and English messages respectively, the subject line starts:

  • Microsoft Alarm: Bitte Lessen!
  • Microsoft Alert: Please Read!

Body:

(German version)
Neue Virus-Variante W32.Mydoom verbreitet sich schnell.
Eine neue Mydoom-Variante verbreitet sich derzeit rasend schnell im Internet.
Wie seine Vorg
Zudem installiert er auf infizierten Systemen einen gefahrlichen Trojaner! Fuhrende Virenspezialisten melden bereis ein vermehrtes Aufkommen des W32.Mydoom alias W32.Novarg.

Bitte daten Sie Ihr System mit dem Patch ab, um sich vor diesem Sch
+++
+++ Microsoft Deutschland GmbH, Konrad-Zuse-Strasse 1
+++ 85716 Unterschleissheim, HRB 70438, DE 129 415 943

(English version)
New MyDoom Virus Variant Detected!
A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet.
Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus.
The worm also has a backdoor Trojan capability. By default, the Trojan component listens on port 13468.

Protection:
Please download this digitally signed attachment.
This Update includes the functionality of previously released patches.
+++
+++ One Microsoft Way, Redmond, Washington 98052
+++ Restricted Rights at 48 CFR 52.227-19 com

Attachment: Either a .EXE or .ZIP, with varying filename. The EXE filename is constructed from a name and an optional random number component. The name is chosen from the following list:

  • sys-patch
  • MS-UD
  • MS-Security
  • Patch
  • Update
  • MS-Q

The random number may be 5 or 10 digits long. For example:

  • MS-UD89021.EXE
  • MS-Q4532364791.EXE

If mailed within a ZIP file, initial analysis suggests the worm uses the following filename within the ZIP:

  • MS-Q(10-digits).EXE

The virus does not mail itself to email addresses containing any of the following strings:

  • @arin
  • @avp
  • @foo.
  • @iana
  • @ikarus.
  • @kaspers
  • @messagelab
  • @msn.
  • @nai.
  • @ntp.
  • @panda
  • @sophos
  • abuse
  • admin
  • antivir
  • bitdefender
  • clock
  • detection
  • domain.
  • emsisoft
  • ewido.
  • free-av
  • google
  • host.
  • hotmail
  • info@
  • linux
  • microsoft.
  • mozilla
  • ntp-
  • ntp@
  • office
  • password
  • postmas
  • redaktion
  • service
  • spybot
  • support
  • symant
  • t-online
  • time
  • variabel
  • verizon.
  • viren
  • virus
  • winrar
  • winzip
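The message characteristics listed above (forged sender, fixed subject prefix, attachment name pattern, recipient-driven language choice) can be turned into a mail-gateway or mailbox triage check. The following Python script is an added example, not part of the original McAfee description: it parses an RFC 822 message, tests the From address against the sender/country pattern, the Subject against the two prefixes, the attachment filename against the name plus 5- or 10-digit pattern, and checks that the From country code agrees with the language the worm would have chosen for that recipient. The sample messages and the inert attachment payload are constructed for the demonstration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators transcribed from the description above.
SENDER_NAMES = {"info", "center", "update", "news", "help", "studio", "alert", "security"}
FROM_RE = re.compile(r"^(?P<name>[a-z]+)@microsoft\.(?P<country>de|at|com)$", re.IGNORECASE)
SUBJECT_PREFIXES = ("Microsoft Alarm: Bitte Lessen!", "Microsoft Alert: Please Read!")
ATTACHMENT_RE = re.compile(
    r"^(sys-patch|MS-UD|MS-Security|Patch|Update|MS-Q)(\d{5}|\d{10})?\.(exe|zip)$", re.IGNORECASE)
GERMAN_MARKERS = (".de", ".ch", ".at", ".li", "@gmx")


def expected_language(recipient):
    """Mirror the worm's recipient-based language choice: German if any marker occurs, else English."""
    rcpt = recipient.lower()
    return "de" if any(marker in rcpt for marker in GERMAN_MARKERS) else "en"


def sober_indicators(raw_message):
    """Return the sorted list of Sober.d indicators present in a raw RFC 822 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = set()

    _, from_addr = parseaddr(str(msg.get("From", "")))
    m = FROM_RE.match(from_addr)
    if m and m.group("name").lower() in SENDER_NAMES:
        hits.add("from")
        # The worm pairs .de/.at senders with German recipients and .com with English ones.
        _, to_addr = parseaddr(str(msg.get("To", "")))
        wanted = {"de": ("de", "at"), "en": ("com",)}[expected_language(to_addr)]
        if m.group("country").lower() in wanted:
            hits.add("language")

    if str(msg.get("Subject", "")).startswith(SUBJECT_PREFIXES):
        hits.add("subject")

    for part in msg.walk():
        filename = part.get_filename()
        if filename and ATTACHMENT_RE.match(filename):
            hits.add("attachment")
            break
    return sorted(hits)


def is_sober_like(raw_message):
    """Flag only when two or more independent indicators agree; a lone forged From is not enough."""
    return len(sober_indicators(raw_message)) >= 2


def build_sample(sender, recipient, subject, attachment_name=None):
    """Construct a test message; the attachment payload is inert filler, not the worm."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("constructed sample body")
    if attachment_name:
        msg.add_attachment(b"constructed inert payload", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


# Constructed samples: one shaped like the worm's German mail, one ordinary message.
SOBER_SAMPLE = build_sample("UpDate@microsoft.de", "someone@example.de",
                            "Microsoft Alarm: Bitte Lessen! qzx17", "MS-UD89021.EXE")
BENIGN_SAMPLE = build_sample("alice@example.com", "bob@example.com", "Lunch on Friday", "notes.txt")

if __name__ == "__main__":
    for label, raw in (("sober", SOBER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, sober_indicators(raw), is_sober_like(raw))
```

Requiring two agreeing indicators matters because, as the note above says, the From address is forged: a legitimate reply or bounce quoting one of these senders should not by itself be treated as an infection on the receiving host.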

Symptoms

Installation

Upon execution, fake error messages may be displayed.

The virus installs itself to the %SYSDIR% directory of the victim machine, using one of various possible filenames (constructed from a string pool carried within the worm). For example:

  • %SYSDIR%\diagwinhost.exe

It also adds the following registry entries to run itself at startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\disc32data "spool32" = %SYSDIR%\diagwinhost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "diagdir" = %SYSDIR%\diagwinhost.exe %1

The filenames and Registry keys used are random and are made up from the following list of strings:

  • sys
  • host
  • dir
  • explorer
  • win
  • run
  • log
  • 32
  • disc
  • crypt
  • data
  • diag
  • spool
  • service
  • smss32

The worm also drops the following files into the %SYSDIR%:

  • Humgly.lkur (0 bytes at testing)
  • temp32x.data (46,244 bytes, Base-64 encoded copy of the worm)
  • wintmpx33.dat (46,426 bytes, Base-64 encoded ZIP containing the worm)
  • yfjq.yqwm (0 bytes at testing)
  • zmndpgwf.kxx  (0 bytes at testing)

(where %SYSDIR% is C:\winnt\system32 or C:\windows\system32)

Method of Infection

  • Propagates through email. User would need to manually run the attachment in order to be infected

Removal

All Users
Use the latest engine and DAT files for detection and removal.

Due to the way this virus operates once a machine is infected, read access to the worm's file may be denied, in which case the AV scanner cannot detect the file. For this reason, if a machine is suspected of being infected, users are recommended to follow the procedure below:

  1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, then choose Safe Mode).
  2. Run a system scan using the specified engine/DATs.
  3. Delete files flagged as infected.
  4. Restart the machine in default mode.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, then choose Safe Mode).
  2. The filename used by the worm is constructed from strings as detailed above. For example:
      1. rundiscexplorer.exe
      2. rundircrypt.exe
      3. sys32dirdisc.exe
      4. etc.
  3. Delete this file from your Windows System directory (typically C:\Windows\System or C:\Winnt\System32).
  4. Delete the following files from the same directory:
      1. Humgly.lkur
      2. temp32x.data
      3. wintmpx33.dat
      4. yfjq.yqwm
      5. zmndpgwf.kxx
      6. mslogs32.dll
  5. Edit the registry.
    A similar string is constructed for use in the Registry modifications made to hook system startup.
    • Delete the following key:
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\(constructed string)
    • Delete the following value:
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce "(constructed string)"
  6. Reboot the system into Default Mode
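Both the Installation section and the manual removal steps above hinge on recognising names assembled from the worm's string pool, because the exact filename and Run value differ from machine to machine. The following Python script is an added example, not part of the original McAfee description: it segments a filename or Run-value name into tokens from that pool (backtracking over every token order), matches the dropped files by name, and applies both checks to a constructed %SYSDIR% listing and a constructed set of Run entries. Names made of a single pool token are deliberately not flagged, since explorer.exe is a legitimate Windows binary; a scan with current DATs, not this heuristic, is the authoritative check.

```python
import ntpath

# String pool and dropped-file names transcribed from the description above.
STRING_POOL = ("sys", "host", "dir", "explorer", "win", "run", "log", "32",
               "disc", "crypt", "data", "diag", "spool", "service", "smss32")
DROPPED_FILES = {"humgly.lkur", "temp32x.data", "wintmpx33.dat",
                 "yfjq.yqwm", "zmndpgwf.kxx", "mslogs32.dll"}


def segment(name):
    """Split name into a sequence of STRING_POOL tokens, or return None if impossible.

    Depth-first search with memoisation over start offsets, so every token order is tried.
    """
    name = name.lower()
    memo = {}

    def walk(i):
        if i == len(name):
            return []
        if i in memo:
            return memo[i]
        for token in STRING_POOL:
            if name.startswith(token, i):
                rest = walk(i + len(token))
                if rest is not None:
                    memo[i] = [token] + rest
                    return memo[i]
        memo[i] = None
        return None

    return walk(0) if name else None


def is_pool_name(stem):
    """True when stem is built from two or more pool tokens.

    One-token names are skipped on purpose: explorer.exe is a legitimate Windows binary.
    """
    tokens = segment(stem)
    return tokens is not None and len(tokens) >= 2


def stem_of(filename):
    """Filename without its last extension ("diagwinhost.exe" -> "diagwinhost")."""
    return filename.rsplit(".", 1)[0]


def scan_listing(filenames):
    """Classify a %SYSDIR% directory listing into pool-constructed .exe names and known dropped files."""
    report = {"pool_names": [], "dropped_files": []}
    for fn in filenames:
        low = fn.lower()
        if low in DROPPED_FILES:
            report["dropped_files"].append(fn)
        elif low.endswith(".exe") and is_pool_name(stem_of(fn)):
            report["pool_names"].append(fn)
    return report


def scan_run_values(run_values):
    """Return the names of Run/RunOnce values whose name or launched binary is pool-constructed."""
    flagged = []
    for value_name, command in run_values.items():
        exe = ntpath.basename(command.split()[0].strip('"'))
        if is_pool_name(value_name) or is_pool_name(stem_of(exe)):
            flagged.append(value_name)
    return flagged


# Constructed sample data for the demonstration (not captured from a real system).
SAMPLE_LISTING = ["diagwinhost.exe", "explorer.exe", "kernel32.dll", "temp32x.data",
                  "win32k.sys", "notepad.exe", "sys32dirdisc.exe", "wintmpx33.dat"]
SAMPLE_RUN_VALUES = {
    "disc32data": r"C:\WINNT\system32\diagwinhost.exe",
    "diagdir": r"C:\WINNT\system32\diagwinhost.exe %1",
    "Synchronization Manager": "mobsync.exe /logon",
}

if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING))
    print(scan_run_values(SAMPLE_RUN_VALUES))
```

The listing and Run values would normally be collected from the suspect machine in Safe Mode, as step 1 requires; the checker only narrows the candidates an analyst then deletes in steps 3 to 5.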

Stinger
Stinger has been updated to assist in detecting and repairing this threat.

McAfee ThreatScan
ThreatScan signatures that can detect the W32/Sober.d@MM virus are available (ThreatScan Signature version: 2004-03-08).

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

  • Select the "Remote Infection Detection" category and "Windows Virus Checks" template.

-or-

  • Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

Run the "ThreatScan Template Report"
Look for module number #4070

Sniffer® Technologies
Because this is a mass-mailing virus only, with no remote component, and because the offsets of the Subject, From and attachment fields vary between the emails described above, a Sniffer filter cannot be created for this virus.
Recommendation for customers:

1) Create a capture profile that captures only SMTP traffic.
2) Analyze the captured traffic in the Decode view for the Subject, Mail To and Attachments given in this description, to identify whether a virus is propagating from specific IPs.

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32/Roca-A (Sophos)
  • Win32/Roca.A@mm (GeCAD)
