
W32/Sober.e@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 03/28/2004
Length: 30,720 bytes (.EXE); 30,866 bytes (.ZIP)
Minimum DAT: 4345 (03/29/2004)
Updated DAT: 4633 (11/21/2005)
Minimum Engine: 5.1.00
Description Added: 03/28/2004
Description Modified: 03/28/2004 12:07 PM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low


Characteristics

This is a detection for a new email worm that sends itself to email addresses found on the local system using its own SMTP engine.

The subject is randomly chosen from this list:

  • Hi
  • HEY
  • Hey!
  • hey?
  • hi
  • Hi :-)
  • OK :-)
  • OK OK
  • OK ok OK

The mail body may contain words from this list:

  • ;-)
  • HA
  • ha!
  • lol
  • LoL
  • LOL
  • THX
  • Thx!
  • thx
  • yo!

The attachment is either a .PIF (30,720 bytes) or a .ZIP (30,866 bytes) file and starts with one of these names:

  • Document
  • Graphic-doc
  • Read
  • Text
  • Word
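As an added illustration (not part of McAfee's description), the following Python turns the subject, body and attachment characteristics above into a scoring rule that a mail-gateway filter or an analyst could run over message metadata. The message records it scores are constructed for the example; the names `score_message`, `attachment_matches` and `body_matches` and the three-point scoring are my choices, and the body rule treats a body made only of the listed filler words as a hit, which is an assumption since the page says only that the body "may contain" those words.

```python
"""Mail triage rule for the W32/Sober.e@MM characteristics listed above.

Added example, not part of the McAfee description.  It scores constructed
in-memory message records; feeding it real gateway metadata is up to you.
"""

# Indicator lists copied from the description above.
SUBJECTS = {"Hi", "HEY", "Hey!", "hey?", "hi", "Hi :-)", "OK :-)", "OK OK", "OK ok OK"}
BODY_WORDS = {";-)", "HA", "ha!", "lol", "LoL", "LOL", "THX", "Thx!", "thx", "yo!"}
ATTACH_PREFIXES = ("Document", "Graphic-doc", "Read", "Text", "Word")
ATTACH_SIZES = {".pif": 30720, ".zip": 30866}   # extension -> size in bytes


def attachment_matches(name, size):
    """True if name starts with a listed prefix and extension/size fit the page."""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return False
    ext = "." + ext.lower()
    if ATTACH_SIZES.get(ext) != size:
        return False
    return stem.startswith(ATTACH_PREFIXES)   # str.startswith accepts a tuple


def body_matches(body):
    """Assumption: a body made only of listed filler words (whitespace-separated) is a hit."""
    tokens = body.split()
    return bool(tokens) and all(t in BODY_WORDS for t in tokens)


def score_message(msg):
    """Return (score, reasons); one point per indicator, 3 is a full match."""
    reasons = []
    if msg.get("subject") in SUBJECTS:
        reasons.append("subject is on the Sober.e subject list")
    if body_matches(msg.get("body", "")):
        reasons.append("body consists only of Sober.e filler words")
    for att in msg.get("attachments", []):
        if attachment_matches(att["name"], att["size"]):
            reasons.append("attachment %s (%d bytes) matches" % (att["name"], att["size"]))
            break
    return len(reasons), reasons


# Constructed sample messages (not real captures).
SAMPLES = [
    {"subject": "Hey!", "body": "lol ;-)",
     "attachments": [{"name": "Document.pif", "size": 30720}]},
    {"subject": "Quarterly numbers", "body": "Please find the Q1 report attached.",
     "attachments": [{"name": "Report.xls", "size": 51200}]},
    {"subject": "hi", "body": "how are you?",
     "attachments": [{"name": "Text123.zip", "size": 30866}]},
]

if __name__ == "__main__":
    for m in SAMPLES:
        score, reasons = score_message(m)
        print(score, reasons)
```

The third sample scores 2 (subject and attachment) rather than 3, which is the point of scoring instead of hard-matching: a short greeting subject on its own is common legitimate mail, but a listed subject together with a 30,720-byte .PIF or 30,866-byte .ZIP named with one of the five prefixes is worth quarantining for review.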

The recipient email addresses are harvested from the local system. The worm searches for addresses within files having one of these file extensions:

  • .abd
  • .abx
  • .adb
  • .asp
  • .dbx
  • .doc
  • .eml
  • .ini
  • .log
  • .mdb
  • .php
  • .pl
  • .rtf
  • .shtml
  • .tbb
  • .ttt
  • .txt
  • .wab
  • .xls

Symptoms

When the worm is executed, it drops a few files into the %system32% folder:

Filename        Filesize      Comments
BCEGFDS.DLL     0 bytes
MSHELP32.DAT    42040 bytes   MIME encoded copy of the worm
MSWORD.WRD      42240 bytes   MIME encoded ZIP including the worm
WINRUN32.DLL    varies        harvested email addresses
ZMNDPQWF.KXX    0 bytes

The worm copies itself to the %system32% folder using a filename constructed from these strings:

  • 32
  • crypt
  • data
  • diag
  • dir
  • disc
  • explorer
  • host
  • log
  • run
  • service
  • smss32
  • spool
  • sys
  • win

Example: WINSYSSERVICE.EXE or DISKDIRRUN.EXE

It creates two registry entries (under the Run and RunOnce keys) in order to be executed at system boot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[generated string] = C:\WINNT\System32\[generated string].exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\[generated string] = C:\WINNT\System32\[generated string].exe %1
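As an added example that is not from the McAfee page, the Python below checks the host symptoms above: the five dropped filenames, the System32 copy whose name is concatenated from the listed fragments, and the Run/RunOnce entries that point at it. The System32 listing and registry values it inspects are constructed sample data (on a real host you would feed it a directory listing and the exported values of the two keys); `segment`, `looks_generated`, `check_run_values` and `check_system32` are names I chose. It also shows a caveat: the page's second example name, DISKDIRRUN.EXE, contains "disk", which is not in the fragment list ("disc" is), so a strict segmenter rejects it. Treat the fragment list as illustrative and combine name segmentation with the dropped-file indicators rather than relying on it alone.

```python
"""Host-artifact check for the Sober.e symptoms listed above.

Added example, not part of the McAfee description.  It runs over constructed
sample data (a fake System32 listing and fake Run/RunOnce values), so it works
on any OS; on a real host feed it a directory listing and the exported values
of the two keys named on the page.
"""

# Indicators copied from the description above.
DROPPED_FILES = {"BCEGFDS.DLL", "MSHELP32.DAT", "MSWORD.WRD", "WINRUN32.DLL", "ZMNDPQWF.KXX"}
FRAGMENTS = ["32", "crypt", "data", "diag", "dir", "disc", "explorer", "host",
             "log", "run", "service", "smss32", "spool", "sys", "win"]


def segment(stem, fragments=FRAGMENTS):
    """Split `stem` (case-insensitive) into listed fragments, or return None.

    Depth-first search with backtracking; longer fragments are tried first."""
    stem = stem.lower()
    frags = sorted(fragments, key=len, reverse=True)

    def rec(i):
        if i == len(stem):
            return []
        for f in frags:
            if stem.startswith(f, i):
                rest = rec(i + len(f))
                if rest is not None:
                    return [f] + rest
        return None

    return rec(0)


def looks_generated(filename):
    """True for an .exe whose stem is built entirely from the fragment list."""
    stem, dot, ext = filename.rpartition(".")
    return bool(dot) and ext.lower() == "exe" and segment(stem) is not None


def check_run_values(values):
    """values: {value_name: data} exported from a Run or RunOnce key.

    Flags entries whose value name equals the stem of a System32 .exe that
    looks generated, i.e. the [generated string] pattern shown on the page."""
    hits = []
    for name, data in values.items():
        path = data.split()[0] if data else ""      # drops a trailing %1
        exe = path.rsplit("\\", 1)[-1]
        stem = exe.rpartition(".")[0]
        if ("system32" in path.lower() and looks_generated(exe)
                and name.lower() == stem.lower()):
            hits.append((name, data))
    return hits


def check_system32(listing):
    """Return the dropped-file names present in a System32 directory listing."""
    return sorted({n.upper() for n in listing} & DROPPED_FILES)


# Constructed sample data (not from a real host).
SYSTEM32_SAMPLE = ["kernel32.dll", "MSHELP32.DAT", "ntdll.dll", "winrun32.dll"]
RUN_SAMPLE = {
    "WINSYSSERVICE": r"C:\WINNT\System32\WINSYSSERVICE.exe",
    "ctfmon": r"C:\WINNT\System32\ctfmon.exe",          # benign-looking entry
    "DISKDIRRUN": r"C:\WINNT\System32\DISKDIRRUN.exe",  # 'disk' is not a listed fragment
}
RUNONCE_SAMPLE = {"SYSLOGRUN": r"C:\WINNT\System32\SYSLOGRUN.exe %1"}

if __name__ == "__main__":
    print(check_system32(SYSTEM32_SAMPLE))
    print(check_run_values(RUN_SAMPLE))
    print(check_run_values(RUNONCE_SAMPLE))
```

Because the segmenter backtracks, overlapping fragments such as "32", "sys" and "smss32" are handled correctly whichever order they occur in; the longest-first ordering only makes the common case fast. The page's own removal advice still applies: the listed DAT and engine clean the files and the startup entries, and this check is for confirming exposure or writing a detection, not a substitute for that cleanup.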

Method of Infection

This worm spreads by sending itself to email addresses found on the local system. It does not use any exploit to execute the attachment automatically; it runs only if the recipient opens the attachment.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Sober.e
  • Sober.e
  • W32.Sober.E@mm
