W32/Sober.f@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 04/04/2004
Length: Varies
Minimum DAT: 4347 (04/04/2004)
Updated DAT: 4633 (11/21/2005)
Minimum Engine: 5.1.00
Description Added: 04/04/2004
Description Modified: 04/13/2004 9:04 PM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update April 13, 2004 --
The risk assessment of this threat has been lowered to Low-Profiled due to a decrease in prevalence.

This threat is a variant of W32/Sober.e@MM and exhibits some of the same behavior.

If you think that you may be infected with Sober.f and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products are capable of detecting and removing the virus with the latest update (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From address.

The virus is received in an email message with the following characteristics:

Subject: (one of the following)

  • Bad Gateway
  • Best
  • Confirmation Required
  • Connection failed
  • damn!
  • Datenbank-Fehler
  • Details
  • Einzelheiten
  • Faulty mail delivery
  • Fehler
  • Fehler in E-Mail
  • Fehlerhafte Mailzustellung
  • Hallo Du!
  • Hallo!
  • Hey
  • Hey Du
  • hey you
  • Hi!
  • Hi, Ich bin's
  • Hi, it's me
  • Ich bin es .-)
  • Ihr neues Passwort
  • Ihr Passwort
  • Illegal signs in Mail-Routing
  • Illegale Zeichen in Mail-Routing
  • Info
  • Information
  • Invalid mail sentence length
  • Mail delivery failed
  • Mail Delivery failure
  • mail delivery status
  • Mail Error
  • Mailzustellung fehlgeschlagen
  • Message Error
  • Na,
  • Oh my God
  • Registrierungs-Best
  • Ung
  • Verbindung fehlgeschlagen
  • Verdammt
  • Warning!
  • Warnung!
  • Well, surprise?!
  • Your document
  • Your mail account
  • Your mail-account
  • Your password

Body: (one of the following)

  • Ich war auch ein wenig
    Wer konnte so etwas ahnen!? Lese selbst
    Oh-Mann
  • Alles klaro bei dir?
    Schau mal was Ich gefunden habe!
    Meinst Du das wirklich?
    Dokument
    KurzText
  • Sieh mal nach ob du den Scheiss auch bei dir drauf hast!
    Ist ein ziemlich nervender Virus. Mach genau das, wie es im Text beschrieben ist!
    Bye
  • AntiVirus-Text
    Anleitung
    Ich habs dir doch gesagt, irgendwann schaffe ich es deine Passw
    Passwoerter.txt
    Details entnehmen Sie bitte dem Attachment
    Dokumente
    Text-Inhalt
  • *** Auto Mail Delivery System ***
    Ihre E-Mail konnte nicht gesendet oder empfangen werden.
    Bitte
    attach:
    AMD-System.txt
    * End Transmission
    --- Web: http://www.(domain name)
    --- Mail To: User-Hilfe
  • Passwort und Benutzername wurde erfolgreich ge
    Ihre Benutzernamen und Passw
    ++++ Im www erreichbar unter: http://www.(domain name)
    ++++ E-Mail: KundenInfo
  • Benutzer-Daten
    Wegen eines Datenbank- Fehlers k
    Wenn Sie Unregelm
    Vielen Dank f
    +++ Ein Service von
    +++ http://www .(domain name)
    +++ E-Mail: Kundenservice
  • Internet Provider Abuse:
    Wir haben festgestellt, dass Sie illegale Internet- Seiten besuchen.
    Bitte beachten Sie folgende Liste:
    Liste
    Schwarze-Liste
  • ***
    Mail- Anhang: Keine verd
    Mail Scanner: Kein Virus gefunden
    Anti- Virus: Es wurde kein Virus erkannt
     Virenschutz
    *** http://www.(domain name)
  • I was surprised, too! :-(
    Who could suspect something like that?
    shock
  • All OK :)
    see, what i've found!
  • hi its me
    i've found a shity virus on my pc. check your pc, too!
    follow the steps in this article.
    bye
  • I 've told you!:-) sometime I grab your passwords!
    your_passwords
    I hope you accept the result!
  • Follow the instructions to read the message.
    Please read the document
  • Your password was changed successfully.
    Protected message is attached.
    ++++ Service: http://www.(domain name)
    ++++ Mail To: User-info
  • 67.28.114.32_failed_after_I_sent_the_message./
    Remote_host_said:_554_delivery_error:_dd_
    Sorry_your_message_cannot_be_delivered._
    This_account_has_been_disabled_or_discontinued_[#102]._-_mta134.mail.dcn.com
    ** End of Transmission
  • The original message is a separate attachment.
    --- Mail To: UserHelp
    Error_Info
    _attach
    Read the attachment for details.
    Bad Gateway: The message has been attached.
    +++ A service of
    +++ Mail: home
  • Database #Error
    -- Partial message is available!
    -- Error: llegal signs in Mail-Routing
    -- Mail Server: ESMTP VX32.9 Version Betha Alpha
  • Mail- Attachment: No suspicious Virus signatures
    Mail Scanner: No Virus found
    Anti-Virus: No Virus!

The attachment is either a .PIF (30,720 bytes) or a .ZIP (30,866 bytes) file and carries one of the following names (note that the filename may be preceded by random numbers and followed by _attach):

  • Administrator
  • AMD-System.txt
  • anitv_text
  • AntiVirus-Text
  • attach-message
  • AutoMailer
  • Benutzer-Daten
  • block-lists
  • check_this
  • corrected_text-file
  • database_partial
  • database
  • Datenbank_Auszug
  • dokument
  • Error_Info
  • error
  • error-message
  • Fehler-Info
  • help
  • instructions
  • kurztext
  • message
  • Money-Help
  • partial
  • pass-message
  • pmessage-text 
  • RobotMailer
  • Schwarze-Liste
  • textdocument
  • Text-Inhalt
  • User-info
  • webmaster
  • your_article
  • your_passwords

The recipient email addresses are harvested from the local system. The worm searches for addresses within files having one of these file extensions:

  • abc
  • abd
  • abx
  • adb
  • ade
  • adp
  • adr
  • asp
  • bas
  • cfg
  • cgi
  • cls
  • ctl
  • dbx
  • dhtm
  • doc
  • dsp
  • dsw
  • eml
  • fdb
  • frm
  • hlp
  • ini
  • jsp
  • ldb
  • ldif
  • log
  • mbx
  • mda
  • mdb
  • mde
  • mdw
  • mdx
  • mht
  • mmf
  • msg
  • nab
  • nch
  • nfo
  • nsf
  • ods
  • oft
  • php
  • pl
  • pp
  • ppt
  • pst
  • rtf
  • shtml
  • sln
  • tbb
  • txt
  • uin
  • vap
  • vbs
  • wab
  • wsh
  • xls
  • xml

The virus does not send itself to addresses containing any of the following strings:

  • mailer-daemon
  • office
  • redaktion
  • support
  • variabel
  • password
  • time
  • postmas
  • service
  • freeav/
  • @ca.
  • abuse
  • winrar
  • domain.
  • host.
  • viren
  • ewido.
  • emsisoft
  • linux
  • google
  • @foo.
  • winzip
  • @arin
  • mozilla
  • @iana
  • @avp
  • @msn
  • microsoft.
  • @sophos
  • @panda
  • symant
  • ntp-
  • ntp@
  • @ntp.
  • @kaspers
  • free-av
  • antivir
  • virus
  • verizon.
  • @ikarus.
  • @nai.
  • @messagelab
  • clock
  • yahoo.com
  • yahoo.de
  • gmx.de
  • gmx.net
  • web.de
  • freenet.de
  • lycos.de

Symptoms

When the worm gets executed, it drops a few files into the %system32% folder:

Filename             Filesize   Comments
WINHEX32XX.WRM       58,156     MIME encoded copy of the worm
WINSYS32XX.ZZP       58,374     MIME encoded ZIP including the worm
SYST32WIN.DLL        varies     harvested email addresses
SPOOFED_RECIPS.OCX   varies     harvested email addresses
BCEGFDS.LLL          0 bytes
ZHCARXXI.WX          0 bytes
ZMNDPGWF.KXX         0 bytes

The worm copies itself to the %system32% folder using a filename constructed by concatenating strings from this list:

  • 32
  • crypt
  • data
  • diag
  • dir
  • disc
  • explorer
  • host
  • log
  • run
  • service
  • smss32
  • spool
  • sys
  • win

Example: WINSYSSERVICE.EXE or DISKDIRRUN.EXE

It creates a registry key in order to be executed on system boot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run\[generated string] =  C:\WINNT\System32\[generated string].exe
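The naming conventions described above (the token-built filename dropped into %system32%, and the attachment names, sizes and optional `_attach` suffix listed earlier) can be turned into a simple host- or gateway-side check. The following Python is an added example, not McAfee's code: it tests whether an .exe name can be split entirely into the listed building blocks and whether an attachment name and byte size fit the advisory's pattern. It assumes the `_attach` suffix sits between the base name and the extension, and it requires at least two tokens so that the legitimate `explorer.exe` (itself a token) is not flagged.

```python
import re
from typing import Optional

# Building blocks of the dropped %system32% filename, as listed in the advisory.
SOBER_TOKENS = {"32", "crypt", "data", "diag", "dir", "disc", "explorer", "host",
                "log", "run", "service", "smss32", "spool", "sys", "win"}

# Attachment base names from the advisory, compared case-insensitively.
SOBER_ATTACHMENT_NAMES = {
    "administrator", "amd-system.txt", "anitv_text", "antivirus-text",
    "attach-message", "automailer", "benutzer-daten", "block-lists", "check_this",
    "corrected_text-file", "database_partial", "database", "datenbank_auszug",
    "dokument", "error_info", "error", "error-message", "fehler-info", "help",
    "instructions", "kurztext", "message", "money-help", "partial", "pass-message",
    "pmessage-text", "robotmailer", "schwarze-liste", "textdocument", "text-inhalt",
    "user-info", "webmaster", "your_article", "your_passwords",
}

# Attachment sizes from the advisory, keyed by extension.
SOBER_ATTACHMENT_SIZES = {"pif": 30720, "zip": 30866}

# Assumption: optional leading digits, the name, optional "_attach", then .PIF/.ZIP.
_ATTACH_RE = re.compile(r"^\d*(?P<name>.+?)(_attach)?\.(?P<ext>pif|zip)$", re.I)


def min_token_count(stem: str) -> Optional[int]:
    """Fewest advisory tokens that concatenate to `stem`, or None if it cannot be split."""
    stem = stem.lower()
    best: list = [None] * (len(stem) + 1)
    best[0] = 0  # the empty prefix needs zero tokens
    for i in range(1, len(stem) + 1):
        for j in range(i):
            if best[j] is not None and stem[j:i] in SOBER_TOKENS:
                if best[i] is None or best[j] + 1 < best[i]:
                    best[i] = best[j] + 1
    return best[-1]


def looks_like_sober_drop(filename: str, min_tokens: int = 2) -> bool:
    """True if an .exe name is built entirely from at least `min_tokens` advisory tokens."""
    # "explorer.exe" is a single token on its own, so a one-token match is not enough.
    m = re.fullmatch(r"(.+)\.exe", filename, re.I)
    if not m:
        return False
    count = min_token_count(m.group(1))
    return count is not None and count >= min_tokens


def looks_like_sober_attachment(filename: str, size: int) -> bool:
    """True if an attachment's name and byte size fit the advisory's pattern."""
    m = _ATTACH_RE.fullmatch(filename)
    if not m:
        return False
    name, ext = m.group("name").lower(), m.group("ext").lower()
    return name in SOBER_ATTACHMENT_NAMES and size == SOBER_ATTACHMENT_SIZES[ext]
```

A hit from either function is a trigger for the DAT-based scan and the Safe Mode removal procedure below, not a verdict on its own.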

Method of Infection

This worm spreads by sending itself to email addresses found on the local system. The worm does not use any exploits in order to execute the attachment automatically. Users must choose to run the attached files in order to become infected.

Removal

All Users
Use the 4347 DAT files for detection and removal.

Because of the way this virus operates, once a machine is successfully infected, read access to its file may be denied. The AV scanner will not be able to detect the file in this case. Because of this, if a machine is suspected to be infected, users are recommended to follow the procedure below:

  1. Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
  2. Run a system scan using the specified engine/DATs.
  3. Delete files flagged as infected.
  4. Restart the machine in default mode.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
  2. The filename used by the worm is constructed from the strings detailed above. For example:
    • rundiscexplorer.exe
    • rundircrypt.exe
    • sys32dirdisc.exe
    • and so on
  3. Delete this randomly-named file from your Windows System directory (typically C:\Windows\System or C:\Winnt\System32).
  4. Delete the following files from the same directory:
      1. spoofed_recips.ocx
      2. syst32win.dll
      3. winhex32xx.wrm
      4. winsys32xx.zzp
  5. Edit the registry. A similar string is constructed for use in the Registry modifications made to hook system startup.
    • Delete the following key:
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\(constructed string)
    • Delete the following value:
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce "constructed string"
  6. Reboot the system into Default Mode.

Stinger
Stinger has been updated to assist in detecting and repairing this threat.

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Sober.F (F-Secure)
  • W32.Sober.F@mm (Symantec)
  • WORM_SOBER.F (Trend)
