Content

W32/Sober.h

Type
Trojan
SubType
E-mail
Discovery Date
06/12/2004
Length
Varies
Minimum DAT
4367 (06/16/2004)
Updated DAT
4383 (08/04/2004)
Minimum Engine
5.1.00
Description Added
06/13/2004
Description Modified
06/23/2004 7:48 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Tab Navigation

Characteristics

-- Update 14th June 2004 --
This threat is considered to be a Low-Profiled risk due to media attention at:

http://computerworld.co.nz/news.nsf/0/D9346AA045E52DCFCC256EB2001EF883?OpenDocument

--

Proactive Detection
 This threat is detected proactively as W32/Sober.gen@MM using the 4349 DATs and 4.3.20 engines with compressed files scanning enabled (default).

This is W32/Sober variant does not replicate itself through emails. Instead, it sends spam emails with a spoofed "from:" field containing political messages. The trojan contains its own SMTP engine. These messages are all in German. The emails may contain any of the following subjects:

Subject:

  • Bankrott des Gesundheitswesens durch Auslaender!
  • Wer an ein Tabu ruehrt, muss und darf vernichtet werden
  • EU Beitritt der Tuerkei ?
  • Bin ich zu weltfremd? Ich glaube wohl kaum
  • Die Deform der sozialen Ordnung
  • Moschee-Bau in Deutschland
  • Augen auf! (So sieht es aus!)
  • Paradies Bundesrepublik - Rente fuer die Welt -
  • Libanesen in Berlin
  • Garather klagen ueber eskalierende Gewalt im Stadtteil!
  • Auslaender erschleichen sich zunehmend Sozialleistungen
  • Auslaenderkriminalitaet steigt weiter!
  • Das kann unmoeglich sein -Leserbrief-
  • Nein zum Zuwanderungsgesetz !
  • Skandalurteil in Darmstadt
  • Auf Kosten der deutschen Beitragszahler und Rentner!
  • Wir haben die Auslaender doch geholt?!
  • TUERKEN-TERROR AM HIMMELFAHRTSTAG
  • MULTI-KULTI-BANDE TYRANNISIERTE MITSCHUELER
  • ASYLANTEN BEGRABSCHTEN DEUTSCHES MAEDCHEN
  • Was Deutschland braucht, sind deutsche Kinder!
  • Diplomatische Zensur
  • EU gibt Erwerbslosen volle Freizuegigkeit
  • Richter unterstuetzt kriminelle Auslaenderin
  • Auslaenderanteile in Schweizer Gefaengnissen
  • Augen auf! (So sieht es aus!)
  • Neue Voelkerwanderung droht!

The body of the emails contains a link to a harmless webpage or comments made by the author. Some mails contain the footer:

  • Kommentar des Sober Autors:
    (Comments from the Sober author)

Email addresses harvested from the system is stored in the following two files found in the %WINDIR%\system directory:

  • llsapwin32.dats
  • mswn32sock.dats

Files with the following file extensions are scanned during the harvesting process (on all local drives and mapped network drives) :

abc; abd; abx; adb; ade; adp; adr; asp; bak; bas; cfg; cgi; cls; cms; csv; ctl; dbx; dhtm; doc; dsp; dsw; eml; fdb; frm; hlp; imb; imh; imh; imm; inbox; ini; jsp; ldb; ldif; log; mbx; mda; mdb; mde; mdw; mdx; mht; mmf; msg; nab; nch; nfo; nsf; nws; ods; oft; php; pl; pmr; pp; ppt; pst; rtf; shtml; slk; sln; stm; tbb; txt; uin; vap; vbs; vcf; wab; wsh; xhtml; xls; xml;

The trojan avoids sending emails to email addresses containing the following strings:

  • .dial.
  • .kundenserver.
  • .ppp.
  • .qmail@
  • .sul.t-
  • @arin
  • @avp
  • @ca.
  • @example.
  • @foo.
  • @from.
  • @gmetref
  • @iana
  • @ikarus.
  • @kaspers
  • @messagelab
  • @msn
  • @nai.
  • @panda
  • @smtp.
  • @sophos
  • @www
  • abuse
  • announce
  • antivir
  • anyone
  • anywhere
  • bellcore.
  • bitdefender
  • clock
  • detection
  • domain.
  • emsisoft
  • ewido.
  • freeav
  • free-av
  • ftp.
  • gold-certs
  • host.
  • icrosoft
  • ipt.aol
  • law2
  • mailer-daemon
  • mantec
  • me@
  • mozilla
  • msdn.
  • mustermann@
  • nlpmail01.
  • nothing
  • reciver@
  • secure
  • smtp-
  • somebody
  • someone
  • spybot
  • sql.
  • subscribe
  • t-dialin
  • time
  • t-ipconnect
  • user@
  • variabel
  • verizon.
  • viren
  • virus
  • whatever@
  • whoever@
  • winrar
  • winzip
  • you@
  • yourname

When run, the following 0 byte files are dropped into the %WINDIR%\systemdirectory:

  • bcegfds.lll
  • cvqaikxt.apk
  • Odin-Anon.Ger
  • zhcarxxi.vvx

The trojan also attempts to run itself at startup by hooking the following registry key:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
    \CurrentVersion\Run  = %WINDIR%\SYSTEM\ .exe

The registry key and filenames used are random, they could be made up of the following strings:

  • sys
  • host
  • dir
  • expolrer
  • win
  • run
  • log
  • 32
  • disc
  • crypt
  • data
  • diag
  • spool
  • service
  • smss32

Symptoms

  • Existence of the above registry keys and filenames.
  • Existence of the file winhlpx32ll.exe
  • Resolves the following URLs by accessing a list of DNS servers
    • microsoft.com
    • bigfoot.com
    • yahoo.com
    • t-online.de
    • google.com
    • hotmail.com
  • The list of DNS servers are randomly generated and may consist of the following IP addresses:
    • 211.167.97.67
    • 217.116.224.253
    • 131.243.64.3
    • 217.116.224.253
    • 200.74.214.246
    • 200.74.214.246
    • 195.182.96.29
    • 195.182.96.29
    • 145.253.2.17
    • 217.237.150.33
    • 217.5.97.137
    • 82.195.234.2
    • 131.243.64.3
    • 212.7.128.162
    • 195.182.96.29


Method of Infection

Trojans need to be manually executed in order to be infected. Iin this case however, this variant may attempt to download and execute a file called winhlpx32ll.exe from the website:

  •  people.freenet.de

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Trojan.Ascetic.A (Symantec)

Characteristics

Characteristics -

-- Update 14th June 2004 --
This threat is considered to be a Low-Profiled risk due to media attention at:

http://computerworld.co.nz/news.nsf/0/D9346AA045E52DCFCC256EB2001EF883?OpenDocument

--

Proactive Detection
 This threat is detected proactively as W32/Sober.gen@MM using the 4349 DATs and 4.3.20 engines with compressed files scanning enabled (default).

This is W32/Sober variant does not replicate itself through emails. Instead, it sends spam emails with a spoofed "from:" field containing political messages. The trojan contains its own SMTP engine. These messages are all in German. The emails may contain any of the following subjects:

Subject:

  • Bankrott des Gesundheitswesens durch Auslaender!
  • Wer an ein Tabu ruehrt, muss und darf vernichtet werden
  • EU Beitritt der Tuerkei ?
  • Bin ich zu weltfremd? Ich glaube wohl kaum
  • Die Deform der sozialen Ordnung
  • Moschee-Bau in Deutschland
  • Augen auf! (So sieht es aus!)
  • Paradies Bundesrepublik - Rente fuer die Welt -
  • Libanesen in Berlin
  • Garather klagen ueber eskalierende Gewalt im Stadtteil!
  • Auslaender erschleichen sich zunehmend Sozialleistungen
  • Auslaenderkriminalitaet steigt weiter!
  • Das kann unmoeglich sein -Leserbrief-
  • Nein zum Zuwanderungsgesetz !
  • Skandalurteil in Darmstadt
  • Auf Kosten der deutschen Beitragszahler und Rentner!
  • Wir haben die Auslaender doch geholt?!
  • TUERKEN-TERROR AM HIMMELFAHRTSTAG
  • MULTI-KULTI-BANDE TYRANNISIERTE MITSCHUELER
  • ASYLANTEN BEGRABSCHTEN DEUTSCHES MAEDCHEN
  • Was Deutschland braucht, sind deutsche Kinder!
  • Diplomatische Zensur
  • EU gibt Erwerbslosen volle Freizuegigkeit
  • Richter unterstuetzt kriminelle Auslaenderin
  • Auslaenderanteile in Schweizer Gefaengnissen
  • Augen auf! (So sieht es aus!)
  • Neue Voelkerwanderung droht!

The body of the emails contains a link to a harmless webpage or comments made by the author. Some mails contain the footer:

  • Kommentar des Sober Autors:
    (Comments from the Sober author)

Email addresses harvested from the system is stored in the following two files found in the %WINDIR%\system directory:

  • llsapwin32.dats
  • mswn32sock.dats

Files with the following file extensions are scanned during the harvesting process (on all local drives and mapped network drives) :

abc; abd; abx; adb; ade; adp; adr; asp; bak; bas; cfg; cgi; cls; cms; csv; ctl; dbx; dhtm; doc; dsp; dsw; eml; fdb; frm; hlp; imb; imh; imh; imm; inbox; ini; jsp; ldb; ldif; log; mbx; mda; mdb; mde; mdw; mdx; mht; mmf; msg; nab; nch; nfo; nsf; nws; ods; oft; php; pl; pmr; pp; ppt; pst; rtf; shtml; slk; sln; stm; tbb; txt; uin; vap; vbs; vcf; wab; wsh; xhtml; xls; xml;

The trojan avoids sending emails to email addresses containing the following strings:

  • .dial.
  • .kundenserver.
  • .ppp.
  • .qmail@
  • .sul.t-
  • @arin
  • @avp
  • @ca.
  • @example.
  • @foo.
  • @from.
  • @gmetref
  • @iana
  • @ikarus.
  • @kaspers
  • @messagelab
  • @msn
  • @nai.
  • @panda
  • @smtp.
  • @sophos
  • @www
  • abuse
  • announce
  • antivir
  • anyone
  • anywhere
  • bellcore.
  • bitdefender
  • clock
  • detection
  • domain.
  • emsisoft
  • ewido.
  • freeav
  • free-av
  • ftp.
  • gold-certs
  • host.
  • icrosoft
  • ipt.aol
  • law2
  • mailer-daemon
  • mantec
  • me@
  • mozilla
  • msdn.
  • mustermann@
  • nlpmail01.
  • nothing
  • reciver@
  • secure
  • smtp-
  • somebody
  • someone
  • spybot
  • sql.
  • subscribe
  • t-dialin
  • time
  • t-ipconnect
  • user@
  • variabel
  • verizon.
  • viren
  • virus
  • whatever@
  • whoever@
  • winrar
  • winzip
  • you@
  • yourname

When run, the following 0 byte files are dropped into the %WINDIR%\systemdirectory:

  • bcegfds.lll
  • cvqaikxt.apk
  • Odin-Anon.Ger
  • zhcarxxi.vvx

The trojan also attempts to run itself at startup by hooking the following registry key:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
    \CurrentVersion\Run  = %WINDIR%\SYSTEM\ .exe

The registry key and filenames used are random, they could be made up of the following strings:

  • sys
  • host
  • dir
  • expolrer
  • win
  • run
  • log
  • 32
  • disc
  • crypt
  • data
  • diag
  • spool
  • service
  • smss32

Symptoms

Symptoms -

  • Existence of the above registry keys and filenames.
  • Existence of the file winhlpx32ll.exe
  • Resolves the following URLs by accessing a list of DNS servers
    • microsoft.com
    • bigfoot.com
    • yahoo.com
    • t-online.de
    • google.com
    • hotmail.com
  • The list of DNS servers are randomly generated and may consist of the following IP addresses:
    • 211.167.97.67
    • 217.116.224.253
    • 131.243.64.3
    • 217.116.224.253
    • 200.74.214.246
    • 200.74.214.246
    • 195.182.96.29
    • 195.182.96.29
    • 145.253.2.17
    • 217.237.150.33
    • 217.5.97.137
    • 82.195.234.2
    • 131.243.64.3
    • 212.7.128.162
    • 195.182.96.29


Method of Infection

Method of Infection -

Trojans need to be manually executed in order to be infected. Iin this case however, this variant may attempt to download and execute a file called winhlpx32ll.exe from the website:

  •  people.freenet.de

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A