W32/Sober.l@MM

Content

W32/Sober.l@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 02/20/2005
Length: varies
Minimum DAT: 4431 (02/21/2005)
Updated DAT: 4633 (11/21/2005)
Minimum Engine: 5.1.00
Description Added: 02/20/2005
Description Modified: 02/21/2005 5:24 AM (PT)

Risk Assessment

Corporate User: Low
Home User: Low

Tab Navigation

Characteristics

This new variant, which is written in VB bears the following characteristics:

contains its own SMTP engine
source/target email addresses are harvested from the victim machine
outgoing messages maybe in English or German
Mail Propagation
spoofs the "From" header of constructed messages

The worm is packed with UPX.

Mail Propagation

The worm extracts target email addresses from the victim machine, and writes them to these files in the %WinDir%\MSAGENT\WIN32\

C:\WINNT\MSAGENT\WIN32\DATAMX1.DAT
C:\WINNT\MSAGENT\WIN32\DATAMX2.DAT
C:\WINNT\MSAGENT\WIN32\DATAMX3.DAT
C:\WINNT\MSAGENT\WIN32\GOTO1.DAT
C:\WINNT\MSAGENT\WIN32\GOTO2.DAT
C:\WINNT\MSAGENT\WIN32\GOTO3.DAT

It drops copies of the MIME encoded ZIP attachments, that it tries to attach to its mails, using this filenames:

C:\WINNT\MSAGENT\WIN32\ZIPEDSO1.BER
C:\WINNT\MSAGENT\WIN32\ZIPEDSO2.BER
C:\WINNT\MSAGENT\WIN32\ZIPEDSO3.B�R

The worm will construct messages using German or English text, depending upon the recipient email address. For recipient addresses containing any of the following, German text is used:

The Mailbody can have different formats, here are some examples listed:

Attachment:

INDICTMENT_CIT9912.ZIP or
TEXT.ZIP
REGISTER_TEXT.ZIP
PATCH_HELP-TEXT.ZIP

The ZIP archive contains a copy of the worm with the following filename:

DOC_DATA-TEXT.TXT (many spaces) .PIF

For example:

Email addresses are harvested from files with the following extensions on the victim's machines:

abc; abd; abx; adb; ade; adp; adr; asp; bak; bas; cfg; cgi; cls; cms; csv; ctl; dbx; dhtm; doc; dsp; dsw; eml; fdb; frm; hlp; imb; imh; imh; imm; inbox; ini; jsp; ldb; ldif; log; mbx; mda; mdb; mde; mdw; mdx; mht; mmf; msg; nab; nch; nfo; nsf; nws; ods; oft; php; phtm; pl; pmr; pp; ppt; pst; rtf; shtml; slk; sln; stm; tbb; txt; uin; vap; vbs; vcf; wab; wsh; xhtml; xls; xml;

The worm avoids sending out mails to addresses containing the following strings:

.dial.
.kundenserver.
.ppp.
@arin
@avp
@ca.
@example.
@foo.
@from.
@gmetref
@iana
@ikarus.
@kaspers
@messagelab
@nai.
@panda
@smtp.
@sophos
@www
abuse
announce
antivir
anyone
anywhere
bellcore.
bitdefender
clock
-dav
detection
domain.
emsisoft
ewido.
freeav
free-av
ftp.
gold-certs
google
host.
icrosoft.
info@
ipt.aol
law2.
linux
mailer-daemon
me@
mozilla
mustermann@
nlpmail01.
noreply
nothing
ntp-
ntp.
ntp@
office
password
postmas
qmail@
reciver@
secure
service
smtp-
somebody
someone
spybot
sql.
subscribe
sul.t-
support
t-dialin
test@
time
t-ipconnect
user@
variabel
verizon.
viren
virus
whatever@
whoever@
winrar
winzip
you@
yourname

Symptoms

Installation

Upon execution, a message is displayed using Notepad on the victim machine:

The worm carries a pool of strings which it uses to construct the filename and Registry keys it uses for installing itself on the victim machine:

sys
host
dir
expoler
win
run
log
32
disc
crypt
data
diag
spool
service
smss32

The constructed filename always has an EXE extension. The worm installs itself into the Windows system directory using this constructed filename, for example:

C:\WINNT\MSAGENT\WIN32\SMSS.EXE.EXE

The following files are also dropped into %WinDir%\MSAGENT\WIN32:

CSRSS.EXE (51688bytes - copy of the worm)
DATAMX1.DAT (contains harvested EMail addresses)
DATAMX2.DAT (contains harvested EMail addresses)
DATAMX3.DAT (contains harvested EMail addresses)
GOTO1.DAT (contains harvested EMail addresses)
GOTO2.DAT (contains harvested EMail addresses)
GOTO3.DAT (contains harvested EMail addresses)

RUNNOWSO.BER (0byte file )

SMSS.EXE (51688bytes - copy of the worm)

WINLOGON.EXE (51688bytes - copy of the worm)

ZIPEDSO1.BER (71048byte MIME encoded copy of the ZIP)

ZIPEDSO2.BER (71048byte MIME encoded copy of the ZIP)

ZIPEDSO3.BER (71048byte MIME encoded copy of the ZIP)

GOTO3.DAT (contains harvested EMail addresses)
RUNNOWSO.BER (0byte file )
SMSS.EXE (51688bytes - copy of the worm)
WINLOGON.EXE (51688bytes - copy of the worm)
ZIPEDSO1.BER (71048byte MIME encoded copy of the ZIP)
ZIPEDSO2.BER (71048byte MIME encoded copy of the ZIP)
ZIPEDSO3.BER (71048byte MIME encoded copy of the ZIP)
GOTO3.DAT (contains harvested EMail addresses)
RUNNOWSO.BER (0byte file )
SMSS.EXE (51688bytes - copy of the worm)
WINLOGON.EXE (51688bytes - copy of the worm)
ZIPEDSO1.BER (71048byte MIME encoded copy of the ZIP)
ZIPEDSO2.BER (71048byte MIME encoded copy of the ZIP)
ZIPEDSO3.BER (71048byte MIME encoded copy of the ZIP)
GOTO3.DAT (contains harvested EMail addresses)
RUNNOWSO.BER (0byte file )
SMSS.EXE (51688bytes - copy of the worm)
WINLOGON.EXE (51688bytes - copy of the worm)
ZIPEDSO1.BER (71048byte MIME encoded copy of the ZIP)
ZIPEDSO2.BER (71048byte MIME encoded copy of the ZIP)
ZIPEDSO3.BER (71048byte MIME encoded copy of the ZIP)

Additionally the following files are dropped to the SYSTEM32 folder:

NONRUNSO.BER (0bytes)
READ.ME (96bytes - harmless ACSII file)
STOPRUNS.ZHZ (0 bytes)

The worm adds two Registry keys to run the copy of itself at system startup. The name of the key is also constructed from the pool of strings the worm carries. For example:

HKEY_CURRENT_USER\Software\Microsoft\Windows
\CurrentVersion\Run "_winsystem.sys" = %WINDIR%\MSAGENT\WIN32\SMSS.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Run "_winsystem.sys" = %WINDIR%\MSAGENT\WIN32\SMSS.EXE
(where %WINDIR% is C:\Windows\ or C:\Winnt\)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Run "_winsystem.sys" = %WINDIR%\MSAGENT\WIN32\SMSS.EXE
(where %WINDIR% is C:\Windows\ or C:\Winnt\)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Run "_winsystem.sys" = %WINDIR%\MSAGENT\WIN32\SMSS.EXE
(where %WINDIR% is C:\Windows\ or C:\Winnt\)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Run "_winsystem.sys" = %WINDIR%\MSAGENT\WIN32\SMSS.EXE
(where %WINDIR% is C:\Windows\ or C:\Winnt\)

(where %WINDIR% is C:\Windows\ or C:\Winnt\)

Network Traffic

Symptoms indicating the worm's presence on a network include:

outgoing messages matching the characteristics described here
unexpected NTP traffic on port 37 TCP
unexpected attempts to log into several GMX accounts (POP3)
unexpected outgoing DNS queries DNS servers on the internet to one or more of the following domains:
- microsoft.com
- bigfoot.com
- yahoo.com
- t-online.de
- google.com
- hotmail.com

At the moment of this writing, there are no executeable files hosted on that URLs.

Method of Infection

This worm is intended to spread by sending itself to email addresses found on the local system. Users must choose to run the attached files in order to become infected.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

This new variant, which is written in VB bears the following characteristics:

contains its own SMTP engine
source/target email addresses are harvested from the victim machine
outgoing messages maybe in English or German
Mail Propagation
spoofs the "From" header of constructed messages

The worm is packed with UPX.

Mail Propagation

The worm extracts target email addresses from the victim machine, and writes them to these files in the %WinDir%\MSAGENT\WIN32\

C:\WINNT\MSAGENT\WIN32\DATAMX1.DAT
C:\WINNT\MSAGENT\WIN32\DATAMX2.DAT
C:\WINNT\MSAGENT\WIN32\DATAMX3.DAT
C:\WINNT\MSAGENT\WIN32\GOTO1.DAT
C:\WINNT\MSAGENT\WIN32\GOTO2.DAT
C:\WINNT\MSAGENT\WIN32\GOTO3.DAT

It drops copies of the MIME encoded ZIP attachments, that it tries to attach to its mails, using this filenames:

C:\WINNT\MSAGENT\WIN32\ZIPEDSO1.BER
C:\WINNT\MSAGENT\WIN32\ZIPEDSO2.BER
C:\WINNT\MSAGENT\WIN32\ZIPEDSO3.B�R

The worm will construct messages using German or English text, depending upon the recipient email address. For recipient addresses containing any of the following, German text is used:

The Mailbody can have different formats, here are some examples listed:

Attachment:

INDICTMENT_CIT9912.ZIP or
TEXT.ZIP
REGISTER_TEXT.ZIP
PATCH_HELP-TEXT.ZIP

The ZIP archive contains a copy of the worm with the following filename:

DOC_DATA-TEXT.TXT (many spaces) .PIF

For example:

The worm avoids sending out mails to addresses containing the following strings:

.dial.
.kundenserver.
.ppp.
@arin
@avp
@ca.
@example.
@foo.
@from.
@gmetref
@iana
@ikarus.
@kaspers
@messagelab
@nai.
@panda
@smtp.
@sophos
@www
abuse
announce
antivir
anyone
anywhere
bellcore.
bitdefender
clock
-dav
detection
domain.
emsisoft
ewido.
freeav
free-av
ftp.
gold-certs
google
host.
icrosoft.
info@
ipt.aol
law2.
linux
mailer-daemon
me@
mozilla
mustermann@
nlpmail01.
noreply
nothing
ntp-
ntp.
ntp@
office
password
postmas
qmail@
reciver@
secure
service
smtp-
somebody
someone
spybot
sql.
subscribe
sul.t-
support
t-dialin
test@
time
t-ipconnect
user@
variabel
verizon.
viren
virus
whatever@
whoever@
winrar
winzip
you@
yourname

Symptoms

Symptoms -

Installation

Upon execution, a message is displayed using Notepad on the victim machine:

The worm carries a pool of strings which it uses to construct the filename and Registry keys it uses for installing itself on the victim machine:

sys
host
dir
expoler
win
run
log
32
disc
crypt
data
diag
spool
service
smss32

The constructed filename always has an EXE extension. The worm installs itself into the Windows system directory using this constructed filename, for example:

C:\WINNT\MSAGENT\WIN32\SMSS.EXE.EXE

The following files are also dropped into %WinDir%\MSAGENT\WIN32:

CSRSS.EXE (51688bytes - copy of the worm)
DATAMX1.DAT (contains harvested EMail addresses)
DATAMX2.DAT (contains harvested EMail addresses)
DATAMX3.DAT (contains harvested EMail addresses)
GOTO1.DAT (contains harvested EMail addresses)
GOTO2.DAT (contains harvested EMail addresses)
GOTO3.DAT (contains harvested EMail addresses)

RUNNOWSO.BER (0byte file )

SMSS.EXE (51688bytes - copy of the worm)

WINLOGON.EXE (51688bytes - copy of the worm)

ZIPEDSO1.BER (71048byte MIME encoded copy of the ZIP)

ZIPEDSO2.BER (71048byte MIME encoded copy of the ZIP)

ZIPEDSO3.BER (71048byte MIME encoded copy of the ZIP)

GOTO3.DAT (contains harvested EMail addresses)
RUNNOWSO.BER (0byte file )
SMSS.EXE (51688bytes - copy of the worm)
WINLOGON.EXE (51688bytes - copy of the worm)
ZIPEDSO1.BER (71048byte MIME encoded copy of the ZIP)
ZIPEDSO2.BER (71048byte MIME encoded copy of the ZIP)
ZIPEDSO3.BER (71048byte MIME encoded copy of the ZIP)
GOTO3.DAT (contains harvested EMail addresses)
RUNNOWSO.BER (0byte file )
SMSS.EXE (51688bytes - copy of the worm)
WINLOGON.EXE (51688bytes - copy of the worm)
ZIPEDSO1.BER (71048byte MIME encoded copy of the ZIP)
ZIPEDSO2.BER (71048byte MIME encoded copy of the ZIP)
ZIPEDSO3.BER (71048byte MIME encoded copy of the ZIP)
GOTO3.DAT (contains harvested EMail addresses)
RUNNOWSO.BER (0byte file )
SMSS.EXE (51688bytes - copy of the worm)
WINLOGON.EXE (51688bytes - copy of the worm)
ZIPEDSO1.BER (71048byte MIME encoded copy of the ZIP)
ZIPEDSO2.BER (71048byte MIME encoded copy of the ZIP)
ZIPEDSO3.BER (71048byte MIME encoded copy of the ZIP)

Additionally the following files are dropped to the SYSTEM32 folder:

NONRUNSO.BER (0bytes)
READ.ME (96bytes - harmless ACSII file)
STOPRUNS.ZHZ (0 bytes)

The worm adds two Registry keys to run the copy of itself at system startup. The name of the key is also constructed from the pool of strings the worm carries. For example:

HKEY_CURRENT_USER\Software\Microsoft\Windows
\CurrentVersion\Run "_winsystem.sys" = %WINDIR%\MSAGENT\WIN32\SMSS.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Run "_winsystem.sys" = %WINDIR%\MSAGENT\WIN32\SMSS.EXE
(where %WINDIR% is C:\Windows\ or C:\Winnt\)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Run "_winsystem.sys" = %WINDIR%\MSAGENT\WIN32\SMSS.EXE
(where %WINDIR% is C:\Windows\ or C:\Winnt\)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Run "_winsystem.sys" = %WINDIR%\MSAGENT\WIN32\SMSS.EXE
(where %WINDIR% is C:\Windows\ or C:\Winnt\)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Run "_winsystem.sys" = %WINDIR%\MSAGENT\WIN32\SMSS.EXE
(where %WINDIR% is C:\Windows\ or C:\Winnt\)

(where %WINDIR% is C:\Windows\ or C:\Winnt\)

Network Traffic

Symptoms indicating the worm's presence on a network include:

outgoing messages matching the characteristics described here
unexpected NTP traffic on port 37 TCP
unexpected attempts to log into several GMX accounts (POP3)
unexpected outgoing DNS queries DNS servers on the internet to one or more of the following domains:
- microsoft.com
- bigfoot.com
- yahoo.com
- t-online.de
- google.com
- hotmail.com

At the moment of this writing, there are no executeable files hosted on that URLs.

Method of Infection

Method of Infection -

This worm is intended to spread by sending itself to email addresses found on the local system. Users must choose to run the attached files in order to become infected.

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A

McAfee > Theat Center > Virus Detail Page

Navigation

Utility Navigation

Global Sites

Need Help?

Threat Center

Segment Navigation

Section Navigation

Content

W32/Sober.l@MM

Risk Assessment

Tab Navigation

Overview

Characteristics

Symptoms

Method of Infection

Removal

Variants

Variants

All Information

Overview -

Characteristics

Characteristics -

Symptoms

Symptoms -

Method of Infection

Method of Infection -

Removal -

Removal -

Variants

Variants -

Threat Resources

Footer