W32/Sober.l@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 02/20/2005
Length: varies
Minimum DAT: 4431 (02/21/2005)
Updated DAT: 4633 (11/21/2005)
Minimum Engine: 5.1.00
Description Added: 02/20/2005
Description Modified: 02/21/2005 5:24 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This new variant, which is written in VB, bears the following characteristics:

  • contains its own SMTP engine
  • source/target email addresses are harvested from the victim machine
  • outgoing messages may be in English or German
  • propagates via mail (see Mail Propagation below)
  • spoofs the "From" header of constructed messages

The worm is packed with UPX.

Mail Propagation

The worm extracts target email addresses from the victim machine and writes them to these files in %WinDir%\MSAGENT\WIN32\:

  • C:\WINNT\MSAGENT\WIN32\DATAMX1.DAT
  • C:\WINNT\MSAGENT\WIN32\DATAMX2.DAT
  • C:\WINNT\MSAGENT\WIN32\DATAMX3.DAT
  • C:\WINNT\MSAGENT\WIN32\GOTO1.DAT
  • C:\WINNT\MSAGENT\WIN32\GOTO2.DAT
  • C:\WINNT\MSAGENT\WIN32\GOTO3.DAT

It drops copies of the MIME-encoded ZIP attachment that it tries to attach to its mails, using these filenames:

  • C:\WINNT\MSAGENT\WIN32\ZIPEDSO1.BER
  • C:\WINNT\MSAGENT\WIN32\ZIPEDSO2.BER
  • C:\WINNT\MSAGENT\WIN32\ZIPEDSO3.BER

The worm will construct messages using German or English text, depending upon the recipient email address. For recipient addresses containing any of the following, German text is used:

  • .de
  • .at
  • .ch

The mail body can take different formats; some examples are listed here:


Attachment:

  • INDICTMENT_CIT9912.ZIP
  • TEXT.ZIP
  • REGISTER_TEXT.ZIP
  • PATCH_HELP-TEXT.ZIP

The ZIP archive contains a copy of the worm with the following filename:

  • DOC_DATA-TEXT.TXT (many spaces) .PIF


For example:

Email addresses are harvested from files with the following extensions on the victim's machine:

abc; abd; abx; adb; ade; adp; adr; asp; bak; bas; cfg; cgi; cls; cms; csv; ctl; dbx; dhtm; doc; dsp; dsw; eml; fdb; frm; hlp; imb; imh; imh; imm; inbox; ini; jsp; ldb; ldif; log; mbx; mda; mdb; mde; mdw; mdx; mht; mmf; msg; nab; nch; nfo; nsf; nws; ods; oft; php; phtm; pl; pmr; pp; ppt; pst; rtf; shtml; slk; sln; stm; tbb; txt; uin; vap; vbs; vcf; wab; wsh; xhtml; xls; xml;

The worm avoids sending out mails to addresses containing the following strings:

  • .dial.
  • .kundenserver.
  • .ppp.
  • @arin
  • @avp
  • @ca.
  • @example.
  • @foo.
  • @from.
  • @gmetref
  • @iana
  • @ikarus.
  • @kaspers
  • @messagelab
  • @nai.
  • @panda
  • @smtp.
  • @sophos
  • @www
  • abuse
  • announce
  • antivir
  • anyone
  • anywhere
  • bellcore.
  • bitdefender
  • clock
  • -dav
  • detection
  • domain.
  • emsisoft
  • ewido.
  • freeav
  • free-av
  • ftp.
  • gold-certs
  • google
  • host.
  • icrosoft.
  • info@
  • ipt.aol
  • law2.
  • linux
  • mailer-daemon
  • me@
  • mozilla
  • mustermann@
  • nlpmail01.
  • noreply
  • nothing
  • ntp-
  • ntp.
  • ntp@
  • office
  • password
  • postmas
  • qmail@
  • reciver@
  • secure
  • service
  • smtp-
  • somebody
  • someone
  • spybot
  • sql.
  • subscribe
  • sul.t-
  • support
  • t-dialin
  • test@
  • time
  • t-ipconnect
  • user@
  • variabel
  • verizon.
  • viren
  • virus
  • whatever@
  • whoever@
  • winrar
  • winzip
  • you@
  • yourname

Symptoms

Installation

Upon execution, a message is displayed using Notepad on the victim machine:

The worm carries a pool of strings which it uses to construct the filename and Registry keys it uses for installing itself on the victim machine:

  • sys
  • host
  • dir
  • expoler
  • win
  • run
  • log
  • 32
  • disc
  • crypt
  • data
  • diag
  • spool
  • service
  • smss32

The constructed filename always has an EXE extension. The worm installs itself into the Windows system directory using this constructed filename, for example:

  • C:\WINNT\MSAGENT\WIN32\SMSS.EXE.EXE

The following files are also dropped into %WinDir%\MSAGENT\WIN32:

  • CSRSS.EXE (51688 bytes - copy of the worm)
  • DATAMX1.DAT (contains harvested email addresses)
  • DATAMX2.DAT (contains harvested email addresses)
  • DATAMX3.DAT (contains harvested email addresses)
  • GOTO1.DAT (contains harvested email addresses)
  • GOTO2.DAT (contains harvested email addresses)
  • GOTO3.DAT (contains harvested email addresses)
  • RUNNOWSO.BER (0-byte file)
  • SMSS.EXE (51688 bytes - copy of the worm)
  • WINLOGON.EXE (51688 bytes - copy of the worm)
  • ZIPEDSO1.BER (71048 bytes - MIME-encoded copy of the ZIP)
  • ZIPEDSO2.BER (71048 bytes - MIME-encoded copy of the ZIP)
  • ZIPEDSO3.BER (71048 bytes - MIME-encoded copy of the ZIP)

Additionally the following files are dropped to the SYSTEM32 folder:

  • NONRUNSO.BER (0 bytes)
  • READ.ME (96 bytes - harmless ASCII file)
  • STOPRUNS.ZHZ (0 bytes)

The worm adds two Registry keys to run the copy of itself at system startup. The name of the key is also constructed from the pool of strings the worm carries. For example:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows
    \CurrentVersion\Run "_winsystem.sys" = %WINDIR%\MSAGENT\WIN32\SMSS.EXE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
    \CurrentVersion\Run "_winsystem.sys" = %WINDIR%\MSAGENT\WIN32\SMSS.EXE

    (where %WINDIR% is C:\Windows\ or C:\Winnt\)

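The installation artifacts above (worm copies and data files under %WINDIR%\MSAGENT\WIN32, the marker files in SYSTEM32, and a Run value pointing into the drop directory) can be checked mechanically. This is an added example, not the vendor's tool or the worm's code; it works on a constructed snapshot of file paths, sizes and Run-key entries, and the sample data is made up to match the advisory.

```python
# Added host-artifact check for the indicators in this advisory (example code).

RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
}
SYSTEM32_DROPS = {"NONRUNSO.BER", "READ.ME", "STOPRUNS.ZHZ"}
WORM_COPY_SIZE = 51688  # bytes, per the advisory


def scan_snapshot(files, run_entries):
    """files: {path: size_in_bytes}; run_entries: {run_key: {value_name: data}}.
    Returns a sorted list of findings (empty when nothing matches)."""
    findings = []
    for path, size in files.items():
        head, _, name = path.upper().rpartition("\\")
        if "\\MSAGENT\\WIN32" in head:
            # Worm copies use legitimate-looking names in the wrong directory.
            if name.endswith(".EXE") and size == WORM_COPY_SIZE:
                findings.append("worm copy: " + path)
            elif name.endswith((".DAT", ".BER")):
                findings.append("worm data file: " + path)
        elif head.endswith("\\SYSTEM32") and name in SYSTEM32_DROPS:
            findings.append("marker file: " + path)
    # The Run value name is built from the worm's string pool and varies;
    # the durable indicator is the data path under \MSAGENT\WIN32\.
    for key, values in run_entries.items():
        if key.upper() not in {k.upper() for k in RUN_KEYS}:
            continue
        for value_name, data in values.items():
            if "\\MSAGENT\\WIN32\\" in data.upper():
                findings.append(f'persistence: {key} "{value_name}" = {data}')
    return sorted(findings)


# Constructed snapshot of an infected host (sample data, not a real capture).
INFECTED_FILES = {
    r"C:\WINNT\MSAGENT\WIN32\SMSS.EXE": 51688,
    r"C:\WINNT\MSAGENT\WIN32\CSRSS.EXE": 51688,
    r"C:\WINNT\MSAGENT\WIN32\DATAMX1.DAT": 2048,
    r"C:\WINNT\MSAGENT\WIN32\ZIPEDSO1.BER": 71048,
    r"C:\WINNT\SYSTEM32\STOPRUNS.ZHZ": 0,
    r"C:\WINNT\SYSTEM32\SMSS.EXE": 50000,  # the real smss.exe: must not match
}
INFECTED_RUN = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {
        "_winsystem.sys": r"C:\WINNT\MSAGENT\WIN32\SMSS.EXE",
        "VendorAgent": r"C:\Program Files\Vendor\agent.exe",  # benign entry
    },
}
```

On a live host the two dictionaries would be filled from a directory walk and a read of the two Run keys; the legitimate SMSS.EXE in SYSTEM32 is deliberately included to show it is not flagged.
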
Network Traffic

Symptoms indicating the worm's presence on a network include:

  • outgoing messages matching the characteristics described here
  • unexpected NTP traffic on port 37 TCP
  • unexpected attempts to log into several GMX accounts (POP3)
  • unexpected outgoing DNS queries to DNS servers on the internet for one or more of the following domains:
    • microsoft.com
    • bigfoot.com
    • yahoo.com
    • t-online.de
    • google.com
    • hotmail.com

At the moment of this writing, there are no executable files hosted at those URLs.
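The network symptoms listed above can be turned into a simple log rule: flag internal hosts that open TCP/37 to the internet, log into GMX over POP3, or query internet DNS servers directly for the listed domains instead of going through the site's resolvers. This is an added example, not from the advisory; the key=value log format, the internal resolver address and the GMX hostname check are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Indicators from the advisory's Network Traffic section.
TIME_PORT = 37   # the advisory lists unexpected TCP/37 traffic (it calls it NTP)
POP3_PORT = 110
DNS_DOMAINS = {"microsoft.com", "bigfoot.com", "yahoo.com",
               "t-online.de", "google.com", "hotmail.com"}
# Assumed, site-specific: the internal resolvers workstations should use.
INTERNAL_RESOLVERS = {"10.0.0.53"}

KV = re.compile(r"(\w+)=(\S+)")  # assumed key=value firewall log format


def analyze(lines):
    """Map each source IP showing one of the symptoms to its sorted reasons."""
    hits = defaultdict(set)
    for line in lines:
        f = dict(KV.findall(line))
        src, dst, proto = f.get("src"), f.get("dst"), f.get("proto")
        port = int(f.get("dport", "0"))
        if proto == "tcp" and port == TIME_PORT:
            hits[src].add("tcp/37 to " + dst)
        elif proto == "tcp" and port == POP3_PORT and f.get("dsthost", "").endswith("gmx.net"):
            hits[src].add("pop3 login to GMX")
        elif port == 53 and dst not in INTERNAL_RESOLVERS:
            # A workstation querying an internet DNS server directly for one
            # of the listed domains is the advisory's symptom; queries through
            # the internal resolver are normal and are not flagged.
            qname = f.get("qname", "").lower().rstrip(".")
            base = ".".join(qname.split(".")[-2:])
            if base in DNS_DOMAINS:
                hits[src].add("direct external DNS for " + base)
    return {src: sorted(reasons) for src, reasons in hits.items()}


# Constructed firewall log (sample data, not a real capture).
SAMPLE_LOG = """\
ts=2005-02-21T08:00:01 src=10.0.0.5 dst=203.0.113.7 proto=tcp dport=37
ts=2005-02-21T08:00:02 src=10.0.0.5 dst=198.51.100.2 proto=udp dport=53 qname=mx1.t-online.de.
ts=2005-02-21T08:00:03 src=10.0.0.5 dst=198.51.100.9 proto=tcp dport=110 dsthost=pop.gmx.net
ts=2005-02-21T08:00:04 src=10.0.0.8 dst=10.0.0.53 proto=udp dport=53 qname=www.google.com.
ts=2005-02-21T08:00:05 src=10.0.0.8 dst=198.51.100.20 proto=tcp dport=443
""".splitlines()

if __name__ == "__main__":
    for src, reasons in analyze(SAMPLE_LOG).items():
        print(src, reasons)
```
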

Method of Infection

This worm is intended to spread by sending itself to email addresses found on the local system. Users must choose to run the attached files in order to become infected.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
