W32/Sober.o@MM!M414
- Type: Virus
- SubType:
- Discovery Date: 04/18/2005
- Length: 73,541 bytes
- Minimum DAT: 4472 (04/19/2005)
- Updated DAT: 4984 (03/14/2007)
- Minimum Engine: 5.1.00
- Description Added: 04/18/2005
- Description Modified: 04/21/2005 1:42 PM (PT)
Characteristics
This mass-mailing worm arrives in an email message designed to trick the recipient into thinking that someone else is receiving their email. The message looks like this:
Subject: I've_got your EMail on my_account!
Body: Hello, First, Very Sorry for my bad English. Someone is sending your private e-mails on my address.
Attachment: your_text.zip (containing the file mail.document.Datex-packed.exe)
A German version of the message is also sent:
Subject: FwD: Ich bin's nochmal Aber bitte nicht woanders darueber Reden, ich wuerde mich dann zu Tode blamieren! Ich melde mich.
(English: "Fwd: It's me again. But please don't talk about it anywhere else, I'd be embarrassed to death! I'll get back to you.")
Attachment: Private-Texte.zip (containing the file mail.document.Datex-packed.exe)
Manually opening the archive and choosing to run the contained executable will infect the local system.
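The lure described above can be matched at a mail gateway on three points: the subject line, the archive name, and the name of the executable inside the ZIP. The following Python helper is an added example, not code from the original description; it uses only the indicators quoted above, and build_sample() constructs a harmless look-alike message (placeholder bytes, not the worm) so the check can be exercised offline.

```python
import email
from email import policy
from email.message import EmailMessage
import io
import zipfile

# Indicators quoted from the description above.
LURE_SUBJECTS = (
    "I've_got your EMail on my_account!",
    "FwD: Ich bin's nochmal",
)
LURE_ARCHIVES = {"your_text.zip", "private-texte.zip"}
DROPPER_NAME = "mail.document.datex-packed.exe"

def inspect_message(raw_bytes):
    """Return the indicators matched by one raw RFC 822 message (empty list = no match)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    subject = str(msg.get("Subject", ""))
    if subject.startswith(LURE_SUBJECTS):
        hits.append("subject:" + subject)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in LURE_ARCHIVES:
            hits.append("attachment:" + name)
        payload = part.get_payload(decode=True) or b""
        if not payload.startswith(b"PK"):
            continue  # only ZIP containers carry the dropper
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = []
        hits.extend("zip-member:" + m for m in members if m.lower() == DROPPER_NAME)
    return hits

def build_sample():
    """Construct a harmless look-alike message (placeholder bytes, not the worm)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mail.document.Datex-packed.exe", b"placeholder, not an executable")
    m = EmailMessage()
    m["Subject"] = "I've_got your EMail on my_account!"
    m["From"] = "sender@example.invalid"
    m["To"] = "victim@example.invalid"
    m.set_content("Hello, First, Very Sorry for my bad English.")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename="your_text.zip")
    return m.as_bytes()
```

Matching on the inner ZIP member name is the most durable of the three checks, since subjects and archive names vary between the English and German lures while the dropper name does not.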
Symptoms
Registry Symptoms
When run, the virus copies itself to C:\WINDOWS\Config\system\services.exe and creates two registry Run values to load itself at system startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "_SystemCheck" = C:\WINDOWS\Config\system\services.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run " SystemCheck" = C:\WINDOWS\Config\system\services.exe
Visual Symptoms
The worm creates a text file, mail.document.Datex-packed.txt, in the %temp% directory and opens it in Notepad. This file can be too large for Notepad to display, so users may see an error message stating:
This file is too large for Notepad to open. Would you like to use Wordpad instead?
The text file contains gibberish:
UnPack failed
wsmitooicezlje{mlvcnsglridjaqfvcvyoauwptrxllxeqneumoiukiqr}
tuhxbkjatgxoo}ckgeziohzpomdys{c|tfubvbyrhe{qitunzgriae}cnzuaiwiz}
ywrugf}yljysbnlk|ruqfwtlrx}
etc
File Symptoms
Other files are also created:
- c:\WINDOWS\Config\system\maddys.xyz (contains a list of harvested email addresses)
- c:\WINDOWS\Config\system\zipped.wrm (MIME encoded ZIP archive containing the worm)
- c:\WINDOWS\system32\adcmmmmq.hjg
- c:\WINDOWS\system32\langeinf.lin
- c:\WINDOWS\system32\nonrunso.ber
- c:\WINDOWS\system32\xcvfpokd.tqa
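As an added example (not part of the original description), the following Python triage helper checks a list of observed file paths and a dump of the Run keys against the artifacts listed under Registry Symptoms and File Symptoms. It matches paths by suffix so that the C:\Winnt layout mentioned under Removal is covered as well, and it flags any Run value that launches a services.exe, since the legitimate one in System32 is never started that way.

```python
import ntpath

# Artifacts quoted from the Registry Symptoms and File Symptoms sections, given relative
# to the Windows directory so both C:\WINDOWS and C:\Winnt installations match.
WORM_BINARY = r"config\system\services.exe"
DROPPED_FILES = [
    r"config\system\maddys.xyz",
    r"config\system\zipped.wrm",
    r"system32\adcmmmmq.hjg",
    r"system32\langeinf.lin",
    r"system32\nonrunso.ber",
    r"system32\xcvfpokd.tqa",
]
# Run key (lower-cased) -> value name the worm writes under it.
RUN_VALUES = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run": "_SystemCheck",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": " SystemCheck",
}

def triage(present_paths, run_values):
    """present_paths: file paths observed on the host.
    run_values: (key, value_name, data) triples dumped from the Run keys.
    Returns (findings, verdict) where verdict is 'infected' or 'clean'."""
    findings = []
    seen = [p.lower() for p in present_paths]
    for rel in [WORM_BINARY] + DROPPED_FILES:
        for p in seen:
            if p.endswith("\\" + rel):
                findings.append("file:" + p)
    for key, name, data in run_values:
        data_l = data.lower()
        if RUN_VALUES.get(key.lower()) == name and data_l.endswith("\\" + WORM_BINARY):
            findings.append(f'registry:{key} "{name}" = {data}')
        elif ntpath.basename(data_l) == "services.exe":
            # The legitimate services.exe lives in System32 and is never launched from a
            # Run value, so any Run entry starting a services.exe deserves a look.
            findings.append("registry:suspect-services-entry:" + data)
    return findings, ("infected" if findings else "clean")
```

Because a running infection can deny read access to its own file (see Removal), feed the file list from a scan taken in Safe Mode or from an offline image rather than trusting a live directory listing.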
Network Symptoms
The worm attempts to contact several time servers over the TIME protocol (TCP port 37). Outbound connections to TCP port 37 are uncommon on end-user systems and are therefore a useful network indicator:
- ntp3.fau.de
- timelord.ureqina.ca
- time-server.ndo.com
- ntp-sop.inria.fr
- ntp.pads.ufrj.br
- time-a.timefreq.bldrdoc.gov
During our analysis, we noticed the following dialog appearing. This was not observed every time the worm was executed, but it occasionally happened on Windows 2000 and Windows XP a few minutes after execution:
Method of Infection
This worm spreads via email. It sends itself to email addresses that are harvested from files containing the following extensions:
- pmr
- phtm
- stm
- slk
- inbox
- imb
- csv
- bak
- imh
- xhtml
- imm
- imh
- cms
- nws
- vcf
- ctl
- dhtm
- cgi
- pp
- ppt
- msg
- jsp
- oft
- vbs
- uin
- ldb
- abc
- pst
- cfg
- mdw
- mbx
- mdx
- mda
- adp
- nab
- fdb
- vap
- dsp
- ade
- sln
- dsw
- mde
- frm
- bas
- adr
- cls
- ini
- ldif
- log
- mdb
- xml
- wsh
- tbb
- abx
- abd
- adb
- pl
- rtf
- mmf
- doc
- ods
- nch
- xls
- nsf
- txt
- wab
- eml
- hlp
- mht
- nfo
- php
- asp
- shtml
- dbx
While avoiding addresses containing the following strings:
- @www
- @from.
- smtp-
- @smtp.
- ftp.
- .dial.
- .ppp.
- anyone
- @gmetref
- sql.
- someone
- nothing
- you@
- user@
- reciver@
- somebody
- secure
- whatever@
- whoever@
- anywhere
- yourname
- mustermann@
- mailer-daemon
- variabel
- noreply
- -dav
- law2
- .qmail@
- freeav
- @ca.
- abuse
- winrar
- domain.
- host.
- viren
- bitdefender
- spybot
- detection
- ewido.
- emsisoft
- linux
- @foo.
- winzip
- @example.
- bellcore.
- @arin
- @iana
- @avp
- icrosoft.
- @sophos
- @panda
- @kaspers
- free-av
- antivir
- virus
- verizon.
- @ikarus.
- @nai.
- @messagelab
- nlpmail01.
- clock
Removal
All Users
Use the latest engine and DAT files for detection and removal.
Because of the way this virus operates, read access to its file may be denied once a machine is infected, and the AV scanner will then be unable to detect the file. For this reason, if a machine is suspected to be infected, users are recommended to follow the procedure below:
- Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
- Run a system scan using the specified engine/DATs.
- Delete files flagged as infected.
- Restart the machine in default mode.
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
- Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
- The filename used by the worm is SERVICES.EXE. Delete this file from the directory the worm installed it in (typically C:\Windows\Config\System or C:\Winnt\Config\System). Do not delete the legitimate services.exe that lives in the System32 directory.
- Delete the following files from the same directory:
  - zipped.wrm
  - maddys.xyz
- Delete the following files from the %Sysdir% folder:
  - adcmmmmq.hjg
  - langeinf.lin
  - nonrunso.ber
  - xcvfpokd.tqa
- Edit the registry and delete the following values, which hook system startup:
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run " SystemCheck"
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce " SystemCheck"
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "_SystemCheck" (listed under Registry Symptoms above)
- Reboot the system into Default Mode.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- CME-414
- W32.Sober.N@mm (Symantec)
- W32/Sober-M (Sophos)
- W32/Sober.o@MM
- WORM_SOBER.N (Trend)