Threat Encyclopedia

Subtitle

Virus, spyware, worms and other threat descriptions

Selected viruses, spyware, and other threats: sorted alphabetically

0-9
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
 

Win32/Sober.N

Sober.N is a typical mass mailing E-mail worm, the size is 73541 bytes and the worm is runtime compressed by UPX, an executable runtime packer and patched to avoid unpacking.

Note: In the following text, %windir% denotes Windows directory (e.g. C:\WINDOWS) and %system% denotes Windows System directory (e.g. C:\WINDOWS\SYSTEM32) as they differ on various versions of Microsoft Windows.

Installation and Autostart Techniques

Upon execution, it creates a file in the temp folder, opens it with notepad and displays the text

UnPack failed

followed by random binary strings.

The worm then copies itself in the "%windir%\Config\system\" folder as "services.exe".

Two other files are created in the same folder: "zipped.wrm" contains a MIME encoded copy of the worm as a zip file and "maddys.xyz" contains email addresses collected from the infected system.

It also creates several files in the %system% folder:

adcmmmmq.hjg
langeinf.lin
nonrunso.ber
xcvfpokd.tqa

Note: This files are not malicious and therefore not detected as part of the worm.

The worm adds the following registry keys to the registry to make sure that it runs every time windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"SystemCheck" = "%WINDOWS%\Config\system\services.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"_SystemCheck" = "%WINDOWS%\Config\system\services.exe"


E-mail harvesting

The worm scans all fixed disks and collects E-mail addresses out of files which match one of the following file extensions:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi
pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp
ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf
doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

E-mail Sender

The sender e-mail addresses are spoofed and may appear to be sent by a familiar source.
This worm uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to other e-mail addresses.

E-mail subjects

E-mail subjects are chosen depending on the recipient's address

I've_got your EMail on my_account!

for German speaking domains:

FwD: Ich bin's nochmal

Message Body

The e-mail contains one of the following message texts:

Hello,
First, Very Sorry for my bad English.
Someone is sending your private e-mails on my address.
It's probably an e-mail provider error!
At time, I've got over 10 mails on my account, but the recipient are you.

I have copied all the mail text in the windows text-editor for you &
zipped then.
Make sure, that this mails don't come in my mail-box again.

bye

or for German speaking domains:

Verdammt,,,,
ich hatte vergessen Dir meinen Text mitzuschicken.

Aber bitte nicht woanders darueber Reden, ich wuerde mich dann zu Tode blamieren!

Ich melde mich.
Bis bald ;)
E-mail Attachments

The worm attaches to a German recipient's domain with a self-copy as:

Private-Texte.zip

or as:

your_text.zip

to all other domains.

Note: The ZIP attachment contains the executable worm mail.document.Datex-packed.exe

The worm avoids e-mail addresses which contain parts of the following list:

@www @from. smtp- @smtp. ftp. .dial. .ppp. anyone @gmetref sql. someone
nothing you@ user@ reciver@ somebody secure whatever@ whoever@
anywhere yourname mustermann@ mailer-daemon variabel noreply -dav law2
.qmail@ freeav @ca. abuse winrar domain. host. viren bitdefender spybot detection
ewido. emsisoft linux @foo. winzip @example. bellcore. @arin @iana @avp icrosoft.
@sophos @panda @kaspers free-av antivir virus verizon. @ikarus. @nai. @messagelab nlpmail01. clock

The worm tries to connect to the following time-servers:

ntp3.fau.de
timelord.ureqina.ca
time-server.ndo.com
ntp-sop.inria.fr
ntp.pads.ufrj.br
time-a.timefreq.bldrdoc.gov

Note: These strings are encrypted and stored in the worm.

Other Details

The worm also carries around an encrypted executable at the end of the worm host file and tries to terminate several cleaner tools. For instance Microsoft's Malicious Software Removal Tool.
Sober.N patches the TCPIP.SYS driver to extend the maximum available connections.

©1992-2005 Eset All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission