Threat Encyclopedia


Win32/Sober.D

Win32/Sober.D is a worm that spreads in the form of an e-mail file attachment. The message imitates a Microsoft security patch notice.

Note: In the following text the symbolic inscription %windir% stands for the directory in which the Windows operating system is installed; this differs from installation to installation. The System or System32 subdirectory of %windir% is referred to as %system%.

When first run on the infected computer, it displays one of the following messages:

This patch does not need to be installed on this system.
This patch has been successfully installed. Status:OK

It then copies itself into the %system% directory under a random name built by combining some of the following strings:

sys
host
dir
explorer
win
run
log
32
disc
crypt
data
diag
spool
service
smss32

To make sure it is run after each computer restart, the worm modifies the following registry keys:

In the key HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce it adds the entry: %system%\<filename>.exe %1

In the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run it creates a randomly named entry with the value: %system%\<filename>.exe

Here <filename>.exe is the file name the worm used when it copied itself into the %system% directory. The names of the registry entries are built from the same strings as that file name.

The worm creates the following two files, which contain the message bodies used for further spreading: temp32x.data and wintmpx33.dat

The message bodies are encoded using the base64 format.

The worm harvests e-mail addresses for spreading from files on the infected computer with the following extensions:

ini
log
mdb
tbb
abd
adb
pl
rtf
doc
xls
txt
wab
eml
php
asp
shtml
dbx
wab
tbb
abd
adb
pl

It stores the harvested e-mail addresses in the file %system%/mslogs32.dll
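The artifacts described above (a copy named from the listed fragments, the Run/RunOnce entries pointing at it, the two message-store files and the address store) can be checked offline against a registry export and a directory listing of %system%. The following Python is an added example written for this entry, not ESET's or NOD32's code; the registry entries and file listing it inspects are constructed samples, and requiring at least two name fragments is a heuristic choice to avoid flagging legitimate single-word names such as explorer.exe or service.exe.

```python
import base64
import binascii
import re

# Name fragments the worm combines into its file name and Run/RunOnce value names (from the entry).
SOBER_D_TOKENS = [
    "sys", "host", "dir", "explorer", "win", "run", "log", "32",
    "disc", "crypt", "data", "diag", "spool", "service", "smss32",
]
# Auxiliary files the entry says the worm writes into %system%:
# the two base64 message stores and the harvested-address store.
SOBER_D_DATA_FILES = {"temp32x.data", "wintmpx33.dat", "mslogs32.dll"}
# Autostart keys the entry names (compared case-insensitively).
RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runonce",
}


def min_token_tiling(stem):
    """Smallest number of worm fragments that exactly tile `stem`, or 0 if it cannot be tiled."""
    s = stem.lower()
    inf = len(s) + 1
    best = [inf] * (len(s) + 1)
    best[0] = 0
    for i in range(1, len(s) + 1):
        for tok in SOBER_D_TOKENS:
            n = len(tok)
            if i >= n and s[i - n:i] == tok and best[i - n] + 1 < best[i]:
                best[i] = best[i - n] + 1
    return 0 if best[len(s)] >= inf else best[len(s)]


def looks_like_sober_name(stem):
    # Heuristic (assumption): demand at least two fragments, e.g. "winlogdata" or "syshost32".
    return min_token_tiling(stem) >= 2


# "<dir>\<stem>.exe", optionally followed by the " %1" the RunOnce entry carries.
_RUN_DATA_RE = re.compile(r"^(?P<dir>.+)\\(?P<stem>[^\\]+)\.exe(?P<arg> %1)?$", re.IGNORECASE)


def suspicious_run_entries(entries, system_dir):
    """entries: (key, value_name, data) triples from a registry export. Returns the worm-like ones."""
    hits = []
    for key, value_name, data in entries:
        if key.lower() not in RUN_KEYS:
            continue
        m = _RUN_DATA_RE.match(data.strip())
        if not m or m.group("dir").lower() != system_dir.lower():
            continue  # the worm's copy lives in %system%, anything else is out of scope here
        if looks_like_sober_name(m.group("stem")) or looks_like_sober_name(value_name):
            hits.append((key, value_name, data))
    return hits


def suspicious_system_files(listing):
    """Return file names from a %system% listing that match the worm's drop names."""
    flagged = set()
    for name in listing:
        low = name.lower()
        if low in SOBER_D_DATA_FILES:
            flagged.add(name)
        elif low.endswith(".exe") and looks_like_sober_name(low[:-4]):
            flagged.add(name)
    return sorted(flagged)


def decode_message_store(blob):
    """The message stores are base64; return the decoded text, or None if the blob is not base64."""
    try:
        raw = base64.b64decode(b"".join(blob.split()), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


# Constructed sample data (not a real capture).
SAMPLE_SYSTEM_DIR = r"C:\WINDOWS\System32"
SAMPLE_REGISTRY = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "winlogdata", r"C:\WINDOWS\System32\winlogdata.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce", "syshost32", r"C:\WINDOWS\System32\syshost32.exe %1"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon", r"C:\WINDOWS\System32\ctfmon.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "runlog", r"C:\Program Files\Tool\runlog.exe"),
]
SAMPLE_LISTING = ["kernel32.dll", "spoolsv.exe", "services.exe", "winlogdata.exe",
                  "temp32x.data", "wintmpx33.dat", "mslogs32.dll"]

if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_REGISTRY, SAMPLE_SYSTEM_DIR):
        print("registry:", hit)
    for name in suspicious_system_files(SAMPLE_LISTING):
        print("file:", name)
    print(decode_message_store(base64.b64encode(b"Microsoft Alert: Please Read!")))
```

The tiling check is deliberately strict: a name is only flagged when it can be built entirely from the listed fragments, so random names that merely contain "win" or "sys" are not reported, and the directory test keeps the registry check focused on copies in %system% as the entry describes.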

The worm avoids e-mail addresses containing one of the following strings:

@arin
@avp
@foo.
@iana
@ikarus.
@kaspers
@messagelab
@msn.
@nai.
@ntp.
@panda
@sophos
abuse
admin
antivir
bitdefender
clock
detection
domain.
emsisoft
ewido.
free-av
google
host.
hotmail
info@
linux
microsoft.
mozilla
ntp-
ntp@
office
password
postmas
redaktion
service
spybot
support
symant
t-online
time
variabel
verizon.
viren
virus
winrar
winzip

Characteristics of the worm's e-mail messages:

The worm carries the message in both English and German. If the recipient's domain is .de, .at, .ch or .li, or the e-mail address contains the string @gmx, the worm uses the German message; otherwise it uses the English one.

The first part of the sender's e-mail address is randomly selected from the following strings:

Info
Center
UpDate
News
Help
Studio
Alert
Patch
Security

The second part of the sender's e-mail address is one of the following:

  • German version: @microsoft.de or @microsoft.at
  • English version: @microsoft.com

The English version:

Subject:

Microsoft Alert: Please Read!

Message body:

New MyDoom Virus Variant Detected!
A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet.
Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus.
The worm also has a backdoor Trojan capability.
By default, the Trojan component listens on port 13468.

Protection:
Please download this digitally signed attachment.
This Update includes the functionality of previously released patches.

+++ ©2004 Microsoft Corporation. All rights reserved.
+++ One Microsoft Way, Redmond, Washington 98052
+++ Restricted Rights at 48 CFR 52.227-19

The German version:

Subject:

Microsoft Alarm: Bitte Lesen!

Message body:

Neue Virus-Variante W32.Mydoom verbreitet sich schnell.
Eine neue Mydoom-Variante verbreitet sich derzeit rasend schnell im Internet.
Wie seine Vorgänger verschickt sich der Wurm von infizierten Windows-Rechnern per E-Mail an weitere Adressen.
Zudem installiert er auf infizierten Systemen einen gefährlichen Trojaner!

Führende Virenspezialisten melden bereis ein vermehrtes Aufkommen des W32.Mydoom alias W32.Novarg.

Bitte daten Sie Ihr System mit dem Patch ab, um sich vor diesem Schädling zu schützen!
+++ ©2004 Microsoft Corporation. Alle Rechte vorbehalten.
+++ Microsoft Deutschland GmbH, Konrad-Zuse-Strasse 1
+++ 85716 Unterschleissheim, HRB 70438, DE 129 415 943

The attachment contains either the worm itself or a ZIP archive.
The attachment name is one of the following:

Patch
MS-Security
MS-UD
UpDate
sys-patch

and may be extended with a random number.
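The message characteristics listed above (sender local part and domain, subject, language selection by recipient domain, and attachment name) are enough to match a message against this worm's template at a mail gateway. The following Python is an added example for this entry, not ESET's code; the sample messages are constructed inline, and the .exe/.zip attachment extensions are an assumption, since the entry only says the attachment is the worm or a ZIP archive.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Sender local parts, sender domains and subjects as listed in the entry.
SENDER_LOCAL_PARTS = {"info", "center", "update", "news", "help", "studio", "alert", "patch", "security"}
SENDER_DOMAINS = {"microsoft.com", "microsoft.de", "microsoft.at"}
SUBJECT_LANGUAGE = {
    "microsoft alert: please read!": "en",
    "microsoft alarm: bitte lesen!": "de",
}
# Attachment base names from the entry, optionally extended by a number.
# The .exe/.zip extensions are an assumption, not stated in the entry.
ATTACHMENT_RE = re.compile(r"^(patch|ms-security|ms-ud|update|sys-patch)\d*\.(exe|zip)$", re.IGNORECASE)
GERMAN_TLDS = (".de", ".at", ".ch", ".li")


def expected_language(recipient):
    """Language the worm would choose for this recipient, following the entry's rule."""
    addr = recipient.lower()
    if "@gmx" in addr or addr.endswith(GERMAN_TLDS):
        return "de"
    return "en"


def match_sober_d(raw):
    """Score one RFC 822 message (bytes) against the worm's message template."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    local, _, domain = parseaddr(str(msg["From"] or ""))[1].lower().partition("@")
    recipient = parseaddr(str(msg["To"] or ""))[1]
    subject = str(msg["Subject"] or "").strip().lower()
    subject_lang = SUBJECT_LANGUAGE.get(subject)
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    findings = {
        "sender": local in SENDER_LOCAL_PARTS and domain in SENDER_DOMAINS,
        "subject": subject_lang is not None,
        "attachment": any(ATTACHMENT_RE.match(n) for n in names),
        # The worm picks German only for German-speaking recipients; a mismatch is a different sender.
        "language_consistent": subject_lang is not None and subject_lang == expected_language(recipient),
    }
    findings["score"] = sum(findings.values())
    return findings


def build_sample(sender, recipient, subject, body, attachment_name):
    """Construct a sample message with an attachment (test data, not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = recipient
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"\x00" * 32, maintype="application", subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


# Constructed samples: one following the worm's English template, one ordinary message.
SAMPLE_WORM_MAIL = build_sample("Alert@microsoft.com", "user@example.com",
                                "Microsoft Alert: Please Read!",
                                "New MyDoom Virus Variant Detected!\n", "Patch4927.exe")
SAMPLE_BENIGN_MAIL = build_sample("newsletter@example.org", "user@example.com",
                                  "Monthly update", "Hello\n", "report.pdf")

if __name__ == "__main__":
    print("worm-like:", match_sober_d(SAMPLE_WORM_MAIL))
    print("benign:   ", match_sober_d(SAMPLE_BENIGN_MAIL))
```

Each criterion is reported separately rather than collapsed into a single verdict, so a gateway rule can weight them: the sender address alone is trivially spoofable, while the combination of sender, subject and a numbered Patch/MS-Security attachment is specific to this worm.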

NOD32 detects this worm using Advanced Heuristics without needing a virus database update. Signature-based detection of Win32/Sober.D was added in virus database version 1.627.

1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way, in any form or by any means, without prior permission.