Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Sober.I

Win32/Sober.I is a worm spreading as an e-mail attachment. It is written in Visual Basic. Its body is compressed, its size is approximately 55 kB for the dropper file and 45kB for the actual worm.

Note: In what follows the %windir% string is used instead of the actual name of the Windows installation directory. The latter may differ on a case by case basis. The subdirectory System or System32 placed in %windir% has the name %system% .

The worm arrives in the form of a dropper. Upon execution the dropper creates two instances of the worm in the %system% folder, using a random filename created by joining some of the following strings:

sys, host, dir, expoler, win, run, log, 32, disc, crypt, data, diag, spool, service, smss32

It creates two random subkeys under the HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run keys. There, the following values are set: %system%\<filename1>.exe and %system%\<filename2>.exe %srun% , where <filename1> and <filename2> are the names of the worm files in the %system% folder.

Win32/Sober.I harvests e-mail addresses for further spreading from files on the infected computer that have one of these extensions:

pmr stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

It avoids addresses containing one of the following strings:

ntp- ntp@ office @www @from. support redaktion smtp- @smtp. gold-certs ftp. .dial. .ppp. anyone subscribe announce @gmetref sql. someone nothing you@ user@ reciver@ somebody secure msdn. me@ whatever@ whoever@ anywhere yourname mustermann@ .kundenserver. mailer-daemon variabel password noreply -dav law2 .sul.t- .qmail@ t-ipconnect t-dialin ipt.aol time postmas service freeav @ca. abuse winrar domain. host. viren bitdefender spybot detection ewido. emsisoft linux google @foo. winzip @example. bellcore. @arin mozilla @iana @avp @msn icrosoft. @spiegel. @sophos @panda @kaspers free-av antivir virus verizon. @ikarus. @nai. @messagelab nlpmail01. clock

The following files are created in the %system% folder:

winsend32.dal
winroot64.dal
cvqaikxt.apk
Odin-Anon.Ger
sysmms32.lla
dgssxy.yoi
zippedsr.piz
nonzipsr.noz
winexerun.dal
winmprot.dal
clonzips.ssc
clsobern.isc
sb2run.dii

They are used for storing harvested e-mail addresses and other information the worm uses for spreading.

E-mail messages sent by Win32/Sober.I can either be in English or in German language. German is chosen if the recipient's address contains "gmx." as a substring, or its domain part is ".de", ".ch", ".at" or ".li". English is used otherwise.

Subject of German messages is one of the following:

Info von
Mailzustellung fehlgeschlagen
Fehler in E-Mail
Ihre E-Mail wurde verweigert
Mailer Error
Ung?ltige Zeichen in Ihrer E-Mail
Mail- Verbindung wurde abgebrochen
Mailer-Fehler
Betr.- Ihr Account
Ihre neuen Account-Daten
Auftragsbest?tigung
Lieferungs-Bescheid

Win32/Sober.I can produce many different message bodies. This is an example:

Guten Tag,

da unsere Datenbanken leider durch einen Programm Fehler zerstört wurden, mussten wir leider eine Änderung bezüglich Ihrer Nutzungs- Daten vornehmen.

Ihre geänderten Account Daten, befinden Sie im beigefügten Dokument.

Vielen Dank für Ihr Verständnis.

------ <WIMMEROTH-ASSEKURANZ> GmbH & Co. KG
------ Send-To: Home-Service@wimmeroth-assekuranz.com
------ www.wimmeroth-assekuranz.de

In English e-mails, Subject is picked from these alternatives:

Details
Oh God it's
Registration confirmation
Confirmation
Your Password
Your mail password
Delivery_failure_notice
Faulty_mail delivery
Mail delivery_failed
Mail Error
illegal signs in your mail
invalid mail
Mail_Delivery_failure
mail delivery system

E-mail messages contain the dropper as an attachment. It's either an executable file, or a ZIP archive. The name is constructed from various strings and can have several extensions.

NOD32 detects the dropped worm file of Win32/Sober.I using advanced heuristics without upgrading. The detection of Win32/Sober.I using signature is added since version 1.927.

1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission