Threat Encyclopedia


Win32/Sober.O

Sober.O is a typical mass-mailing e-mail worm. The file is 53554 bytes in size and is runtime-compressed with UPX, an executable runtime packer; the packed file has been patched to prevent it from being unpacked.

Note: In the following text, %windir% denotes Windows directory (e.g. C:\WINDOWS) and %system% denotes Windows System directory (e.g. C:\WINDOWS\SYSTEM32) as they differ on various versions of Microsoft Windows.

Installation and Autostart Techniques

Upon execution, it displays the text "Error: CRC not complete" in a message box titled "WinZip Self-Extractor".

The worm then copies itself to the "%windir%\Connection Wizard\Status\" folder as "services.exe", "smss.exe" and "csrss.exe".

The worm, running as "services.exe", then starts "smss.exe" and "csrss.exe" from its own process. Sober.O uses exclusive file locking to prevent an antivirus program from opening and scanning its files once the worm is active in memory.

Note: As in all previous Sober versions that use exclusive locking, Sober.O changes exactly one byte in the file header of the files it holds under exclusive lock. As a result, once the worm is running, the three executables have different MD5 checksums.

Three other malicious files are created in the same folder:

"packed1.sbr",
"packed2.sbr" and
"packed3.sbr"

Each contains a Base64-encoded copy of the worm packed as a ZIP file; these are later renamed and attached to outgoing e-mails.

After that, the worm creates the following files in its own folder to collect harvested e-mail addresses:

sacri1.ggg
sacri2.ggg
sacri3.ggg
voner1.von
voner2.von
voner3.von
and
fastso.ber
sysonce.tst

All of these are zero-byte files.

It also creates several files in the %system% folder:

adcmmmmq.hjg
langeinf.lin
nonrunso.ber
seppelmx.smx
xcvfpokd.tqa

Note: These files are not malicious and therefore not detected as part of the worm.

The worm adds the following registry entries so that it runs every time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"WinStart" = "%windir%\Connection Wizard\Status\services.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"_WinStart" = "%windir%\Connection Wizard\Status\services.exe"

Note: The worm watches continuously for the presence of these registry keys and recreates them if they are not present anymore. This is done via Visual Basic Timer Interrupt polling.
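The following Python script is an added example, not part of the original encyclopedia entry: it checks a registry export and a file inventory for the persistence artifacts listed above (the two Run values and the files dropped under "%windir%\Connection Wizard\Status"). It assumes a .reg-style export with REG_SZ values; the sample export and path names are constructed.

```python
import re
from pathlib import PureWindowsPath
# Host-side indicators from the description above: the drop folder under %windir%,
# the file names dropped there, and the two Run values pointing at services.exe.
DROP_DIR_SUFFIX = ("connection wizard", "status")
DROP_NAMES = {"services.exe", "smss.exe", "csrss.exe",
              "packed1.sbr", "packed2.sbr", "packed3.sbr"}
RUN_VALUE_NAMES = {"WinStart", "_WinStart"}

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} (REG_SZ values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg files double the backslashes inside string data
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def in_drop_dir(path):
    """True if the path's parent folder is '...\\Connection Wizard\\Status'."""
    parts = tuple(p.lower() for p in PureWindowsPath(path).parent.parts)
    return parts[-2:] == DROP_DIR_SUFFIX

def find_sober_run_values(reg_export_text):
    """Return (key, value_name, data) for Run values matching the worm's autostart entry."""
    hits = []
    for key, values in parse_reg_export(reg_export_text).items():
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        for name, data in values.items():
            if name in RUN_VALUE_NAMES or (
                    in_drop_dir(data) and PureWindowsPath(data).name.lower() == "services.exe"):
                hits.append((key, name, data))
    return hits

def find_dropped_files(paths):
    """Return the paths from a file inventory that match the worm's drop locations."""
    return [p for p in paths if in_drop_dir(p) and PureWindowsPath(p).name.lower() in DROP_NAMES]

# Constructed sample export (not a real capture): two worm entries and one benign value.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinStart"="C:\\WINDOWS\\Connection Wizard\\Status\\services.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"_WinStart"="C:\\WINDOWS\\Connection Wizard\\Status\\services.exe"'''
```

Because the worm recreates these values while it runs, a hit from this check is a signal to stop the running copies first; removing the values alone has no lasting effect.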

Sober.O tries to delete the following Symantec LiveUpdate executables if they exist:

%ProgramFiles%\Symantec\Liveupdate\a*.exe
%ProgramFiles%\Symantec\Liveupdate\luc*.exe
%ProgramFiles%\Symantec\Liveupdate\ls*.exe
%ProgramFiles%\Symantec\Liveupdate\luu*.exe

If it deletes these files successfully, or if the Symantec LiveUpdate path exists, it places a copy of its own executable at

%ProgramFiles%\Symantec\Liveupdate\luall.exe

E-mail harvesting

The worm scans all fixed disks and collects e-mail addresses from files that have one of the following extensions:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

E-mail Sender

The sender e-mail addresses are spoofed and may appear to be sent by a familiar source.
This worm uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to other e-mail addresses.

E-mail subjects

The e-mail subject is chosen according to the recipient's address:

Re:Your Password
Re:Registration Confirmation
Re:Your email was blocked
Re:mailing error
Re: {empty}

for German-speaking domains:

Ihr Passwort
Mail-Fehler!
Ihre E-Mail wurde verweigert
Ich bin's, was zum lachen ;)
Glueckwunsch: Ihr WM Ticket
WM Ticket Verlosung
WM-Ticket-Auslosung

Message Body

The e-mail contains one of the following message texts:

ok ok ok,,,,, here is it

Account and Password Information are attached!
Visit: http:/ /www.{ followed by random domain }

This is an automatically generated E-Mail Delivery Status Notification.
Mail-Header, Mail-Body and Error Description are attached

Sober.O then appends one of the following tags randomly to the bottom of the message:

Attachment-Scanner: Status OK
AntiVirus: No Virus found
Server-AntiVirus: No Virus (Clean)
http:/ / www.{ followed by random domain }

or, for German-speaking domains:

Diese E-Mail wurde automatisch erzeugt
Mehr Information finden Sie unter http:/ /www.{ followed by random domain }
Folgende Fehler sind aufgetreten:
Fehler konnte nicht Explicit ermittelt werden
Aus Datenschutzrechtlichen Gruenden, muss die vollstaendige E-Mail incl. Daten gezippt & angehaengt werden.
Wir bitten Sie, dieses zu beruecksichtigen.
Auto ReMailer#

Passwort und Benutzer-Informationen befinden sich in der beigefuegten Anlage.
http:/ /www.[random domain]
*-* MailTo: PasswordHelp

Herzlichen Glueckwunsch,
beim Run auf die begehrten Tickets fuer die 64 Spiele der Weltmeisterschaft 2006 in Deutschland sind Sie
dabei. Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.

St. Rainer Gellhaus
--- Pressesprecher Jens Grittner und Gerd Graus
--- FIFA Fussball-Weltmeisterschaft 2006
--- Organisationskomitee Deutschland
--- Tel. 069 / 2006 - 2600
--- Jens.Grittner@ok2006.de
--- Gerd.Graus@ok2006.de

Nun sieh dir das mal an
Was ein Ferkel ....

The worm then appends a randomly chosen tagline to the message body:

Mail-Scanner: Es wurde kein Virus festgestellt
AntiVirus: Kein Virus gefunden
AntiVirus-System: Kein Virus erkannt
WebSite: http:/ /www.{ followed by random domain }

E-mail Attachments

For recipients in German-speaking domains, the worm attaches a copy of itself as:

LOL.zip
autoemail-text.zip
_PassWort-Info.zip
Fifa_Info-Text.zip
okTicket-info.zip
or as
our_secret.zip
mail_info.zip
error-mail_info.zip
account_info.zip
account_info-text.zip

to all other domains.

Note: The ZIP attachment contains the worm executable named "Winzipped-Text_Data.txt {spaces} .pif" or "Winzipped-Text_Data.txt {spaces} .exe", where {spaces} is a run of blanks that pushes the real extension out of sight.
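As an added example that is not part of the original entry, the following Python function scores an inbound message against the subjects, fake-scanner taglines, attachment names, attachment size and padded double-extension member name described in the E-mail subjects, Message Body and E-mail Attachments sections above; the two sample messages are constructed, not real captures.

```python
import re
# Indicators taken from the description above. Subjects and attachment names are the
# literal strings the worm uses; the ZIP member name is the double-extension trick
# ("...txt", a run of spaces, then .pif or .exe) that hides the executable.
SUBJECTS = {
    "Re:Your Password", "Re:Registration Confirmation", "Re:Your email was blocked",
    "Re:mailing error", "Re:", "Ihr Passwort", "Mail-Fehler!",
    "Ihre E-Mail wurde verweigert", "Ich bin's, was zum lachen ;)",
    "Glueckwunsch: Ihr WM Ticket", "WM Ticket Verlosung", "WM-Ticket-Auslosung",
}
ATTACHMENTS = {
    "LOL.zip", "autoemail-text.zip", "_PassWort-Info.zip", "Fifa_Info-Text.zip",
    "okTicket-info.zip", "our_secret.zip", "mail_info.zip", "error-mail_info.zip",
    "account_info.zip", "account_info-text.zip",
}
TAGLINES = (
    "Attachment-Scanner: Status OK", "AntiVirus: No Virus found",
    "Server-AntiVirus: No Virus (Clean)", "Mail-Scanner: Es wurde kein Virus festgestellt",
    "AntiVirus: Kein Virus gefunden", "AntiVirus-System: Kein Virus erkannt",
)
# Member name inside the ZIP: "Winzipped-Text_Data.txt", padding spaces, ".pif" or ".exe".
MEMBER_RE = re.compile(r"^Winzipped-Text_Data\.txt\s+\.(pif|exe)$", re.IGNORECASE)
ZIP_SIZE = 53728  # size of the worm's ZIP attachment as stated in Other Details

def score_message(subject, body, attachment_name, attachment_size, zip_members):
    """Return the list of Sober.O indicators matched by one message (empty = no match)."""
    reasons = []
    if subject.strip() in SUBJECTS:
        reasons.append("subject")
    if any(tag in body for tag in TAGLINES):
        reasons.append("fake-scanner tagline")
    if attachment_name in ATTACHMENTS:
        reasons.append("attachment name")
    if attachment_size == ZIP_SIZE:
        reasons.append("attachment size")
    if any(MEMBER_RE.match(m) for m in zip_members):
        reasons.append("padded double-extension member")
    return reasons
# Constructed sample messages (not real captures): one matching the worm, one benign.
WORM_MSG = dict(subject="Re:Your Password",
                body="Account and Password Information are attached!\n\nAntiVirus: No Virus found",
                attachment_name="account_info.zip", attachment_size=53728,
                zip_members=["Winzipped-Text_Data.txt" + " " * 40 + ".pif"])
BENIGN_MSG = dict(subject="Re: lunch on Friday", body="See you at noon.",
                  attachment_name="menu.pdf", attachment_size=8123, zip_members=[])

if __name__ == "__main__":
    for label, msg in (("worm", WORM_MSG), ("benign", BENIGN_MSG)):
        print(label, score_message(**msg))
```

The "Re: {empty}" subject from the list is matched by stripping whitespace before the lookup; the size check is a weak indicator on its own and is only meaningful together with the others.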

The worm skips e-mail addresses that contain any of the following strings:

@www @from. smtp- @smtp. ftp. .dial. .ppp. anyone @gmetref sql. someone
nothing you@ user@ reciver@ somebody secure whatever@ whoever@
anywhere yourname mustermann@ mailer-daemon variabel noreply -dav law2
.qmail@ freeav @ca. abuse winrar domain. host. viren bitdefender spybot detection
ewido. emsisoft linux @foo. winzip @example. bellcore. @arin @iana @avp icrosoft.
@sophos @panda @kaspers free-av antivir virus verizon. @ikarus. @nai. @messagelab nlpmail01. clock

The worm tries to connect to the following servers:

microsoft.com
bigfoot.com
yahoo.com
t-online.de
google.com
hotmail.com

Other Details

The worm's ZIP files are 53728 bytes in size.
The worm contains functionality to download and execute files via URLMON.DLL.
Sober.O terminates McAfee Stinger Cleaner.
The worm has a trigger on the 28th of May.
Sober.O also terminates the Microsoft removal tool.