Threat Encyclopedia


Win32/Sober.R

Aliases: W32/Sober.r@MM (McAfee), W32.Sober.Q@mm (Symantec), Email-Worm.Win32.Sober.s (Kaspersky)
Type: Worm
Systems Affected: 32-Bit Windows

Sober.R is a typical mass-mailing e-mail worm. The executable is runtime-compressed with UPX, an executable packer, and patched to defeat unpacking.

Installation and Autostart Techniques

Upon execution, the following fake error message box is displayed:

The worm then copies itself to the "%windir%\ConnectionStatus\" folder as "services.exe", creating the "ConnectionStatus" folder if it does not exist.

Note: %windir% denotes the Windows directory (e.g. C:\WINDOWS) and %system% denotes the Windows system directory (e.g. C:\WINDOWS\SYSTEM32); both differ between versions of Microsoft Windows.

The worm, running as "services.exe", then holds an exclusive lock on "services.exe" from within its own process.
Sober.R uses exclusive file locking to prevent an antivirus program from opening and scanning the file while the worm is active in memory. As a result, no read operations can be performed on the worm executable.

Important Note: Like all previous Sober versions that use an exclusive lock, Sober.R changes exactly one byte in the file header of the exclusively loaded files, at offset 0xA0. Once the worm has run, the two executables therefore have different MD5 checksums. Later, Sober.R stores temporary counters in its own executable, starting after offset 0x16400 in the file. This again produces a checksum that differs from the original file before it was executed. Normally this region holds data related to the program icon; the change overwrites the original JPG-like icon with a typical console-mode icon. The worm uses this technique to prevent double installation on one system: once the icon has been replaced, the worm does not try to install itself again, but it still runs because of the registry auto-start entry. This kind of "infection marker" is seen in file-infecting viruses to prevent multiple infections. The behavior is uncommon for worms, which leads to the conclusion that the worm author is probably a former virus writer as well.
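The checksum drift described above is why a single whole-file MD5 is a poor indicator for a Sober.R copy found on disk. The following added example (not part of the original write-up) reports which offsets changed between a reference sample and the on-disk copy and hashes only the regions the worm leaves untouched; it assumes the worm rewrites bytes in place without growing the file, and the two byte strings it works on are constructed stand-ins, not real samples.

```python
import hashlib

# Offsets from the write-up: one header byte changed at 0xA0, counters from 0x16400 on.
MARKER_OFFSET = 0xA0
COUNTER_START = 0x16400


def changed_offsets(original: bytes, on_disk: bytes) -> list[int]:
    """Return every offset whose byte differs between the two images.

    Assumes the worm rewrites bytes in place and does not grow the file."""
    if len(original) != len(on_disk):
        raise ValueError("images differ in length; not the same executable")
    return [i for i, (a, b) in enumerate(zip(original, on_disk)) if a != b]


def stable_regions(data: bytes) -> bytes:
    """The bytes Sober.R never touches after installation: everything before
    the marker byte plus everything between the marker and the counter area."""
    return data[:MARKER_OFFSET] + data[MARKER_OFFSET + 1:COUNTER_START]


def stable_md5(data: bytes) -> str:
    """MD5 over the stable regions only; equal before and after the worm runs."""
    return hashlib.md5(stable_regions(data)).hexdigest()


def full_md5(data: bytes) -> str:
    """Conventional whole-file MD5, which the infection marker invalidates."""
    return hashlib.md5(data).hexdigest()


def build_samples() -> tuple[bytes, bytes]:
    """Constructed stand-ins (not real samples): a 0x16800-byte 'original' and
    the same image after the worm set its marker byte and wrote counters."""
    original = bytes((i * 7) & 0xFF for i in range(0x16800))
    infected = bytearray(original)
    infected[MARKER_OFFSET] ^= 0xFF                            # infection marker
    infected[COUNTER_START:COUNTER_START + 8] = b"\x01" * 8    # counter area overwritten
    return original, bytes(infected)


if __name__ == "__main__":
    orig, inf = build_samples()
    print("changed offsets:", [hex(o) for o in changed_offsets(orig, inf)])
    print("whole-file MD5 equal:", full_md5(orig) == full_md5(inf))    # False
    print("stable MD5 equal:    ", stable_md5(orig) == stable_md5(inf))  # True
```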

Two other files are created in "%windir%\ConnectionStatus\": "netslot.nst" contains a BASE64-encoded e-mail copy of the worm file, and "socket.dli" contains the e-mail addresses collected from the infected system.

The following additional files are created in the %system% folder:

bbvmwxxf.hml
gdfjgthv.cvq
langeinf.lin
nonrunso.ber
rubezahl.rub
seppelmx.smx

These files are not malicious and therefore are not detected as part of the worm. Sober uses these zero-byte files to overwrite copies left behind by previous Sober versions.

The worm adds the following keys to the registry to make sure that it is run every time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"{Space}WinINet" = "%WINDOWS%\ConnectionStatus\services.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"_WinINet" = "%WINDOWS%\ConnectionStatus\services.exe"

The worm continuously watches for the presence of these registry keys and recreates them if they are removed. This is done by polling from a Visual Basic timer.

E-mail Harvesting:

The worm scans all fixed disks and collects E-mail addresses out of files with the following extensions:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi
pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp
ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf
doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

E-mail Sender:

The sender e-mail addresses are spoofed and may appear to be sent by a familiar source.
This worm uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to other e-mail addresses.

E-mail Subjects:

E-mail subject lines depend on the recipient's address.

For most domains, the subject line is "Your new Password". For German-speaking domains it is "Fwd: Klassentreffen".

The language selection is based on the following domain suffixes:

de, ch, at, li, and gmx.

Message Body:

The e-mail contains one of the following message texts:

Your password was successfully changed!
Please see the attached file for detailed information.

or, for German-speaking domains:

ich hoffe jetzt mal das ich endlich die richtige person erwischt habe!
ich habe jedenfalls mal unser klassenfoto von damals mit angehängt.
wenn du dich dort wiedererkennst, dann schreibe unbedingt zurück!!

wenn ich aber wieder mal die falsche person erwischt habe, dann sorry für die belästigung ;)

liebe grüße:

followed by one of: Rita, Sandra, Nicole, Hannelore, Kerstin, Elke

E-mail Attachments:

For German-speaking recipient domains the worm attaches a copy of itself as KlassenFoto.zip, which contains "PW_Klass.Pic.packed-bitmap.exe". For all other domains the attachment is pword_change.zip, which contains the file "pword_change.exe".
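The subject, attachment name and inner executable name together identify both lure variants, which is enough for a mail-gateway check. The following added example (not part of the original write-up) inspects a parsed message for those three indicators; the message it builds is constructed test data whose ZIP attachment holds placeholder bytes, not the worm.

```python
import io
import zipfile
from email.message import EmailMessage

# Lure details from the write-up: subject -> (ZIP attachment name, executable inside it).
LURES = {
    "Your new Password": ("pword_change.zip", "pword_change.exe"),
    "Fwd: Klassentreffen": ("KlassenFoto.zip", "PW_Klass.Pic.packed-bitmap.exe"),
}


def zip_members(payload: bytes) -> list[str]:
    """Member names of a ZIP attachment; a payload that is not a ZIP yields []."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def sober_indicators(msg: EmailMessage) -> list[str]:
    """Reasons a message matches a Sober.R lure; empty list when nothing matches."""
    reasons = []
    subject = str(msg.get("Subject", ""))
    if subject not in LURES:
        return reasons
    reasons.append(f"subject matches lure: {subject}")
    zip_name, inner_exe = LURES[subject]
    for part in msg.iter_attachments():
        if part.get_filename() != zip_name:
            continue
        reasons.append(f"attachment name matches: {zip_name}")
        members = zip_members(part.get_payload(decode=True))
        if inner_exe in members:
            reasons.append(f"ZIP contains the worm's executable name: {inner_exe}")
        elif any(m.lower().endswith(".exe") for m in members):
            reasons.append("ZIP contains an executable")
    return reasons


def build_test_message(subject: str, zip_name: str, inner: str) -> EmailMessage:
    """Constructed test message in the lure's layout; the attachment holds placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner, b"PLACEHOLDER, NOT MALWARE")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Please see the attached file for detailed information.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg
```

Running `sober_indicators(build_test_message("Your new Password", "pword_change.zip", "pword_change.exe"))` returns three reasons; a message with an unrelated subject returns an empty list.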

The worm may also generate e-mail addresses that contain parts of the following list:

Aero, com, coop, edu, gov, info, int, museum, name, net, org, pro

Process Termination:

Part of Sober.R's code is encrypted; in it the worm tries to terminate several security-related programs, such as cleaner tools. For instance, if a user tries to run the McAfee cleaner tool "Stinger.Exe", the worm displays this fake message box:

This also applies to Microsoft's Malicious Removal Tool, "MRT.EXE".

History: Analysis and Write-up by: Michael St. Neitzel