Threat Encyclopedia


Win32/Sober.Y

Sober.Y is a typical mass-mailing e-mail worm. It is 55390 bytes in size, runtime-compressed with UPX (an executable runtime packer) and then patched so that normal UPX unpacking fails.

Installation and Autostart Techniques:

Upon execution, it displays the following faked error message box:

The worm then copies itself into the "%windir%\WinSecurity\" folder as "services.exe", "smss.exe" and "csrss.exe", creating the "WinSecurity" folder if it does not exist.

Note: %windir% denotes the Windows directory (e.g. C:\WINDOWS) and %system% the Windows system directory (e.g. C:\WINDOWS\SYSTEM32); both differ between versions of Microsoft Windows.

The worm, running as "services.exe", then locks "services.exe" from its own process and starts the two other worm instances, "smss.exe" and "csrss.exe", from that process.
Sober.Y uses exclusive file locking to prevent an antivirus program from opening and scanning its files once the worm is active in memory. As a result, no read operation can be performed on the worm executable.

Important Note: As with all previous Sober versions that use an exclusive lock, Sober.Y changes exactly one byte, at offset 0xA0 in the file header, of the exclusively locked files. Once the worm has run, the three executables therefore differ in their MD5 checksum. The worm uses this byte as an infection marker. If the byte is not 0x09, the worm displays the following faked Symantec live updater message box:

Three other files are created in the same folder: "socket1.ifo", "socket2.ifo" and "socket3.ifo", each containing a MIME-encoded e-mail copy of the worm's zip file (75996 bytes in size).
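As an added triage example, not part of the original write-up, the following Python inspects the three copies in %windir%\WinSecurity: it reports the infection-marker byte at offset 0xA0, the MD5 of each copy, and treats a sharing violation on open as the exclusive lock described above. The folder path and the sample data used below are assumptions.

```python
import hashlib
import os

MARKER_OFFSET = 0xA0   # offset of the one-byte infection marker (from the write-up)
MARKER_VALUE = 0x09    # value the worm expects once it has run
COPY_NAMES = ("services.exe", "smss.exe", "csrss.exe")


def sober_marker(data: bytes) -> tuple:
    """Return (byte_at_0xA0, flagged) for an in-memory file image."""
    if len(data) <= MARKER_OFFSET:
        return (None, False)
    byte = data[MARKER_OFFSET]
    return (byte, byte == MARKER_VALUE)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def inspect_copy(path: str) -> dict:
    """Inspect one copy on disk.

    On Windows a sharing violation surfaces as PermissionError; that is a
    finding in itself, because a running instance holds its own copy with
    an exclusive lock.  Such a copy must be examined offline."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except PermissionError:
        return {"path": path, "locked": True}
    except FileNotFoundError:
        return {"path": path, "missing": True}
    marker, flagged = sober_marker(data)
    return {"path": path, "locked": False, "marker": marker,
            "flagged": flagged, "md5": md5_hex(data)}


def inspect_winsecurity(windir: str = None) -> list:
    """Inspect all three copies; windir defaults to %windir% (assumed C:\\WINDOWS)."""
    windir = windir or os.environ.get("windir", r"C:\WINDOWS")
    folder = os.path.join(windir, "WinSecurity")
    return [inspect_copy(os.path.join(folder, name)) for name in COPY_NAMES]


if __name__ == "__main__":
    for result in inspect_winsecurity():
        print(result)
```

A copy reported as locked cannot be read while the worm runs; compare the three MD5 values from an offline boot instead.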

Every process tries to attach its own copy to outgoing emails. For example, services.exe, process 1, will attach socket1.ifo, and csrss.exe, process 3, will attach socket3.ifo.

The files "mssock1.dli", "mssock2.dli", "mssock3.dli" and "winmem1.ory", "winmem2.ory", "winmem3.ory" are used for collecting harvested email addresses.

Sober.Y also creates Starter.run and might create sysonce.tst and nichtnem.nop depending on the system.

Important Note: Sober.Y appends the number "1", "2" or "3" to the filenames, depending on the running process instance. Instance 1 is always the main instance of the worm (services.exe). The worm can perform several tasks in parallel, such as collecting different e-mail styles and combining e-mail addresses found by the other Sober process instances (for example, instance 3 can use data collected by instances 2 and 1).

Sober.Y also creates several files in the %system% folder:

nonrunso.ber
langeinf.lin
filesms.fms
runstop.rst
rubezahl.rub
bbvmwxxf.hml

These files are not malicious and are therefore not detected as part of the worm. Sober uses these zero-byte files to overwrite copies of previous Sober versions.

The worm adds the following registry values to make sure that it runs every time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"{Space}Windows" = "%WINDOWS%\WinSecurity\services.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"_Windows" = "%WINDOWS%\WinSecurity\services.exe"

The worm continuously watches for the presence of these registry values and recreates them if they are no longer present. This is done by polling from a Visual Basic timer.
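As an added example, not from the original write-up, the following Python flags Run values that match the pattern described above (value name "{Space}Windows" or "_Windows", or data ending in \WinSecurity\services.exe) and, on Windows, enumerates the live Run keys through the standard winreg module; the entries it is tested against are constructed.

```python
import os

# Value names the worm registers, lower-cased for comparison:
# "{Space}Windows" under HKLM and "_Windows" under HKCU.
SOBER_RUN_NAMES = {" windows", "_windows"}
SOBER_TARGET = r"\winsecurity\services.exe"     # tail of the registered path
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def suspicious_run_entries(run_values: dict) -> list:
    r"""Return (name, data) pairs that match the Sober.Y pattern.

    run_values maps value name -> value data, as enumerated from HKLM or
    HKCU ...\CurrentVersion\Run.  Either the odd value name or the
    WinSecurity\services.exe target alone is enough to flag an entry."""
    hits = []
    for name, data in run_values.items():
        target = os.path.expandvars(str(data)).strip('"').lower()
        if name.lower() in SOBER_RUN_NAMES or target.endswith(SOBER_TARGET):
            hits.append((name, data))
    return hits


def read_run_key(hive_name: str) -> dict:
    """Enumerate the Run key of HKLM or HKCU via winreg (Windows only; {} elsewhere)."""
    try:
        import winreg
    except ImportError:
        return {}
    hive = winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM" else winreg.HKEY_CURRENT_USER
    values = {}
    try:
        with winreg.OpenKey(hive, RUN_SUBKEY) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:        # ERROR_NO_MORE_ITEMS ends the enumeration
                    break
                values[name] = data
                index += 1
    except OSError:                    # key absent or not readable
        pass
    return values


if __name__ == "__main__":
    for hive in ("HKLM", "HKCU"):
        for name, data in suspicious_run_entries(read_run_key(hive)):
            print(f"{hive}\\{RUN_SUBKEY}: {name!r} = {data!r}")
```

Because a running instance recreates these values from its timer, remove them only after the three WinSecurity processes have been stopped (or from an offline session); otherwise they simply reappear.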

E-mail Harvesting:

Sober.Y scans all fixed disks and collects E-mail addresses from files which match one of the following file extensions:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi
pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp
ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf
doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

E-mail Sender:

The sender's e-mail addresses are spoofed and may appear to be sent by a familiar source.
This worm uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to other e-mail addresses.

E-mail Subjects:

E-mail subjects are chosen depending on the recipient's address:

Your Password
Registration Confirmation
smtp mail failed
Mail delivery failed
hi, ive a new mail address
You visit illegal websites
Your IP was logged
Paris Hilton & Nicole Richie

for German speaking domains:

Ihr Passwort
Account Information
SMTP Mail gescheitert
Mailzustellung wurde unterbrochen
Ermittlungsverfahren wurde eingeleitet
Sie besitzen Raubkopien
RTL: Wer wird Millionaer
Sehr geehrter Ebay-Kunde

The worm makes this language selection based on the following domain suffixes:

de, ch, at, li or if the email destination is gmx.

Message Body:

The e-mail contains one of the following message texts:

Account and Password Information are attached!

This is an automatically generated Delivery Status Notification.
SMTP_Error
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.
The full mail-text and header is attached!

hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not sure!
plz read and check ...
cyaaaaaaa

Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.lease answer our questions!
The list of questions are attached.

Yours faithfully,
Steven Allison
Department Office Admin Mail Post
*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505
++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time

The Simple Life:
View Paris Hilton & Nicole Richie video clips , pictures & more ;)
Download is free until Jan, 2006!
Please use our Download manager.

or for German speaking domains:

Ihre Nutzungsdaten wurden erfolgreich geaendert. Details entnehmen Sie bitte dem Anhang.
*** {http://}www.{Sender Domain}
*** E-Mail: PassAdmin


Bei uns wurde ein neues Benutzerkonto mit dem Namen beantragt.
Um das Konto einzurichten, benoetigen wir eine Bestaetigung, dass die bei der Anmeldung angegebene e-Mail-Adresse stimmt.
Bitte senden Sie zur Bestaetigung den ausgefuellten Anhang an uns zurueck.
Wir richten Ihr Benutzerkonto gleich nach Einlangen der Bestaetigung ein und verstaendigen Sie dann per e-Mail, sobald Sie Ihr Konto benutzen koennen.

Vielen Dank,
Ihr Ebay-Team


Sehr geehrte Dame, sehr geehrter Herr,
das Herunterladen von Filmen, Software und MP3s ist illegal und somit strafbar.
Wir moechten Ihnen hiermit vorab mitteilen, dass Ihr Rechner unter der IP
erfasst wurde. Der Inhalt Ihres Rechner wurde als Beweismittel sichergestellt und es wird ein Ermittlungsverfahren gegen Sie eingleitet.
Die Strafanzeige und die Moeglichkeit zur Stellungnahme wird Ihnen in den naechsten Tagen schriftlich zugestellt.
Aktenzeichen NR.:#
(siehe Anhang)

Hochachtungsvoll
i.A. Juergen Stock
--- Bundeskriminalamt BKA
--- Referat LS 2
--- 65173 Wiesbaden
--- Tel.: +49 (0)611 - 55 - 12331 oder
--- Tel.: +49 (0)611 - 55 - 0


Glueckwunsch: Bei unserer EMail Auslosung hatten Sie und weitere neun Kandidaten Glueck.
Sie sitzen demnaechst bei Guenther Jauch im Studio!
Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.

+++ RTL interactive GmbH
+++ Geschaeftsfuehrung: Dr. Constantin Lange
+++ Am Coloneum 1
+++ 50829 Koeln
+++ Fon: +49(0) 221-780 0 oder
+++ Fon: +49 (0) 180 5 44 66 99

E-mail Attachments:

For recipients in German-speaking domains, the worm attaches a copy of itself as:

{TXT1}.zip
{TXT1}-TextInfo.zip
Email.zip
Email_text.zip
{TXT2}.zip
Akte{TXT2}.zip
{TXT3}.zip
{TXT3}_Text.zip
Ebay.zip
Ebay-User_RegC.zip

Note: {TXT1} represents one of the following text:

Service
Webmaster
Postman
Info
Hostmaster
Postmaster
Admin

Note: {TXT2} represents one of the following text:

Downloads
BKA
Internet
Post
Anzeige
BKA.Bund

Note: {TXT3} represents one of the following text:

Kandidat
WWM
Auslosung
Casting
Gewinn
Info
RTL-Admin
RTL
Webmaster
RTL-TV

or as:

reg_pass.zip
reg_pass-data.zip
mail.zip
mail_body.zip
mailtext.zip
list{random}.zip
question_list{random}.zip
downloadm.zip

for all other domains.

The worm skips e-mail addresses that contain one of the following strings:

-dav
.dial.
.kundenserver.
.ppp.
.qmail@
.sul.t-
@arin
@avp
@ca.
@example.
@foo.
@from.
@gmetref
@iana
@ikarus.
@kaspers
@messagelab
@nai.
@panda
@smtp.
@sophos
@www
abuse
announce
antivir
anyone
anywhere
bellcore.
bitdefender
clock
detection
domain.
emsisoft
ewido.
free-av
freeav
ftp.
gold-certs
google
host.
icrosoft.
ipt.aol
law2
linux
mailer-daemon
mozilla
mustermann@
nlpmail01.
noreply
nothing
ntp-
ntp.
ntp@
office
password
postmas
reciver@
secure
service
smtp-
somebody
someone
spybot
sql.
subscribe
support
t-dialin
t-ipconnect
test@
time
user@
variabel
verizon.
viren
virus
whatever@
whoever@
winrar
winzip
you@
yourname

If one of these strings is found, the worm does not add the address to its file of harvested e-mail addresses.

Process Termination:

Sober.Y encrypts the part of its code that tries to terminate several security-related programs, such as cleaner tools. For instance, if a user tries to run McAfee's cleaner tool "Stinger.Exe", the worm displays this faked message box:

Note: This also applies to Microsoft's Malicious Removal Tool "MRT.EXE".

Depending on the system setup, the worm might also try to delete the Symantec live updater's executables and copy itself in place of the updater file, so that the worm is started every time the live updater is scheduled to run.

Date and Time Synchronizing:

Sober.Y tries to connect to a number of public time (NTP) servers in order to retrieve the correct date and time, which defeats manipulated clocks on virtual test systems, and to check for a working internet connection.


TCP/IP Patching:

Sober.Y also tries to patch the TCPIP.SYS driver of Windows NT based systems:

%System%\drivers\TCPIP.SYS
%System%\dllcache\TCPIP.SYS
%Windir%\ServicePackFiles\i386\TCPIP.SYS

Note: The worm is, surprisingly, able to patch several different versions of the TCPIP.SYS file (builds 2180, 2505, 2631 and 2685): it changes the number of allowed half-open connections and then corrects the file's CRC sum. This patching only works on Windows XP systems (Service Pack 2) and Windows 2003 Server systems.

Background: This technique was introduced in Germany by lvllord, a German tools programmer (http://www.lvllord.de), in 2004, the same year the first Sober worms started using it.

History: Analysis and Write-up by: Michael St. Neitzel