Virus Profile: W32/Sober.j@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 11/19/2004
Date Added: 11/19/2004
Origin: Unknown
Length: 56,808 bytes (UPX'ed)
46,056 bytes (UPX'ed)
Type: Virus
Subtype: Internet Worm
DAT Required: 4409
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Error message as mentioned above
  • SMTP network traffic
  • Network traffic on TCP port 37
  • Desktop firewalls alerting the user that a new application is trying to get access to the internet

Methods of Infection

A machine gets infected when the user double clicks on an infected attachment. The worm does not exploit any system vulnerabilities to execute the attachment without user-interaction.

Aliases

Sober.H@mm (Norman), Trojan.Win32.VB.qa (AVP), W32.Sober.I@mm (Symantec), Worm_Sober.I (Trend)
   

Virus Characteristics

-- Update February 3, 2005 --

The assessment of this threat has been downgraded to Low-Profiled due to a decrease in prevalence.
--

This is a new variant of this massmailer, compressed with UPX, which sends itself to harvested mail addresses found on an infected machine.

If you think that you may be infected with this threat, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present.  This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

When a user double clicks on a infected attachment, the worm will display a fake error message:

It copies itself twice to the system folder using a constructed filename. These files are both running in memory and accessing the other with exclusive read access.

The filenames of the processes are built by combining the following strings and always end with '.exe'

  • sys
  • host
  • dir
  • expoler
  • win
  • run
  • log
  • 32
  • disc
  • crypt
  • data
  • diag
  • spool
  • service
  • smss32

For example:

  • datadiscwin.exe
  • cryptservice.exe
  • runlog32.exe

It creates the following registry keys, so it get executed each time the machine get booted:

  • HKEY_CURRENT_USER\Software\Microsoft\ Windows\CurrentVersion\Run "hostexpoler"
    Data: C:\WINNT\System32\datadiscwin.exe
  • HKEY_CURRENT_USER\Software\Microsoft\ Windows\CurrentVersion\Run "wincryptx"
    Data: C:\WINNT\System32\cryptservice.exe %srun%
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run "disccryptx"
    Data: C:\WINNT\System32\cryptservice.exe %srun%
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run "runsmss32"
    Data: C:\WINNT\System32\datadiscwin.exe

Please note that the filenames and keys are not fixed, they are constructed as mentioned above.

Additionally, the worm creates the following files in the %windir%\system folder:

  • clonzips.ssc (78,090 bytes)
  • clsobern.isc (77,738 bytes)
  • cvqaikxt.apk (0 bytes)
  • dgssxy.yoi (0 bytes)
  • nonzipsr.noz (77,738 bytes)
  • Odin-Anon.Ger (0 bytes)
  • sb2run.dii (0 bytes)
  • sysmms32.lla (0 bytes)
  • winexerun.dal (1,779 bytes)
  • winmprot.dal (1,832 bytes)
  • winroot64.dal (672 bytes)
  • winsend32.dal (1,779 bytes)
  • zippedsr.piz (78,090 bytes)

Massmailing:

W32/Sober.j@MM queries DNS and NTP servers in the internet to check if the infected machine is connected to the internet.

It tries to connect to these machines on TCP37:

  • swisstime.ee.ethz.ch         
  • ntp2.ien.it                  
  • ntp0-rz.rrze.uni-erlangen.de 
  • FS1.ece.cmu.edu              
  • ntp2.ptb.de                  
  • ntp-sop.inria.fr             
  • lanczos.maths.tcd.ie         
  • time-a.timefreq.bldrdoc.gov  
  • india.colorado.edu           
  • gnomon.cc.columbia.edu       
  • metasweb01.admin.ch          
  • vega.cbk.poznan.pl           
  • time.nist.gov                
  • time.nrc.ca                  
  • ns1.usg.edu                  
  • otc2.psu.edu                 
  • nist1.symmetricom.com        
  • clock.xmission.com           
  • sue.cc.uregina.ca

For the DNS, it tries to connect to these machines on UDP53:

  • 141.40.10.35
  • 213.218.170.6
  • 217.237.151.33
  • 213.239.234.108
  • 200.74.214.246
  • 212.242.88.2
  • 151.201.0.39
  • 82.195.234.2
  • 195.112.195.34
  • 80.148.11.231
  • 131.243.64.3
  • 129.187.16.1
  • 141.40.10.35
  • 62.39.89.71
  • 145.253.2.171
  • 195.182.96.29
  • 203.162.0.11
  • 131.174.8.14
  • 207.217.120.43
  • 216.203.115.105
  • 209.235.107.14
  • 62.156.146.242
  • 210.66.241.1
  • 194.209.114.1
  • 209.253.113.2
  • 129.187.10.25
  • 208.48.34.135
  • 217.116.224.253
  • 61.95.134.168
  • 193.158.124.143
  • 212.71.97.156
  • 192.35.232.34
  • 217.237.150.225
  • 207.69.188.186
  • 166.60.12.11

It queries those servers for these domain names:

  • microsoft.com
  • bigfoot.com
  • yahoo.com
  • t-online.de
  • google.com
  • hotmail.com


When Sober.j can't connect to one of the DNS or NTP servers, it does start sending out emails. Please note that it does not use the DNS server as specified in the network configuration for this purpose - although, during mass-mailing, the SMTP engine uses the systems default DNS server.

The worm harvests email addresses, on the infected system, from files with any of the following file extensions:

  • pmr
  • stm
  • inbox
  • imb
  • csv
  • bak
  • ihm
  • xhtml
  • imm
  • imh
  • cms
  • nws
  • vcf
  • ctl
  • dhtm
  • cgi
  • pp
  • ppt
  • msg
  • jsp
  • oft
  • vbs
  • uin
  • ldb
  • abc
  • pst
  • cfg
  • mdw
  • mbx
  • mdx
  • mda
  • adp
  • nab
  • fdb
  • vap
  • dsp
  • ade
  • sln
  • dsw
  • mde
  • frm
  • bas
  • adr
  • cls
  • ini
  • ldif
  • log
  • mdb
  • xml
  • wsh
  • tbb
  • abx
  • abd
  • adb
  • pl
  • rtf
  • mmf
  • doc
  • ods
  • nch
  • xls
  • nsf
  • txt
  • wab
  • eml
  • hlp
  • mht
  • nfo
  • php
  • asp
  • shtml
  • dbx

The worm does not send itself to addresses which contain any of the following strings:

  • ntp-
  • ntp@
  • office
  • @www
  • @from
  • support
  • redaktion
  • smtp-
  • @smtp.
  • gold-certs
  • ftp.
  • .dial.
  • .ppp.
  • anyone
  • subscribe
  • announce
  • @gmetref
  • sql.
  • someone
  • nothing
  • you@
  • user@
  • reciver@
  • somebody
  • secure
  • msdn.
  • me@
  • whatever@
  • whoever@
  • anywhere
  • yourname
  • mustermann
  • .kundenserver.
  • mailer-daemon
  • variable
  • password
  • noreply
  • -dav
  • law2
  • .sul.t-
  • .qmail@
  • t-ipconnect
  • t-dialin
  • ipt.aol
  • time
  • postmas
  • service
  • freeav
  • @ca.
  • abuse
  • winrar
  • domain.
  • host.
  • viren
  • bitdefender
  • spybot
  • detection
  • ewido.
  • emisoft
  • linux
  • google
  • @foo.
  • winzip
  • @example.
  • bellcore.
  • @arin
  • mozilla
  • @iana
  • @avp
  • @msn
  • icrosoft
  • @spiegel.
  • @sophos
  • @panda
  • @kaspers
  • free-av
  • antivir
  • virus
  • verizon
  • @ikarus
  • @nai.
  • @messagelab
  • nlpmail01.
  • clock
  • sender
  • youremail
  • home.com
  • hotmail.
  • t-online
  • hostmaster
  • webmaster
  • info

Mailbody:

The email body of messages sent by the worm contains various error messages, for example:

At the bottom of this example, the last three lines starting with '*-*-*' are constructed by the worm, based on the domain name of the targeted email address.
Depending on the recipient's domain, these lines will vary.


Attachments:

The worm attaches a copy of itself using a constructed filename. The file extension is randomly choosen and can be either

  • .bat
  • .com
  • .pif
  • .scr
  • .zip

In case of .ZIP, the worm sends an archive which includes one file named Message_text.txt  (several spaces)  .pif

    Examples for attachment names chosen by the worm:

    • mail.4052.scr
    • verisign.2095.pif
    • re_mail8831.bat
    • thats_hard.eml.bat
    • mycrosift.word.com
    • oh_nono_1771.scr
    • im_shocked.5578.DOC.com
    • voyager.EML.com
       
    All Users
    Use specified     engine and DAT files for detection and removal of a system that is not actively infected (where the virus is not loaded in memory).  Given the nature of this threat, the 4.4.00 scan engine is required to detect and repair this threat on an actively infected system.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Stinger
         Stinger has been updated to detect and remove this threat.

    Manual removal
         The worm processes can be terminated manually using the Task Manager.

    In the first step, the two running processes of the worm needs to found, and terminated. As mentioned above however, the worm uses various filenames, constructed from the following strings:

    • sys
    • host
    • dir
    • expoler
    • win
    • run
    • log
    • 32
    • disc
    • crypt
    • data
    • diag
    • spool
    • service
    • smss32

    Three of these strings are used to construct filenames, for example:

    • datadiscwin.exe
    • cryptservice.exe
    • runlog32.exe

    The strings are also used to construct the key name which is used in the Registry key that is added to hook system startup, for example:

    • HKLM\Software\Microsoft\ Windows\CurrentVersion\Run "hostexpoler"
    • HKCU\Software\Microsoft\ Windows\CurrentVersion\Run "wincryptx"
    • HKLM\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run "disccryptx"
    • HKLM\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run "runsmss32"

    Locate these keys and identify the 2 filenames that the worm uses on the victim machine.

    Open the TaskManager, switch to the 'Processes' tab and look for the two processes with these filesnames and press the 'End Process' button.

    After both processes are terminated, delete the Registry keys mentioned above.

    IntruShield
         An IntruShield User-Defined Signature (UDS) has been created to detect this threat and is available for download at:
     
     https://mysupport.nai.com/
    Knowledgebase Article KB38001
     
    Please note: The above knowledgebase article is password protected and requires your to log into Service Portal before accessing it.