Virus Profile: W32/Sober@MM!M681

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 11/22/2005
Date Added: 11/22/2005
Origin: Unknown
Length: 55,390 bytes (PE)
Type: Virus
Subtype: E-mail
DAT Required: 4629
Removal Instructions

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

When the attachment is opened, and the contained executable is run, a fake error message is displayed:

Error In Packed Header

Sober creates a directory named WinSecurity in the %WinDir% directory (typically c:\windows). Several files are created in this folder:

 csrss.exe       A copy of the worm
 mssock1.dli     Email address information
 mssock2.dli     Email address information
 mssock3.dli     Email address information
 services.exe    A copy of the worm
 smss.exe        A copy of the worm
 socket1.ifo     MIME encoded archive containing the worm
 socket2.ifo     MIME encoded archive containing the worm
 socket3.ifo     MIME encoded archive containing the worm
 starter.run     Zero byte file
 winmem1.ory     Harvested email addresses
 winmem2.ory     Harvested email addresses
 winmem3.ory     Harvested email addresses

Several files are created in the WINDOWS SYSTEM directory (typically c:\windows\system32) as well:

 bbvmwxxf.hml    Zero byte file
 filesms.fms     Zero byte file
 langeinf.lin    Zero byte file
 nonrunso.ber    Zero byte file
 rubezahl.rub    Zero byte file
 runstop.rst     Zero byte file

Two registry run keys are created to load the worm at startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "_Windows" = C:\WINDOWS\WinSecurity\services.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run " Windows" = C:\WINDOWS\WinSecurity\services.exe
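The file and registry indicators above can be checked offline against a host inventory. The following is an added example, not McAfee's own tooling; it assumes a snapshot format (full path mapped to size, and (hive, value name) mapped to the Run command) that a collector would fill in.

```python
# Added example (not from the McAfee profile): check a host snapshot for the
# W32/Sober@MM!M681 file and registry indicators listed in the profile.
# The snapshot layout (path -> size, (hive, name) -> command) is an
# assumption made for this example.
import ntpath

WINSEC_FILES = {
    "csrss.exe", "mssock1.dli", "mssock2.dli", "mssock3.dli", "services.exe",
    "smss.exe", "socket1.ifo", "socket2.ifo", "socket3.ifo", "starter.run",
    "winmem1.ory", "winmem2.ory", "winmem3.ory",
}
SYSTEM32_MARKERS = {
    "bbvmwxxf.hml", "filesms.fms", "langeinf.lin",
    "nonrunso.ber", "rubezahl.rub", "runstop.rst",
}
RUN_VALUE_NAMES = {"_windows", " windows"}  # HKCU "_Windows", HKLM " Windows"
WORM_SIZE = 55390                          # PE length given in the profile


def scan_snapshot(files, run_values):
    """files: {full path: size in bytes}; run_values: {(hive, name): command}.
    Returns a list of readable findings; an empty list means no indicator hit."""
    findings = []
    for path, size in files.items():
        parent = ntpath.basename(ntpath.dirname(path)).lower()
        name = ntpath.basename(path).lower()
        if parent == "winsecurity" and name in WINSEC_FILES:
            what = "worm copy" if size == WORM_SIZE else "support file"
            findings.append(f"{path}: WinSecurity {what} ({size} bytes)")
        elif parent == "system32" and name in SYSTEM32_MARKERS and size == 0:
            findings.append(f"{path}: zero-byte marker file")
    for (hive, name), command in run_values.items():
        # The worm loads itself from <WinDir>\WinSecurity\services.exe
        if name.lower() in RUN_VALUE_NAMES or "\\winsecurity\\" in command.lower():
            findings.append(f"{hive}\\...\\Run '{name}' = {command}")
    return findings


# Constructed sample snapshot: two worm files, one marker, one legitimate
# csrss.exe in system32 that must not be flagged, one worm Run value.
SAMPLE_FILES = {
    r"C:\WINDOWS\WinSecurity\services.exe": 55390,
    r"C:\WINDOWS\WinSecurity\socket1.ifo": 74212,
    r"C:\WINDOWS\system32\runstop.rst": 0,
    r"C:\WINDOWS\system32\csrss.exe": 6144,
}
SAMPLE_RUN = {
    ("HKCU", "_Windows"): r"C:\WINDOWS\WinSecurity\services.exe",
    ("HKLM", "ctfmon"): r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    for line in scan_snapshot(SAMPLE_FILES, SAMPLE_RUN):
        print(line)
```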

The worm attempts to contact the following time servers:

  • ntps1-1.uni-erlangen.de
  • time.mit.edu
  • tick.greyware.com
  • tock.keso.fi
  • ntp2c.mcc.ac.uk
  • ntp1.theremailer.net
  • time.chu.nrc.ca
  • time-a.timefreq.bldrdoc.gov
  • time.nrc.ca
  • ntp.massayonet.com.br
  • ntp2b.mcc.ac.uk
  • ntp2.ien.it
  • nist1.datum.com
  • swisstime.ethz.ch
  • clock.psu.edu
  • time.ien.it
  • ptbtime2.ptb.de
  • Rolex.PeachNet.edu
  • ntp.metas.ch
  • ntp3.fau.de
  • utcnist.colorado.edu
  • sundial.columbia.edu
  • vega.cbk.poznan.pl
  • ntp0.cornell.edu
  • ntp-sop.inria.fr
  • rolex.usg.edu
  • time.xmission.com
  • st.ntp.carnet.hr
  • ntp-1.ece.cmu.edu
  • time.nist.gov
  • ntp.lth.se
  • cuckoo.nevada.edu
  • ntp-2.ece.cmu.edu
  • time.kfki.hu
  • ntp.pads.ufrj.br
  • time-ext.missouri.edu
  • ntp1.arnes.si
  • timelord.uregina.ca
  • gandalf.theunixman.com

Starting on Friday, 6 January 2006, the worm stops spreading via e-mail and instead tries to download and execute a file from a set of URLs. The URL set is calculated from the date and changes every two weeks; the sets enumerated in this profile begin on 6 January 2006 and end on 8 July 2006.

Methods of Infection

This virus spreads via email. It harvests email addresses from files on the local system that have the following extensions:

  • pmr
  • phtm
  • stm
  • slk
  • inbox
  • imb
  • csv
  • bak
  • imh
  • xhtml
  • imm
  • imh
  • cms
  • nws
  • vcf
  • ctl
  • dhtm
  • cgi
  • pp
  • ppt
  • msg
  • jsp
  • oft
  • vbs
  • uin
  • ldb
  • abc
  • pst
  • cfg
  • mdw
  • mbx
  • mdx
  • mda
  • adp
  • nab
  • fdb
  • vap
  • dsp
  • ade
  • sln
  • dsw
  • mde
  • frm
  • bas
  • adr
  • cls
  • ini
  • ldif
  • log
  • mdb
  • xml
  • wsh
  • tbb
  • abx
  • abd
  • adb
  • pl
  • rtf
  • mmf
  • doc
  • ods
  • nch
  • xls
  • nsf
  • txt
  • wab
  • eml
  • hlp
  • mht
  • nfo
  • php
  • asp
  • shtml
  • dbx

The virus attempts to terminate processes containing the following strings:

  • microsoftanti
  • gcas
  • gcip
  • giantanti
  • inetupd.
  • nod32kui
  • nod32.
  • fxsbr
  • avwin.
  • guardgui.
  • aswclnr
  • stinger
  • hijack
  • sober
  • brfix
  • s_t_i_n
  • s-t-i-n

Aliases

Sober.Y (F-Secure), W32.Sober.X@mm (Symantec), W32/Sober-Z (Sophos), W32/Sober.z@MM (F-prot), W32/Sober@MM!CME-681, WORM_SOBER.AG (Trend)
   

Virus Characteristics

-- Update January 9, 2006 --
Due to a decrease in prevalence, the risk assessment of this threat has been lowered to Low-Profiled.

The list of activation dates/download sites has been updated below.

-- Update November 22, 2005 --
The risk assessment of this threat has been upgraded to Medium due to the amount of spam emails being sent which include copies of this virus. McAfee customers have been protected since the 4629 DAT files released on November 16th, which detected this as W32/Sober.gen@MM. If you, or your customers, are running at least these DAT files, no action is required. Specific named detection as W32/Sober@MM!M681 (to reflect the assigned CME ID number) will be added to the 4635 DATs.

If you think that you may be infected with W32/Sober@MM!M681 and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products detect and remove the virus with the latest update (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From address.

This Sober variant was being seeded on Nov 21st. It arrives as an email attachment, along with various message subjects and bodies, such as:

Subject: hi, ive a new mail address
Body:
hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not sure!

plz read and check ...
cyaaaaaaa

Subject: Registration Confirmation
or
Subject: Your Password
Body: Account and Password Information are attached!

Subject: Paris Hilton & Nicole Richie
Body:
The Simple Life:

View Paris Hilton & Nicole Richie video clips , pictures & more ;)
Download is free until Jan, 2006!

Please use our Download manager.

Subject: You visit illegal websites
Body:
Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison

++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505

++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time

Subject: You visit illegal websites
Body:
Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.


Yours faithfully,
Steven Allison

*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000

Subject: Registration_Confirmation
Body:
Protected message is attached!


***** Go to: http://www.your_domain
***** Email: postman@your_domain

Body:
Glueckwunsch: Bei unserer EMail Auslosung hatten Sie und weitere neun Kandidaten Glueck.
Sie sitzen demnaechst bei Guenther Jauch im Studio!
Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.

+++ RTL interactive GmbH
+++ Geschaeftsfuehrung: Dr. Constantin Lange
+++ Am Coloneum 1
+++ 50829 Koeln
+++ Fon: +49(0) 221-780 0 oder

Body:
Bei uns wurde ein neues Benutzerkonto mit dem Namen beantragt.
Um das Konto einzurichten, benoetigen wir eine Bestaetigung, dass die bei der Anmeldung angegebene e-Mail-Adresse stimmt.

Body:
Bitte senden Sie zur Bestaetigung den ausgefuellten Anhang an uns zurueck.
Wir richten Ihr Benutzerkonto gleich nach Einlangen der Bestaetigung ein und verstaendigen Sie dann per e-Mail, sobald Sie Ihr Konto benutzen koennen.
Vielen Dank

Attachment:

  • reg_pass-data.zip
  • reg_pass.zip
  • question_list.zip
  • mailtext.zip
  • mail_body.zip
  • mail.zip
  • list.zip
  • email_text.zip

The zip file contains the file file-packed_datainfo.exe [55,390 bytes].
