Description
This is a virus detection. Viruses are programs that self-replicate recursively: an infected system spreads the virus to other systems, which then propagate it further. While many viruses carry a destructive payload, it is quite common for a virus to do nothing more than spread from one system to another.
Indication of Infection
When the attachment is opened and the executable it contains is run, a fake error message is displayed.
Sober creates a directory named WinSecurity in the %WinDir% directory (typically c:\windows). Several files are created in this folder:
| File | Description |
| csrss.exe | A copy of the worm (name mimics a legitimate Windows system process) |
| mssock1.dli | Email address information |
| mssock2.dli | Email address information |
| mssock3.dli | Email address information |
| services.exe | A copy of the worm (name mimics a legitimate Windows system process) |
| smss.exe | A copy of the worm (name mimics a legitimate Windows system process) |
| socket1.ifo | MIME encoded archive containing the worm |
| socket2.ifo | MIME encoded archive containing the worm |
| socket3.ifo | MIME encoded archive containing the worm |
| starter.run | Zero byte file |
| winmem1.ory | Harvested email addresses |
| winmem2.ory | Harvested email addresses |
| winmem3.ory | Harvested email addresses |
Several files are created in the WINDOWS SYSTEM directory (typically c:\windows\system32) as well:
| File | Description |
| bbvmwxxf.hml | Zero byte file |
| filesms.fms | Zero byte file |
| langeinf.lin | Zero byte file |
| nonrunso.ber | Zero byte file |
| rubezahl.rub | Zero byte file |
| runstop.rst | Zero byte file |
Two registry Run values are created to load the worm at startup (note that the HKEY_LOCAL_MACHINE value name begins with a space, which is easy to miss when reviewing the key by eye):
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "_Windows" = C:\WINDOWS\WinSecurity\services.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run " Windows" = C:\WINDOWS\WinSecurity\services.exe
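The file, registry and process indicators above can be checked mechanically. The Python script below is an added example written for this page, not McAfee detection code and not anything taken from the worm. It matches a listing of file paths, Run-key values and running processes against the indicators listed above, including the leading space in the HKLM value name and the worm copies that borrow the names of legitimate system processes but run from the WinSecurity directory. The sample artefacts, the input structures and the Windows directory used are constructed assumptions of the example.

```python
"""Host triage against the W32/Sober indicators on this page.

Added example for this page, not McAfee detection code. Inputs are
constructed artefact listings so it runs offline; on a real host you would
feed it the output of a triage collector instead. All comparisons use
ntpath and lower-case so the result is the same on Windows and on an
analyst's Linux box.
"""
import ntpath

# %WinDir%\WinSecurity contents (from the page)
WINSECURITY_FILES = {
    "csrss.exe", "services.exe", "smss.exe",          # copies of the worm
    "mssock1.dli", "mssock2.dli", "mssock3.dli",      # e-mail address data
    "socket1.ifo", "socket2.ifo", "socket3.ifo",      # MIME-encoded worm
    "starter.run",                                    # zero-byte marker
    "winmem1.ory", "winmem2.ory", "winmem3.ory",      # harvested addresses
}
# zero-byte markers dropped in %WinDir%\system32 (from the page)
SYSTEM32_MARKERS = {"bbvmwxxf.hml", "filesms.fms", "langeinf.lin",
                    "nonrunso.ber", "rubezahl.rub", "runstop.rst"}
# Run value names; the HKLM one really does start with a space.
RUN_VALUE_NAMES = {"_windows", " windows"}
# Names the worm borrows from real Windows processes.
SPOOFED_SYSTEM_NAMES = {"csrss.exe", "smss.exe", "services.exe"}


def _parts(path):
    """Lower-cased (directory, basename) using Windows path rules."""
    p = ntpath.normpath(path).lower()
    return ntpath.dirname(p), ntpath.basename(p)


def check_files(paths, windir=r"C:\Windows"):
    """Paths that sit in the right directory AND carry an indicator name."""
    windir = ntpath.normpath(windir).lower()
    winsec = ntpath.join(windir, "winsecurity")
    system32 = ntpath.join(windir, "system32")
    hits = []
    for path in paths:
        d, name = _parts(path)
        if (d == winsec and name in WINSECURITY_FILES) or \
           (d == system32 and name in SYSTEM32_MARKERS):
            hits.append(path)
    return hits


def check_run_values(run_values):
    """run_values: {(hive, value_name): data}.

    Flags the known value names and, so a renamed value is still caught,
    any Run entry whose target lives in a WinSecurity directory.
    """
    hits = []
    for (hive, name), data in run_values.items():
        d, _ = _parts(data)
        if name.lower() in RUN_VALUE_NAMES or d.endswith("\\winsecurity"):
            hits.append((hive, name, data))
    return hits


def check_processes(procs, windir=r"C:\Windows"):
    """procs: iterable of (image_name, image_path).

    csrss.exe, smss.exe and services.exe belong in %WinDir%\\system32; the
    same names running from anywhere else are not legitimate and, together
    with the other indicators, point at Sober.
    """
    system32 = ntpath.join(ntpath.normpath(windir).lower(), "system32")
    return [(n, p) for n, p in procs
            if n.lower() in SPOOFED_SYSTEM_NAMES and _parts(p)[0] != system32]


# --- constructed sample artefacts (not from a real incident) ---------------
SAMPLE_FILES = [
    r"C:\WINDOWS\WinSecurity\services.exe",
    r"C:\WINDOWS\WinSecurity\winmem1.ory",
    r"C:\WINDOWS\system32\nonrunso.ber",
    r"C:\WINDOWS\system32\services.exe",      # legitimate, must not match
    r"C:\Program Files\Example\starter.run",  # right name, wrong directory
]
SAMPLE_RUN = {
    ("HKLM", " Windows"): r"C:\WINDOWS\WinSecurity\services.exe",
    ("HKCU", "_Windows"): r"C:\WINDOWS\WinSecurity\services.exe",
    ("HKLM", "SoundMan"): r"C:\WINDOWS\soundman.exe",   # benign entry
}
SAMPLE_PROCS = [
    ("services.exe", r"C:\WINDOWS\system32\services.exe"),  # real SCM
    ("services.exe", r"C:\WINDOWS\WinSecurity\services.exe"),
    ("csrss.exe", r"C:\WINDOWS\WinSecurity\csrss.exe"),
]


def triage(files=SAMPLE_FILES, run=SAMPLE_RUN, procs=SAMPLE_PROCS):
    """Run all three checks; any non-empty list is a Sober indicator."""
    return {"files": check_files(files, r"C:\WINDOWS"),
            "run": check_run_values(run),
            "procs": check_processes(procs, r"C:\WINDOWS")}


if __name__ == "__main__":
    for kind, hits in triage().items():
        for hit in hits:
            print(f"{kind}: {hit!r}")   # repr() keeps the leading space visible
```

The directory check matters as much as the file name: a services.exe in system32 is the real Service Control Manager, while the same name under WinSecurity is the worm, so a name-only match would produce a false positive on every host. Printing hits with repr() is deliberate, since a plain print would hide the leading space in " Windows".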
The worm attempts to contact the following NTP time servers to obtain the current date, which drives the download schedule described below:
- ntps1-1.uni-erlangen.de
- time.mit.edu
- tick.greyware.com
- tock.keso.fi
- ntp2c.mcc.ac.uk
- ntp1.theremailer.net
- time.chu.nrc.ca
- time-a.timefreq.bldrdoc.gov
- time.nrc.ca
- ntp.massayonet.com.br
- ntp2b.mcc.ac.uk
- ntp2.ien.it
- nist1.datum.com
- swisstime.ethz.ch
- clock.psu.edu
- time.ien.it
- ptbtime2.ptb.de
- Rolex.PeachNet.edu
- ntp.metas.ch
- ntp3.fau.de
- utcnist.colorado.edu
- sundial.columbia.edu
- vega.cbk.poznan.pl
- ntp0.cornell.edu
- ntp-sop.inria.fr
- rolex.usg.edu
- time.xmission.com
- st.ntp.carnet.hr
- ntp-1.ece.cmu.edu
- time.nist.gov
- ntp.lth.se
- cuckoo.nevada.edu
- ntp-2.ece.cmu.edu
- time.kfki.hu
- ntp.pads.ufrj.br
- time-ext.missouri.edu
- ntp1.arnes.si
- timelord.uregina.ca
- gandalf.theunixman.com
Starting on Friday, 6 January 2006, the worm stops spreading via email and instead tries to download and execute a file from a set of URLs. The URLs are calculated from the current date (obtained from the NTP servers listed above) and change roughly every two weeks; the activation dates listed below are between 12 and 15 days apart.
For the 6th of January 2006, it will try to connect to these URLs:
- people.freenet.de/mclvompycem/[omitted]
- scifi.pages.at/zzzvmkituktgr/[omitted]
- people.freenet.de/fseqepagqfphv/[omitted]
- people.freenet.de/wjpropqmlpohj/[omitted]
- home.arcor.de/jmqnqgijmng/[omitted]
- people.freenet.de/qisezhin/[omitted]
- home.arcor.de/ocllceclbhs/[omitted]
- home.arcor.de/srvziadzvzr/[omitted]
- home.pages.at/npgwtjgxwthx/[omitted]
- home.arcor.de/dixqshv/[omitted]
- home.arcor.de/nhirmvtg/[omitted]
- people.freenet.de/urfiqileuq/[omitted]
- people.freenet.de/smtmeihf/[omitted]
- free.pages.at/emcndvwoemn/[omitted]
- people.freenet.de/zmnjgmomgbdz/[omitted]
For the 20th of January 2006, it will try to connect to these URLs:
- people.freenet.de/idoolwnzwuvnmby [truncated]
- people.freenet.de/mhfas [truncated]
- people.freenet.de/nkpphimpf [truncated]
- people.freenet.de/ozumt [truncated]
- people.freenet.de/bnfyfnueoom [truncated]
- people.freenet.de/kbyquqbw [truncated]
- people.freenet.de/mlmmmlmhc [truncated]
- scifi.pages.at/ikzfpao [truncated]
- home.pages.at/ecljow [truncated]
- free.pages.at/wgqybixqy [truncated]
- home.arcor.de/ykfjxp [truncated]
- home.arcor.de/oodh [truncated]
- home.arcor.de/mtgv [truncated]
- home.arcor.de/tucrghif [truncated]
- home.arcor.de/ftpkwywvkdbu [truncated]
For the 4th of February 2006, it will try to connect to these URLs:
- people.freenet.de/xvpmtddp [truncated]
- people.freenet.de/ybuukppm [truncated]
- people.freenet.de/tqdpdrhw [truncated]
- people.freenet.de/sxjvch [truncated]
- people.freenet.de/ivevmrc [truncated]
- people.freenet.de/chcnrvn [truncated]
- home.arcor.de/dixq [truncated]
- scifi.pages.at/ootakk [truncated]
- home.pages.at/uqjsxtsacg [truncated]
- free.pages.at/hdovzt [truncated]
- home.arcor.de/yrgbkt [truncated]
- home.arcor.de/fleaveprfkbrv [truncated]
- home.arcor.de/grmnyg [truncated]
- home.arcor.de/jntwdtn [truncated]
- home.arcor.de/xvzwen [truncated]
For the 18th of February 2006, it will try to connect to these URLs:
- people.freenet.de/kvnxjghpb [truncated]
- people.freenet.de/kudkpqgs [truncated]
- people.freenet.de/ivdmxnd [truncated]
- people.freenet.de/wjfudqoed [truncated]
- people.freenet.de/drmegnt [truncated]
- people.freenet.de/vlxam [truncated]
- people.freenet.de/oeejkiil [truncated]
- scifi.pages.at/nikxioxckm [truncated]
- home.pages.at/dfdccnzn [truncated]
- free.pages.at/asoqqliez [truncated]
- home.arcor.de/lwmpcpoq [truncated]
- home.arcor.de/fzsybpt [truncated]
- home.arcor.de/vffe [truncated]
- home.arcor.de/cumhhsm [truncated]
- home.arcor.de/fhljs [truncated]
For the 2nd of March 2006, it will try to connect to these URLs:
- people.freenet.de/sxbbph [truncated]
- people.freenet.de/obkqlyle [truncated]
- people.freenet.de/ysqyydcqyxcq [truncated]
- people.freenet.de/vcbcci [truncated]
- people.freenet.de/ztoktkc [truncated]
- people.freenet.de/hkakkkufs [truncated]
- people.freenet.de/behkvl [truncated]
- scifi.pages.at/vaicwygd [truncated]
- home.pages.at/yjkoccqyjkx [truncated]
- free.pages.at/njjmmmgq [truncated]
- home.arcor.de/uswu [truncated]
- home.arcor.de/ehqhkk [truncated]
- home.arcor.de/jjlcxaqc [truncated]
- home.arcor.de/pbvbwekyb [truncated]
- home.arcor.de/oozaztutl [truncated]
For the 16th of March 2006, it will try to connect to these URLs:
- people.freenet.de/wewhissrvlf [truncated]
- people.freenet.de/cymo [truncated]
- people.freenet.de/ykfqgkcpdz [truncated]
- people.freenet.de/zvbgrir [truncated]
- people.freenet.de/iekzyggeekn [truncated]
- people.freenet.de/anbjhsob [truncated]
- people.freenet.de/mnjemtyav [truncated]
- scifi.pages.at/rsdou [truncated]
- home.pages.at/qcvcfufc [truncated]
- free.pages.at/tddffjn [truncated]
- home.arcor.de/pvuvxkee [truncated]
- home.arcor.de/hbxc [truncated]
- home.arcor.de/bnzkrbcrr [truncated]
- home.arcor.de/nlomw [truncated]
- home.arcor.de/inwlcrqrmdb [truncated]
For the 30th of March 2006, it will try to connect to these URLs:
- people.freenet.de/rslipmpm [truncated]
- people.freenet.de/wxlokexul [truncated]
- people.freenet.de/qoeccvmmv [truncated]
- people.freenet.de/reowen [truncated]
- people.freenet.de/tkhzdq [truncated]
- people.freenet.de/mnfduqzj [truncated]
- people.freenet.de/uuvnvf [truncated]
- scifi.pages.at/ewrencdwz [truncated]
- home.pages.at/mmzohagszca [truncated]
- free.pages.at/qlojqlc [truncated]
- home.arcor.de/ejwdzewdl [truncated]
- home.arcor.de/tktdxgghyx [truncated]
- home.arcor.de/dztwisrba [truncated]
- home.arcor.de/bivrvxrldbi [truncated]
- home.arcor.de/brbdhabr [truncated]
For the 14th of April 2006, it will try to connect to these URLs:
- people.freenet.de/ycizcyyybb [truncated]
- people.freenet.de/hdasdzfhk [truncated]
- people.freenet.de/itfljpk [truncated]
- people.freenet.de/gvnhwevn [truncated]
- people.freenet.de/xfwck [truncated]
- people.freenet.de/dwuynch [truncated]
- people.freenet.de/mgbkgqdm [truncated]
- scifi.pages.at/zyrsr [truncated]
- home.pages.at/oxlbcuv [truncated]
- free.pages.at/klwypl [truncated]
- home.arcor.de/iytccbmi [truncated]
- home.arcor.de/egfhtzsziti [truncated]
- home.arcor.de/eeezorceelfi [truncated]
- home.arcor.de/bypkirk [truncated]
- home.arcor.de/ottoqoc [truncated]
For the 28th of April 2006, it will try to connect to these URLs:
- people.freenet.de/bynlfgyq [truncated]
- people.freenet.de/qzfupmaj [truncated]
- people.freenet.de/uwegufxvwf [truncated]
- people.freenet.de/tgwza [truncated]
- people.freenet.de/lsjvvoenjvp [truncated]
- people.freenet.de/bbvb [truncated]
- people.freenet.de/sszwf [truncated]
- scifi.pages.at/hsxzxtiww [truncated]
- home.pages.at/ucobw [truncated]
- free.pages.at/qnhxfpnq [truncated]
- home.arcor.de/dnvem [truncated]
- home.arcor.de/agmzqaju [truncated]
- home.arcor.de/gnxsvga [truncated]
- home.arcor.de/fmnfbinnm [truncated]
- home.arcor.de/oufl [truncated]
For the 12th of May 2006, it will try to connect to these URLs:
- people.freenet.de/zoosla [truncated]
- people.freenet.de/mnfduq [truncated]
- people.freenet.de/venel [truncated]
- people.freenet.de/prlrkzh [truncated]
- people.freenet.de/jkygfnif [truncated]
- people.freenet.de/uifposxx [truncated]
- people.freenet.de/hjushfqn [truncated]
- scifi.pages.at/tiefgndvw [truncated]
- home.pages.at/jnjtcj [truncated]
- free.pages.at/duhdkkbkvcu [truncated]
- home.arcor.de/mmeamt [truncated]
- home.arcor.de/tjhzfyke [truncated]
- home.arcor.de/ivrvxrld [truncated]
- home.arcor.de/ionsgivgvqonvu [truncated]
- home.arcor.de/agllj [truncated]
For the 26th of May 2006, it will try to connect to these URLs:
- people.freenet.de/nhhx [truncated]
- people.freenet.de/fpkqmhafws [truncated]
- people.freenet.de/pommrkp [truncated]
- people.freenet.de/ughyukk [truncated]
- people.freenet.de/uhplcyto [truncated]
- people.freenet.de/raeezeleqo [truncated]
- people.freenet.de/hsaaaitf [truncated]
- scifi.pages.at/vfefsgz [truncated]
- home.pages.at/psjqzzzto [truncated]
- free.pages.at/tjxggqemk [truncated]
- home.arcor.de/mqfsjosnp [truncated]
- home.arcor.de/zfakn [truncated]
- home.arcor.de/fwzzq [truncated]
- home.arcor.de/rtfx [truncated]
- home.arcor.de/vfecfimevs [truncated]
For the 10th of June 2006, it will try to connect to these URLs:
- people.freenet.de/ysyahqb [truncated]
- people.freenet.de/nwdmimqxao [truncated]
- people.freenet.de/piijnicl [truncated]
- people.freenet.de/gsgyupdnp [truncated]
- people.freenet.de/kypvbpunffm [truncated]
- people.freenet.de/wggugtet [truncated]
- people.freenet.de/ixltxg [truncated]
- scifi.pages.at/fvojoz [truncated]
- home.pages.at/npajsm [truncated]
- free.pages.at/zakgnag [truncated]
- home.arcor.de/eymdnfrv [truncated]
- home.arcor.de/nykvmwb [truncated]
- home.arcor.de/pvjupjw [truncated]
- home.arcor.de/fuqllxpnp [truncated]
- home.arcor.de/nlwwbw [truncated]
For the 24th of June 2006, it will try to connect to these URLs:
- people.freenet.de/sgihlksoe [truncated]
- people.freenet.de/eenvvux [truncated]
- people.freenet.de/igvbvb [truncated]
- people.freenet.de/qkpo [truncated]
- people.freenet.de/jgkpzi [truncated]
- people.freenet.de/ryobblxrxf [truncated]
- people.freenet.de/iuqv [truncated]
- scifi.pages.at/uuvnvf [truncated]
- home.pages.at/kmqqqprru [truncated]
- free.pages.at/gyoiwnhod [truncated]
- home.arcor.de/kwwhusfepsq [truncated]
- home.arcor.de/qhwhz [truncated]
- home.arcor.de/rhhosoh [truncated]
- home.arcor.de/qcxprkq [truncated]
- home.arcor.de/tpswinpw [truncated]
For the 8th of July 2006, it will try to connect to these URLs:
- people.freenet.de/txyjyjqq [truncated]
- people.freenet.de/fhcwscxyco [truncated]
- people.freenet.de/hzjofefe [truncated]
- people.freenet.de/vchfqv [truncated]
- people.freenet.de/uxyyfcbfb [truncated]
- people.freenet.de/bvvpczb [truncated]
- people.freenet.de/jqoguututl [truncated]
- scifi.pages.at/clddwc [truncated]
- home.pages.at/itit [truncated]
- free.pages.at/hhfijsswwee [truncated]
- home.arcor.de/hshqtj [truncated]
- home.arcor.de/gesgamd [truncated]
- home.arcor.de/txpp [truncated]
- home.arcor.de/ctjil [truncated]
- home.arcor.de/fxhydxuxi [truncated]
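The download stage described above, and the NTP queries listed earlier that feed it, leave traces in proxy and firewall logs. The Python script below is an added example, not McAfee's code and not the worm's: it flags HTTP requests to the five free-hosting domains the download URLs live on, tags each with the activation period from the schedule above, and lists workstations that queried several of the worm's NTP servers. The log line formats, the sample lines, the hypothetical client addresses and the two-server threshold are constructed assumptions of the example; nothing here reproduces the worm's URL-generation algorithm, which the page does not give.

```python
"""Network-side triage for the Sober stage-two behaviour on this page.

Added example, not McAfee's or the worm's code. It runs over constructed
log lines so it executes offline; the line formats are assumptions chosen
for the example, not any product's real format. Two signals are checked:
  1. HTTP requests to the free-hosting domains the download URLs live on,
     tagged with the activation period the page lists for that date.
  2. Workstations querying several of the public NTP servers the worm uses
     to learn the date (domain-joined clients normally sync from a domain
     controller, so this stands out).
"""
from collections import defaultdict
from datetime import date
from urllib.parse import urlsplit

# Activation dates from this page; the worm switches URL sets on each one.
SCHEDULE = [
    date(2006, 1, 6), date(2006, 1, 20), date(2006, 2, 4), date(2006, 2, 18),
    date(2006, 3, 2), date(2006, 3, 16), date(2006, 3, 30), date(2006, 4, 14),
    date(2006, 4, 28), date(2006, 5, 12), date(2006, 5, 26), date(2006, 6, 10),
    date(2006, 6, 24), date(2006, 7, 8),
]
DROP_HOSTS = {"people.freenet.de", "home.arcor.de", "scifi.pages.at",
              "home.pages.at", "free.pages.at"}
NTP_SERVERS = {h.lower() for h in """
ntps1-1.uni-erlangen.de time.mit.edu tick.greyware.com tock.keso.fi
ntp2c.mcc.ac.uk ntp1.theremailer.net time.chu.nrc.ca time-a.timefreq.bldrdoc.gov
time.nrc.ca ntp.massayonet.com.br ntp2b.mcc.ac.uk ntp2.ien.it nist1.datum.com
swisstime.ethz.ch clock.psu.edu time.ien.it ptbtime2.ptb.de Rolex.PeachNet.edu
ntp.metas.ch ntp3.fau.de utcnist.colorado.edu sundial.columbia.edu
vega.cbk.poznan.pl ntp0.cornell.edu ntp-sop.inria.fr rolex.usg.edu
time.xmission.com st.ntp.carnet.hr ntp-1.ece.cmu.edu time.nist.gov ntp.lth.se
cuckoo.nevada.edu ntp-2.ece.cmu.edu time.kfki.hu ntp.pads.ufrj.br
time-ext.missouri.edu ntp1.arnes.si timelord.uregina.ca gandalf.theunixman.com
""".split()}


def period_for(day):
    """Activation date in force on `day` (date or ISO string); None before
    6 January 2006, i.e. before the download stage exists at all."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    current = None
    for start in SCHEDULE:
        if start <= day:
            current = start
    return current


def scan_proxy(lines):
    """Assumed format: 'YYYY-MM-DD client_ip METHOD url'. Returns hits."""
    hits = []
    for line in lines:
        day, client, _method, url = line.split()
        host = (urlsplit(url).hostname or "").lower()
        if host in DROP_HOSTS:
            period = period_for(day)
            hits.append({"client": client, "url": url,
                         "period": period.isoformat() if period else None})
    return hits


def scan_ntp(lines, min_servers=2):
    """Assumed format: 'YYYY-MM-DD src_ip dst_host proto dport'.

    Returns clients that queried at least `min_servers` distinct servers
    from the worm's list; one query is too common to act on (design choice).
    """
    seen = defaultdict(set)
    for line in lines:
        _day, src, dst, proto, dport = line.split()
        if proto == "udp" and dport == "123" and dst.lower() in NTP_SERVERS:
            seen[src].add(dst.lower())
    return {src: sorted(dsts) for src, dsts in seen.items()
            if len(dsts) >= min_servers}


# --- constructed sample log lines (not captured from a real network) --------
PROXY_SAMPLE = [
    "2006-01-06 10.0.0.5 GET http://people.freenet.de/sample1/dl",
    "2006-01-06 10.0.0.5 GET http://www.example.com/index.html",
    "2006-02-05 10.0.0.9 GET http://home.arcor.de/sample2/dl",
    "2005-12-30 10.0.0.7 GET http://home.pages.at/someone/page.html",
]
NTP_SAMPLE = [
    "2006-01-06 10.0.0.5 time.nist.gov udp 123",
    "2006-01-06 10.0.0.5 ntp3.fau.de udp 123",
    "2006-01-06 10.0.0.5 Rolex.PeachNet.edu udp 123",
    "2006-01-06 10.0.0.9 time.nist.gov udp 123",
    "2006-01-06 10.0.0.9 dc01.corp.example udp 123",   # in-house time source
]


def analyze(proxy=PROXY_SAMPLE, ntp=NTP_SAMPLE):
    """Both checks together; each non-empty result is a lead, not a verdict."""
    return {"http": scan_proxy(proxy), "ntp": scan_ntp(ntp)}


if __name__ == "__main__":
    print(analyze())
```

The hosting domains carry plenty of legitimate traffic, so a host match on its own is only a triage lead. The period tag is what makes it actionable: a request before 6 January 2006 (the third sample line, tagged None) cannot be the worm's download stage, and a client that is both fetching from these domains on an activation date and polling several of the listed NTP servers is worth pulling for the host checks.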
Methods of Infection
This virus spreads via email. It harvests email addresses from files on the local system whose names carry any of the following extensions:
- pmr
- phtm
- stm
- slk
- inbox
- imb
- csv
- bak
- imh
- xhtml
- imm
- cms
- nws
- vcf
- ctl
- dhtm
- cgi
- pp
- ppt
- msg
- jsp
- oft
- vbs
- uin
- ldb
- abc
- pst
- cfg
- mdw
- mbx
- mdx
- mda
- adp
- nab
- fdb
- vap
- dsp
- ade
- sln
- dsw
- mde
- frm
- bas
- adr
- cls
- ini
- ldif
- log
- mdb
- xml
- wsh
- tbb
- abx
- abd
- adb
- pl
- rtf
- mmf
- doc
- ods
- nch
- xls
- nsf
- txt
- wab
- eml
- hlp
- mht
- nfo
- php
- asp
- shtml
- dbx
The virus attempts to terminate any process whose name contains one of the following strings (chiefly anti-virus, anti-spyware and worm-removal tools, including renamed copies of them):
- microsoftanti
- gcas
- gcip
- giantanti
- inetupd.
- nod32kui
- nod32.
- fxsbr
- avwin.
- guardgui.
- aswclnr
- stinger
- hijack
- sober
- brfix
- s_t_i_n
- s-t-i-n
Aliases
Sober.Y (F-Secure), W32.Sober.X@mm (Symantec), W32/Sober-Z (Sophos), W32/Sober.z@MM (F-prot), W32/Sober@MM!CME-681, WORM_SOBER.AG (Trend)