Home / malware

PDF

Win32.Sober.AD@mm

First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Win32.Sober.AD@mm.

Explanation :

The virus comes in form of an e-mail with variable subject, body or attachement name. It’s written in Visual Basic 6.

When the virus is launched, an error box appears on the screen, looking like this:





thus leading the victim to belive that the executable contained an error and everything it’s ok.



Then, the virus creates the folder WinSecurity in the %WINDIR% folder and drops the above files in it. It then executes the executable just dropped named

%WINDIR%WinSecurityservices.exe

Then executes

%WINDIR%WinSecuritysmss.exe

and finally

%WINDIR%WinSecuritycrss.exe

Each of these processes play a specific role :

crss.exe examines if the registry keyHKLMSOFTWAREMICROSOFTWINDOWSCURRENT VERSIONRUN Windows = C:WINNTWinSecurityservices.exe

has been deleted and rewrites it if this is the case

services.exe starts searching the victim’s folders for files containing e-mail addresses on wich to propagate.

Files with the following extension are scanned:

stm slk inbox imb csv bak imh x

html imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin

ldb abc pst cfg mdw mbx mdx mda

adp nab fdb vap dsp ade sln dsw

mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl

rtf mmf doc ods nch xls nsf txt

wab eml hlp mht nfo .OK

pmr phtm stm slk inbox imb csv

bak imh xhtml imm imh cms nws

vcf ctl dhtm cgi pp ppt msg jsp

oft vbs uin ldb abc pst cfg mdw

mbx mdx mda adp nab fdb vap dsp

ade sln dsw mde frm bas adr cls

ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch

xls nsf txt wab eml hlp mht nfo

php asp shtml db



It creates the registry key

HKLMSOFTWAREMICROSOFTWINDOWSCURRENT VERSIONRUN

Windows = C:WINNTWinSecurityservices.exe

in order to assure it will be run at every OS startup. If this key is deleted from the registry while the virus is running in memory, it will try to put it back, having a dedicated thread to do this job.


The virus tries to download a file from the Internet and run it:


http://home.pages.at/.../S??.exe



The worm implements it’s own SMTP engine for spreading via e-mail.




The possible mail subject includes one of the following :

Ihr Passwort Account Information SMTP Mail gescheitert Mailzustellung wurde unterbrochen Ermittl ungsverf ahren wurde eing eleitet. Sie besitzen Rau bkopien RTL: Werwird Millionaer Sehr ge ehrter EbayKunde I’m afraid I was not able to deliver your message SMTP Error Your Password Registration Confirmation smtp mail failed Mail delivery failed hi , ive a new mail address You visit illegal websites Your IP was logged Paris Hilton & Nicole Richie



The possible mail content includes one of the following :



“Ihre Nut zungsdat en wurden erfolg reich ge aendert. Details entnehm en Sie bitte dem Anhang” “This is an automatically generated Delivery Status Notification. SMTP Error [] I’m afraid I wasn’t able to deliver your message. This is a permanent error; I’ve given up. Sorry it didn’t work out. The full mail text and header is attached”. “das Herunterladen von Filmen, Software und MP3s. ist ille gal und somit strafbar” “Bei uns wurde ein neues Benutzerkonto mit dem Namen beantragt. Um das Konto einzurichten, benoetigen wir eine Bestaetigung, dass die bei der Anmeldung angegebene e-Mail-Adresse stimmt. Ihr Ebay-Team@Ebay.com Ebay Bitte senden Sie zur Bestaetigung den ausgefuellten Anhang an uns zurueck.Wir richten Ihr Benutzerkonto gleich nach Einlangen der Bestaetigung ein und verstaendigen Sie dann per e-Mail, sobald Sie Ihr Konto benutzen koennen. Vielen Dank,”



The virus also spoofs the sender’s domain address, wich will appear to originate from one of the following domains

microsoft.com, bigfoot.com, yahoo.com, t-online.de, google.com, hotmail.com., mx1.mail.yahoo, mxbw.bluewin.ch etc.

The virus then searches list of active processes for process names from the list below :

microsoftanti gcas gcip giantanti inetupd. nod32kui nod32. fxsbr avwin. guardgui. aswclnr stinger hijack

and tries to kill them.

If any removal tool is running, in order to detect the presence of Sober, the worm will close it, and display the following message, like it would be a message from the removal tool:






For Win XP operating systems, the virus also tries to patch the tcpip.sys driver to allow it to open a virtually unlimited number of connections from the victim’s computer (since in Windows XP SP2 the number of simultaneously open connections from a host is restricted). This may result in asking the user to restart his computer in order for the patch to take effect.

Last update 21 November 2011

 

TOP