
Win32.Sober.C@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Win32.Sober.C@mm.

Explanation :

Like its predecessors, it is written in Visual Basic and packed with UPX.
It spreads via e-mail and uses its own SMTP engine to send itself.

The worm essentially composes each e-mail from fixed substrings,
resulting in a large number of possible e-mail formats:

Subjects:

German:
Betr: Klassentreffen
Testen Sie ihren IQ
Bankverbindungs- Daten
Neuer Dialer Patch!
Ermittlungsverfahren wurde eingeleitet
Ihre IP wurde geloggt
Sie sind ein Raubkopierer
Sie tauschen illegal Dateien aus
Ich hasse dich
Ich zeige sie an!
Sie Drohen mir!!
Anime, Pokemon, Manga, Handy ...
Anmeldebest
Neu! Legales Filesharing
Umfrage: Rente erst mit 80!
du wirst ausspioniert
Ein Trojaner ist auf Ihrem Rechner!
Du hast einen Trojaner drauf!
Hi, Ich bin's

English:
Sorry, that's your mail
hi, its me
Thank You very very much
you are an idiot
why me?
I hate you
Preliminary investigation were started
Your IP was logged
You use illegal File Sharing ...
A Trojan horse is on your PC
a trojan is on your computer!
Anime, Pokemon, Manga, ...
Attention: To all gamers
Caution: To all gamers
registration confirmation


Body (examples of fragments it can contain):

Here, the DigiCam photos. A few are overexposed.
That you've killed this bastard.
That you have paid for me!
And that's your list, too!
A new worm spread via online gaming!
You must change your internet configuration!!
More than 75.000 freeware games!!!
You say in the www. that i'm a terrorist!!!
No way out for you. I REPORT YOU !
You've said THAT about me
I said, I love you..,, and you said NOTHING
Downloading of Movies, MP3s and Software is illegal and punishable by law.
Pokemon, YU-GI-OH, DragonballZ, BeyBlade, Ranma 1/2, and and and

Attachments:
www.iq4you-german-test.com
www.freewantiv.com
www.free4manga.com
www.free4share4you.com
www.tagespolitik-umfragen.com
www.freegames4you-gzone.com
www.boards4all-terror432.com
www.anime4allfree.com
www.animepage43252.com
downloader.exe
Alternatively, the attachment name may be composed of one of the following base names

yourmail.
doc.
reward.
youtoo.
set_config.
idiot.
painfulness.
terror-list.
account.
credit card.
yourregistration.
letters.
computer.
mangaconection.
SysDial-patch.
DrohMails.
Klassenfoto.
sharedfree.
Zugangsdaten.
Abstimmen.
alledigis.

and one of the extensions bat, pif, exe or com (example: youtoo.com).
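Because the worm builds its mails from a fixed vocabulary, a mail gateway can flag messages that combine one of the listed subjects with an attachment whose name is one of the listed base names plus a bat/pif/exe/com extension. The following is an added detection example, not BitDefender's code; the indicator sets are a subset of the strings quoted above and the sample message is constructed.

```python
"""Flag e-mails whose subject or attachment name matches the fixed
substrings Win32.Sober.C@mm combines. Added example; sample mail is constructed."""
import email
from email import policy
from email.message import EmailMessage

# Subset of the subject strings and attachment base names quoted in the description.
SOBER_SUBJECTS = {
    "sorry, that's your mail", "hi, its me", "you are an idiot", "why me?",
    "i hate you", "your ip was logged", "a trojan horse is on your pc",
    "registration confirmation", "ihre ip wurde geloggt", "ich hasse dich",
}
SOBER_BASENAMES = {
    "yourmail", "doc", "reward", "youtoo", "set_config", "idiot", "terror-list",
    "account", "credit card", "yourregistration", "computer", "klassenfoto",
}
SOBER_EXTENSIONS = {"bat", "pif", "exe", "com"}


def sober_indicators(raw: bytes) -> list[str]:
    """Return the matched indicators for one RFC 822 message (empty list = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SOBER_SUBJECTS:
        hits.append(f"subject:{subject}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        base, _, ext = name.rpartition(".")  # split "youtoo.com" -> "youtoo", "com"
        if base in SOBER_BASENAMES and ext in SOBER_EXTENSIONS:
            hits.append(f"attachment:{name}")
    return hits


def build_sample(subject: str, filename: str) -> bytes:
    """Construct a test message with one inert attachment (no real payload)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content("Here, the DigiCam photos. A few are overexposed.")
    m.add_attachment(b"placeholder-bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(sober_indicators(build_sample("hi, its me", "youtoo.com")))
```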

When run, the worm:

- creates a copy of itself, syshostx.exe, in the %SYSTEM% folder
- also creates 2 more randomly named copies of itself in the %SYSTEM% folder
- creates the registry key described in Symptoms
- sometimes shows fake message boxes.

The extra copies serve as backups: if one of them is killed or deleted, the worm writes another copy to disk and runs it.

The virus looks for e-mail addresses in files with one of the following extensions:
htt, rtf, doc, xls, ini, mdb, txt, htm, html, wab, pst, fdb, cfg, ldb, eml, abc, ldif, nab, adp, mdw, mda, mde, ade, sln, dsw, dsp, vap, php, nsf, asp, shtml, shtm, dbx, hlp, mht, nfo

and stores them in the file savesyss.dll in the %SYSTEM% folder.

It also creates two more files in the %SYSTEM% folder: humgly.lkur and yfjq.yqwm.

Last update 21 November 2011
