
Win32.Sober.T@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Win32.Sober.T@mm.

Explanation :

This is a mass-mailing worm that poses as an image file. The icon is designed to mimic a JPEG file, giving the user the illusion of dealing with a harmless picture.

Since Windows hides extensions for known file types by default, the attachment appears as a JPEG icon with an innocuous caption, while the real extension is .exe:



The worm is written in Visual Basic 6.0 and is packed with FSG.

When the user double-clicks the file (which usually comes as an email attachment), the program displays a bogus error message and apparently terminates:



In the background, the worm creates the directory C:\Windows\ConnectionStatus and drops a working copy there under the name "services.exe". The name mimics the legitimate Windows Service Control Manager binary, which lives in the System32 directory; a services.exe anywhere else is suspicious.

A Registry entry is created to make sure the worm is always loaded:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinINet = C:\Windows\ConnectionStatus\services.exe

(Note: on some configurations, the Windows directory will be C:\WINNT instead of C:\Windows.)
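The persistence indicators above (the WinINet Run value and the dropped ConnectionStatus\services.exe) are easy to check for during triage. The following script is an added example, not BitDefender's code: on Windows it reads the live HKLM Run key through winreg; elsewhere, or for an offline review of exported Run-key entries, the matching function can be fed a dictionary directly. The sample entries at the bottom are constructed for illustration, and the more general "services.exe outside System32" rule is a generalisation of the write-up's indicator, not something it states.

```python
"""Triage check for the Win32.Sober.T@mm persistence indicators.

Added example, not part of the original write-up. Looks for the Run-key
value and the dropped file described above. On Windows it reads the live
registry through winreg; on other platforms the pure matching functions
can be applied to Run-key entries collected some other way.
"""
import os
import re
from typing import Dict, List

# Indicators taken from the write-up.
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "WinINet"
IOC_DROP_RE = re.compile(r"\\connectionstatus\\services\.exe$", re.IGNORECASE)

# The only legitimate services.exe lives in %SystemRoot%\System32 and is
# never started from a Run key, so any other services.exe is worth a look.
LEGIT_SERVICES_RE = re.compile(
    r"^[a-z]:\\(windows|winnt)\\system32\\services\.exe$", re.IGNORECASE
)


def check_run_entries(entries: Dict[str, str]) -> List[str]:
    """Return one finding per suspicious Run entry.

    `entries` maps value name -> value data as found under
    HKLM\...\CurrentVersion\Run. Flags the exact value from the write-up
    and, more generally, any services.exe launched from outside System32.
    """
    findings = []
    for name, data in entries.items():
        path = data.strip().strip('"')  # tolerate quoted paths
        if name.lower() == IOC_VALUE_NAME.lower() and IOC_DROP_RE.search(path):
            findings.append(f"Sober.T persistence: {name} = {data}")
        elif path.lower().endswith("\\services.exe") and not LEGIT_SERVICES_RE.match(path):
            findings.append(f"services.exe outside System32: {name} = {data}")
    return findings


def check_dropped_file(windows_dir: str) -> List[str]:
    """Report the dropped copy if it exists under the given Windows directory."""
    drop = os.path.join(windows_dir, "ConnectionStatus", "services.exe")
    return [f"dropped file present: {drop}"] if os.path.isfile(drop) else []


def read_live_run_key() -> Dict[str, str]:
    """Read HKLM Run entries on Windows; returns {} on other platforms."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return {}
    entries: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries[name] = str(data)
            index += 1
    return entries


def scan_host() -> List[str]:
    """Run both checks against the local machine (no-op outside Windows)."""
    findings = check_run_entries(read_live_run_key())
    # The write-up notes the Windows directory may be C:\WINNT on some systems.
    candidates = [os.environ.get("SystemRoot"), r"C:\Windows", r"C:\WINNT"]
    for windows_dir in dict.fromkeys(d for d in candidates if d):
        findings.extend(check_dropped_file(windows_dir))
    return findings


# Constructed sample Run-key contents for an offline run of the checks
# (not taken from a real system).
SAMPLE_RUN_ENTRIES = {
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "WinINet": r"C:\Windows\ConnectionStatus\services.exe",
    "Updater": r'"C:\WINNT\ConnectionStatus\services.exe"',
}

if __name__ == "__main__":
    for line in check_run_entries(SAMPLE_RUN_ENTRIES) + scan_host():
        print(line)
```

On a live Windows host, run it from an elevated prompt so the HKLM key and the Windows directory are readable; on any other platform only the constructed sample is evaluated.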

The worm checks whether Microsoft's Malicious Software Removal Tool is running and, if so, terminates it.

To locate email addresses for further spreading, it searches through files with the following extensions:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

Using a built-in SMTP engine, it sends emails with one of the following subjects, and a message body such as the one below:

Your new Password
OR
Your password was successfully changed!
OR
Please see the attached file for detailed information.
OR
Fwd: Klassentreffen

ich hoffe jetzt mal das ich endlich die richtige person erwischt habe!
ich habe jedenfalls mal unser klassenfoto von damals mit angehangt
wenn du dich dort wiedererkennst, dann schreibe unbedingt zur
wenn ich aber wieder mal die falsche person erwischt habe, dann sorry fur die belastigung

(English: "I hope this time I've finally got hold of the right person! In any case I've attached our class photo from back then. If you recognise yourself in it, be sure to write back. But if I've got the wrong person again, sorry for the bother." The subject "Fwd: Klassentreffen" means "Fwd: Class reunion".)

Last update 21 November 2011
