

First posted on 19 May 2010.
Source: SecurityHome

Aliases:

There are no other names known for Email-Worm:W32/Sober.

Explanation:

A worm that spreads via e-mail, usually as an infected executable e-mail attachment.

Additional Details

Email-Worm:W32/Sober disguises itself as a security warning about a possible new worm, together with a supposed fix from an anti-virus company. The worm uses attachment names such as anti_virusdoc.pif, check-patch.bat and playme.exe.

The worm is packed with a modified version of UPX and was written in Visual Basic. It has its own SMTP engine, which it uses to send e-mail messages.


It modifies the Windows registry under:

• [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
or
• [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

so that the value points to the location where the executable copy of the worm was dropped.

Some of the possible locations are:

• %SysDir%\similare.exe
• %SysDir%\sysrunll.exe
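The persistence mechanism above (a Run value in HKCU or HKLM pointing at the dropped copy) can be checked from an exported copy of the two Run keys. The following script is an added example, not part of the original description or any vendor tool: it parses a `.reg` export, extracts the executable each Run value launches, and flags those whose file name matches one of the drop names the page lists. The export text is constructed for the example (a real `reg export` file would be UTF-16 and need decoding first), and the drop-name list should be extended if other locations are known.

```python
import re
from pathlib import PureWindowsPath

# Run keys the description says the worm modifies (HKCU and HKLM).
RUN_KEYS = {
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}

# File names of the executable copies listed on the page (under %SysDir%).
SOBER_DROP_NAMES = {"similare.exe", "sysrunll.exe"}

# Constructed sample of a `reg export` of both Run keys; not real host data.
# Paths and account name are placeholders for the example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"similare"="C:\\WINDOWS\\System32\\similare.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"sysrunll"="%SystemRoot%\\system32\\sysrunll.exe"
"""

# .reg string values escape backslashes and quotes with a backslash.
_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: '\\\\' -> '\\' and '\\"' -> '\"'."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text):
    """Yield (key, value_name, command) for string values under the Run keys."""
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key not in RUN_KEYS or not line.startswith('"'):
            continue
        m = _VALUE_LINE.match(line)
        if m:
            yield current_key, _unescape(m.group(1)), _unescape(m.group(2))


def executable_path(command):
    """Return the program part of a Run command (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def find_sober_persistence(reg_text):
    """Return (hive, value_name, exe_name) for Run values launching a known drop name."""
    hits = []
    for key, name, command in parse_run_entries(reg_text):
        exe = PureWindowsPath(executable_path(command)).name.lower()
        if exe in SOBER_DROP_NAMES:
            hits.append((key.split("\\")[0], name, exe))
    return hits


if __name__ == "__main__":
    for hive, name, exe in find_sober_persistence(SAMPLE_REG_EXPORT):
        print(f"{hive}\\...\\Run\\{name} -> {exe}")
```

Matching on the file name rather than the full path keeps the check independent of where %SysDir% resolves on a given host; a match is a reason to pull the file for analysis, not proof of infection on its own, since any program can be given these names.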

Propagation (E-mail)

Sober spoofs different mail clients by using one of the following X-Mailer headers:

• X-Mailer: Microsoft Outlook Express 6.00.2600.0000
• X-Mailer: Microsoft Outlook Express 5.00.3018.1300
• X-Mailer: Safety_Mail Server
• X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
• X-Mailer: Microsoft Outlook IMO, Build 9.0.

It sends e-mails with the following subjects:

In German:

• Neuer Virus im Umlauf!
• Back At The Funny Farm
• Sie versenden Spam Mails (Virus?)
• Ein Wurm ist auf Ihrem Computer!
• Langsam reicht es mir
• Sie haben mir einen Wurm geschickt!
• Hi Schnuckel was machst du so ?
• VORSICHT!!! Neuer Mail Wurm
• Re: Kontakt
• RE: Sex
• Sorry, Ich habe Ihre Mail bekommen
• Hi Olle, lange niks mehr geh
• Re: lol
• Viurs blockiert jeden PC (Vorsicht!)
• Überraschung
• Ich habe Ihre E-Mail bekommen !
• Jetzt rate mal, wer ich bin !?
• Neue Sobig Variante (Lesen!!)
• Ich Liebe Dich

In English:

• Congratulations!! Your Sobig Worms are very good!!!
• You are a very good programmer!
• Yours faithfully
• Odin alias Anon
• Odin_Worm.exe
• New internet virus!
• You send spam mails (Worm?)
• A worm is on your computer!
• You have sent me a virus!
• Hi darling, what are you doing now?
• Be careful! New mail worm
• Re: Contact
• Sorry, I've become your mail
• Hey man, long not see you
• Viurs blocked every PC (Take care!)
• Surprise
• I've become your mail!
• Advise who I am!
• New Sobig-Worm variation (please read)
• I love you (I'm not a virus!)
• I permanently get Spam-Mails from you and inside is a virus!!
• You should remove these thing.

Attachment names are picked from the following list:

• AntiVirusDoc.pif
• Check-Patch.bat
• Screen_Doku.scr
• Removal-Tool.exe
• Perversionen.scr
• CM-Recover.com
• Bild.scr
• schnitzel.exe
• robot_mail.scr
• RobotMailer.com
• Privat.exe
• AntiTrojan.exe
• Mausi.scr
• NackiDei.com
• Anti-Sob.bat
• security.pif
• Funny.scr
• Liebe.com
• Odin_Worm.exe
• check-patch.bat
• anti_virusdoc.pif
• perversion.scr
• removal-tool.exe
• screen_doc.scr
• potency.pif
• CM-Recover.com
• pic.scr
• playme.exe
• robot_mailer.pif
• private.exe
• anti-trojan.exe
• love.com
• nacked.com
• anti-Sob.bat
• NAV.pif
• funny.scr
• little-scr.scr

Variant: Sober.A

Description: Sober is an e-mail worm that sends messages in English and German, sometimes posing as a fix from an anti-virus company.
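The X-Mailer values, subject lines and attachment names above are the observable indicators of the worm's e-mail propagation, and they can be matched on a mail gateway or over a mailbox export. The script below is an added example, not part of the original description: it parses raw RFC 5322 messages with the standard `email` library and reports which indicator groups match. Both messages are constructed for the example; the attachment payloads are placeholder bytes, and the subject and attachment sets hold a subset of the page's lists that should be extended with the remaining entries.

```python
from email import policy
from email.parser import BytesParser

# X-Mailer strings the page says the worm uses (prefix match, since one entry
# is a truncated form of another).
SOBER_XMAILERS = (
    "Microsoft Outlook Express 6.00.2600.0000",
    "Microsoft Outlook Express 5.00.3018.1300",
    "Safety_Mail Server",
    "Microsoft Outlook IMO, Build 9.0.",
)

# Subset of the German and English subjects listed on the page, lower-cased.
SOBER_SUBJECTS = {
    "neuer virus im umlauf!", "ein wurm ist auf ihrem computer!",
    "sie haben mir einen wurm geschickt!", "neue sobig variante (lesen!!)",
    "new internet virus!", "a worm is on your computer!",
    "you have sent me a virus!", "new sobig-worm variation (please read)",
    "re: contact", "surprise",
}

# Subset of the attachment names listed on the page, lower-cased.
SOBER_ATTACHMENTS = {
    "antivirusdoc.pif", "anti_virusdoc.pif", "check-patch.bat", "removal-tool.exe",
    "cm-recover.com", "odin_worm.exe", "playme.exe", "security.pif", "nav.pif",
    "anti-sob.bat", "anti-trojan.exe", "antitrojan.exe", "screen_doc.scr",
}

# Constructed sample resembling the worm's "security warning" lure (not real traffic).
SUSPECT_MAIL = b"""From: support@example.invalid
To: user@example.invalid
Subject: Neuer Virus im Umlauf!
X-Mailer: Safety_Mail Server
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Bitte installieren Sie den Patch.
--b1
Content-Type: application/octet-stream; name="check-patch.bat"
Content-Disposition: attachment; filename="check-patch.bat"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

# Constructed benign message: a real Outlook Express header with a normal attachment.
BENIGN_MAIL = b"""From: bob@example.invalid
To: user@example.invalid
Subject: Re: Meeting agenda
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset=us-ascii

Here is the agenda.
--b2
Content-Type: application/pdf; name="agenda.pdf"
Content-Disposition: attachment; filename="agenda.pdf"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b2--
"""


def sober_indicators(raw):
    """Return which Sober indicator groups a raw message matches, plus a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    x_mailer = (msg.get("X-Mailer") or "").strip()
    subject = (msg.get("Subject") or "").strip().lower()
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and name.lower() in SOBER_ATTACHMENTS:
            attachments.append(name)
    result = {
        "x_mailer": any(x_mailer.startswith(p) for p in SOBER_XMAILERS),
        "subject": subject in SOBER_SUBJECTS,
        "attachments": attachments,
    }
    # A listed attachment name is the strong signal; header strings alone are
    # corroborating, because the X-Mailer values are real clients' strings.
    if attachments:
        result["verdict"] = "match"
    elif result["x_mailer"] and result["subject"]:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "clean"
    return result


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MAIL), ("benign", BENIGN_MAIL)):
        print(label, sober_indicators(raw))
```

The verdict tiers reflect how the indicators differ in specificity: the Outlook Express and Outlook IMO X-Mailer strings and generic subjects such as "Re: Contact" appear in legitimate mail, so on their own they only raise a message for review, whereas one of the listed attachment names on an executable-type attachment is worth quarantining and pulling for analysis.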

Last update 19 May 2010