Home / malware Email-Worm:W32/Sober.AA
First posted on 11 April 2007.
Source: SecurityHomeAliases :
Email-Worm:W32/Sober.AA is also known as Email-Worm.Win32.Sober.aa, Worm:Win32/Sober.AH@mm.
Explanation :
Sober.AA is a mass mailing worm that uses English and German texts in the e-mails generated by this worm.
Installation to the System
Upon execution, this worm creates the folder PoolData in the Windows directory. It then creates several copies of itself as follows:
- csrss.exe
- services.exe
- smss.exe
These files are identical to each other with a single byte difference located at offset 0xA0.
This worm also creates the following Registry entries in order to enable its automatic execution upon system start up:
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
_WinData = "[Windows directory]PoolDataservices.exe" - HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
WinData = "[Windows directory]PoolDataservices.exe"
Spreading via E-mail messages
Before spreading, this worm scans files with certain extensions on all hard disk drives to harvest e-mail addresses. All files with the following extensions are scanned:
- abc
- abd
- abx
- adb
- ade
- adp
- adr
- asp
- bak
- bas
- cfg
- cgi
- cls
- cms
- csv
- ctl
- dbx
- dhtm
- doc
- dsp
- dsw
- eml
- fdb
- frm
- hlp
- imb
- imh
- imh
- imm
- inbox
- ini
- jsp
- ldb
- ldif
- log
- mbx
- mda
- mdb
- mde
- mdw
- mdx
- mht
- mmf
- msg
- nab
- nch
- nfo
- nsf
- nws
- ods
- oft
- php
- phtm
- pl
- pmr
- pp
- ppt
- pst
- rtf
- shtml
- slk
- sln
- stm
- tbb
- txt
- uin
- vap
- vbs
- vcf
- wab
- wsh
- xhtml
- xls
- xml
This worm creates the following files, where the system harvested e-mail addresses are stored:
- spxttx1.xnt
- spxttx2.xnt
- spxttx3.xnt
It can then send e-mails with English and German based text together with a Zip archived copy of itself as an attachment.
It ignores any email addresses that contain any of the following substrings:
- america.hm
- arcor.de
- asia
- australiamail
- Avast
- bluewin.ch
- cia.gov
- e-mail.dk
- F-Secure
- gmail
- heise.de
- icqmail
- lycos
- newyork
- sophos
- swissinfo.org
- trendMicro
- webmails
- zonnet.nl
The worm composes the following German messages:
Subject:
- Ihr Passwort wurde geaendert!
Body:
- Ihr Passwort wurde erfolgreich geaendert.
Ihre neuen Account-Daten und Passwort befinden sich gesichert im Anhang!
**-** Web: http://www.[spoofed]
**-** E-Mail: [spoofed]
Attachment:
- Passw_Data.zip
--- or ---
Subject:
- Fehlerhafte Mailzustellung
Body:
- Diese Nachricht wurde Automatisch generiert.
- Ihre EMail konnte nicht empfangen oder gesendet werden.
- Mail-Text sowie Mail-Header befinden sich im Anhang.
*** auto mailerdaemon XPath 7
*** (c) by [spoofed]
Attachment:
- Mail_Data.zip
--- or ---
Subject:
- Ihr Account wurde eingerichtet!
Body:
- Danke das Sie sich fuer uns entschieden haben.
Um ihren neuen Account zu aktivieren, folgen sie der kurzen Anleitung im Anhang. Es sind nur 2 Schritte noetig!
***** Web: http://www.[spoofed]
***** E-Mail: [spoofed]
Attachment:
- Anleitung.zip
It also composes the following English messages:
Subject:
- Your Updated Password!
Body:
- You notified us that you have forgotten your password.
We have changed your password to a random sequence of letters and digits!
For more detailed information, see the attached password file ...
**** Web: http://www. [spoofed]
**** eMail: [spoofed]
Attachment:
- Passw_Data.zip
--- or ---
Subject:
- Error in your eMail
Body:
- Your eMail has occurred an unknown error on our Server.
Please read your mail and check the text.
The full email is attached!
*** auto mailerdaemon X.Path 4.2
*** (c) by [spoofed]
Attachment:
- Mail_Data.zip
These e-mail messages may appear to come from the following senders:
- Admin
- Hostmaster
- Postmaster
- Webmaster
Last update 11 April 2007