Home / malwarePDF  

Email-Worm:W32/Sober.D


First posted on 27 July 2010.
Source: SecurityHome

Aliases :

There are no other names known for Email-Worm:W32/Sober.D.

Explanation :

A worm that spreads via e-mail, usually in infected executable e-mail file attachments.

Additional DetailsEmail-Worm:W32/Sober.D was found in Germany on early morning of March 8th, 2004. Similar to previous Sober variants, it sends emails in both German and English. Sober.D pretends to be a MS update to remove the MyDoom worm. The worm spreads itself as an EXE attachment or inside a ZIP archive.

The worm is written in Visual Basic. The worm's file is packed with a modified version of UPX file compressor. It has its own SMTP engine that it uses to send out infected e-mail messages.


Installation

When the worm's file is started on a clean system, it shows the following messagebox:



If the worm's file is started on an already infected computer, the following messagebox is shown:



Please note that the file name in the messagebox's caption may vary depending on the worm's executable attachment name.

The worm copies itself to Windows System folder once, with a semi-randomly generated name and creates a startup key for this file in System Registry. The worm uses the following fixed text strings to generate the name of its file:

€ sys € host € dir € explorer € win € run € log € 32 € disc € crypt € data € diag € spool € service € smss32
The worm creates a file named MSLOGS32.DLL, where it stores all e-mail addresses harvested from an infected computer. The worm also creates 3 empty files in the same folder:

€ HUMGLY.LKUR € ZMNDPGWF.KXX € YFJH.YQWM
Additionally the worm creates 2 mime-encoded copies of its executable file and a ZIP archive in Windows System folder with the following names:

€ WINTMPX33.DAT € TEMP32X.DATA
The worm creates several startup Registry keys its semi-randomly named file in System Registry:

€ [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] € [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
The subkey name that is created by the worm is semi-randomly generated too. The value of a subkey is the path the worm's file in Windows System folder.

Propagation (E-mail)

The worm scans files with certain extensions on all hard disks to harvest e-mail addresses. Files with the following extensions are scanned:

€ ini € log € mdb € tbb € abd € adb € pl € rtf € doc € xls € txt € wab € eml € php € asp € shtml € dbx € wab € tbb € abd € adb € pl
The worm saves all found e-mail addresses to MSLOGS32.DLL file located in Windows System folder. This is an ASCII file, not a binary file.

The worm sends e-mail messages with German and English texts. When sending a message to an e-mail address, that has domain suffix DE, CH, AT, LI, NL or BE as well as the e-mail address contains '@GMX' substring, the worm uses German text strings, otherwise it composes a message in English.

Here's how the English e-mail sent by the worm looks like:

Subject:
Microsoft Alert: Please Read!

Body:
New MyDoom Virus Variant Detected!

A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through
the Internet.
Anti-virus vendor Central Command claims that 1 in 45 e-mails contains
the MyDoom virus.
The worm also has a backdoor Trojan capability.
By default, the Trojan component listens on port 13468.

Protection:
Please download this digitally signed attachment.
This Update includes the functionality of previously released patches.

+++ c2004 Microsoft Corporation. All rights reserved.
+++ One Microsoft Way, Redmond, Washington 98052
+++ Restricted Rights at 48 CFR 52.227-19

Here's how the German e-mail sent by the worm looks like:

Subject:
Microsoft Alarm: Bitte Lesen!

Body:
Neue Virus-Variante W32.Mydoom verbreitet sich schnell.

Eine neue Mydoom-Variante verbreitet sich derzeit rasend schnell im Internet.
Wie seine Vorganger verschickt sich der Wurm von infizierten Windows-
Rechnern per E-Mail an weitere Adressen.
Zudem installiert er auf infizierten Systemen einen gefahrlichen Trojaner!
Fuhrende Virenspezialisten melden bereis ein vermehrtes Aufkommen des
W32.Mydoom alias W32.Novarg.

Bitte daten Sie Ihr System mit dem Patch ab, um sich vor diesem Schadling
zu schutzen!

+++ c2004 Microsoft Corporation. Alle Rechte vorbehalten.
+++ Microsoft Deutschland GmbH, Konrad-Zuse-Strasse 1
+++ 85716 Unterschleissheim, HRB 70438, DE 129 415 943

The sender's address is faked. The sender's name can be one of the following:

€ Info € Center € UpDate € News € Help € Studio € Alert € Patch € Security
The domain of the sender's name always has '@microsoft' string followed by '.DE' or '.AT' suffixes for German messages and by '.COM' suffix for English messages.

The worm sends itself as an attachment with EXE extension or inside a ZIP archive. The attachment name varies and can contain one of the following:

€ Patch € MS-Security € MS-UD € UpDate € sys-patch
Additionally the attachment name can contain random numbers.

The worm avoids sending messages to e-mail addresses containing one of the following:

€ abuse € winrar € domain. € host. € viren € bitdefender € spybot € hotmail € detection € ewido. € emsisoft € linux € google € @foo. € winzip € @arin € mozilla € @iana € @avp € @msn. € microsoft. € @sophos € @panda € symant € ntp- € ntp@ € @ntp. € @kaspers € free-av € antivir € virus € verizon. € @ikarus. € @nai € @messagelab € clock € info@ € t-online

Detection

Detection of Sober.D worm is available in the following FSAV updates:

[FSAV_Database_Version]
Version=2004-03-08_01

Last update 27 July 2010

 

TOP