Email-Worm.Win32.Sober.u, .v, .w

11.15.05 09:30 GMT

Status : moderate risk

Kaspersky Lab has detected three new variants of Sober: Email-Worm.Win32.Sober.u, Email-Worm.Win32.Sober.v, and Email-Worm.Win32.Sober.w

The worm spreads as an attachment to infected messages. The attached file, which contains the body of the worm, is approximately 130KB in size.

Possible attachment names include:

Word-Text_packedList.exe
Word-Text_packedList.zip
Word-Text.zip
Reg-List-Dat_Packer2.exe
Exceltab-packed_List.exe
reg_text.zip
Liste.zip

Kaspersky Anti-Virus databases have been updated with detection for the three latest variants. Users are strongly recommended to update their antivirus databases.

Email-Worm.Win32.Sober.u

Several modified variants of this worm, which is written in Visual Basic, have been detected; the differences between them are very minor. The dropper is 139.040 KB in size. The actual worm is 129.568 bytes in packed size.

Installation

When the dropper is executed, it drops the main file into the Windows directory; the filename consists of eight random letters and varies for each Sober.u modification.

Sober creates the following directory:

%windir%\ConnectionStatus\Microsoft

A copy of the worm named services.exe is dropped into this directory.

The file residing in %windir% will then launch services.exe and close.

The following files are also created in %windir%\ConnectionStatus\Microsoft\:

concon.www - this file will contain the email addresses harvested from the system.
sacdata.dta - this file is empty

The following zero-byte files are created in %systemdir%:

bbvmwxxf.hml
gdfjgthv.cvq
langeinf.lin
nonrunso.ber
rubezahl.rub
runstop.rst

The worm creates the following registry keys to ensure that it gets executed during Windows startup:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" WinCheck"="%windir%\ConnectionStatus\Microsoft\services.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"_WinCheck"="%windir%\ConnectionStatus\Microsoft\services.exe"
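The persistence entries and marker files above are the host-side indicators an incident responder would check for on a suspect machine. The script below is an added example, not part of the original alert or a Kaspersky tool: it parses a (constructed) Registry export of the two Run keys and a (constructed) file listing, and reports entries that match the artifacts the alert describes. The sample data, the tolerance for the value name (the alert shows " WinCheck" under HKLM and "_WinCheck" under HKCU, so both are matched) and the benign entries are assumptions for illustration.

```python
import re

# Registry Run keys the alert says are used for persistence (as they appear in a .reg export).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# The alert lists the value name as " WinCheck" (leading space) in HKLM and "_WinCheck" in HKCU.
VALUE_NAME_RE = re.compile(r"^[ _]WinCheck$")
# Path of the dropped copy: %windir%\ConnectionStatus\Microsoft\services.exe
DROP_PATH_RE = re.compile(r"\\ConnectionStatus\\Microsoft\\services\.exe$", re.IGNORECASE)

# Zero-byte marker files the alert says are created in the system directory.
MARKER_FILES = {"bbvmwxxf.hml", "gdfjgthv.cvq", "langeinf.lin",
                "nonrunso.ber", "rubezahl.rub", "runstop.rst"}


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers followed by
    "name"="data" lines. Returns a list of (key, value_name, data) tuples.
    Backslashes are doubled in .reg exports, so they are unescaped here."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and line.startswith('"'):
            m = re.match(r'^"(.*?)"\s*=\s*"(.*)"$', line)
            if m:
                entries.append((current_key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def registry_findings(entries):
    """Return Run entries whose value name or target path matches the Sober.u pattern."""
    return [(key, name, data) for key, name, data in entries
            if key in RUN_KEYS and (VALUE_NAME_RE.match(name) or DROP_PATH_RE.search(data))]


def marker_findings(file_listing):
    """file_listing: iterable of (path, size_in_bytes).
    Report files carrying one of the marker names that are actually empty;
    a same-named file with content is left for manual triage."""
    hits = []
    for path, size in file_listing:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in MARKER_FILES and size == 0:
            hits.append(path)
    return hits


# Constructed sample data (hypothetical host; the "Updater" entry is a benign decoy).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
" WinCheck"="C:\\WINDOWS\\ConnectionStatus\\Microsoft\\services.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"_WinCheck"="C:\\WINDOWS\\ConnectionStatus\\Microsoft\\services.exe"
'''

SAMPLE_FILES = [
    (r"C:\WINDOWS\system32\runstop.rst", 0),
    (r"C:\WINDOWS\system32\rubezahl.rub", 0),
    (r"C:\WINDOWS\system32\notepad.exe", 69120),
    (r"C:\WINDOWS\system32\langeinf.lin", 12),   # marker name but not empty: not reported
]


def scan(reg_text=SAMPLE_REG, files=SAMPLE_FILES):
    """Run both checks and return the findings as a dict."""
    return {"registry": registry_findings(parse_reg_export(reg_text)),
            "markers": marker_findings(files)}


if __name__ == "__main__":
    for category, hits in scan().items():
        print(category)
        for hit in hits:
            print("  ", hit)
```

On a live system the same two functions can be fed the output of `reg export` for each Run key and a recursive directory listing of the system directory; the parsing deliberately stays text-based so the check can also be run against exports collected from a machine that is no longer online.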

The worm connects to a number of time servers to check the time and date.

Depending on the date the worm will perform one of two actions:

- Spread like an Email-Worm by sending out copies of itself
- Check specified sites for files to download

Propagation via email

The worm harvests email addresses from files with the following extensions:

pmr
phtm
stm
slk
inbox
imb
csv
bak
imh
xhtml
imm
imh
cms
nws
vcf
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx

Sober.u spreads in two different languages, English and German.

It uses English for all domains except for those which have the following suffix:

.de
.ch
.at
.li

or the following string:

gmx.

Infected messages

English message:

Message subject:

Registration Confirmation

Message body:

Thanks for your registration.
Your data are saved in the zipped Word.doc file!

Attachment name:

registration.zip

German message:

Message subject:

Haben Sie diese EMail verschickt?

Message body:

Um es vorweg zu sagen: Ich bin kurz davor eine Anzeige gegen Sie zu erstatten!
Sie spinnen ja wohl! Die E-Mail hat meine Tochter gelesen!!!!!!

Ich habe Ihnen diese Word-Text Datei zu meiner Entlastung zurueckgeschickt.
Es waere von Vorteil, wenn Sie sich dazu aeussern wuerden!!

Attachment name:

Starts with:

Word -Text
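The subjects, bodies and attachment names above, together with the attachment names listed at the top of the alert and the approximate 130KB attachment size, are the mail-side indicators a gateway filter or mailbox sweep would look for. The following is an added example and not code from the alert or from Kaspersky: it builds four constructed messages with Python's standard email library and reports which of the alert's indicators each one matches. The size window around 130KB, the benign sample message and the sender addresses are assumptions.

```python
from email.message import EmailMessage

# Attachment names from the alert (the initial list plus the English template's registration.zip).
KNOWN_ATTACHMENTS = {
    "word-text_packedlist.exe", "word-text_packedlist.zip", "word-text.zip",
    "reg-list-dat_packer2.exe", "exceltab-packed_list.exe", "reg_text.zip",
    "liste.zip", "registration.zip",
}
# Subjects of the English and German templates.
KNOWN_SUBJECTS = {"registration confirmation", "haben sie diese email verschickt?"}
# The German template's attachment "starts with Word -Text"; the list also uses "Word-Text".
ATTACHMENT_PREFIXES = ("word-text", "word -text")
SUSPICIOUS_EXT = (".exe", ".zip")
# The alert says the attachment is approximately 130KB; the window is an assumption.
SIZE_RANGE = (120_000, 145_000)


def sober_indicators(msg):
    """Return a list of human-readable reasons why msg matches the Sober.u alert."""
    reasons = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append(f"known subject: {msg['Subject']}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        size = len(part.get_payload(decode=True) or b"")
        if name in KNOWN_ATTACHMENTS:
            reasons.append(f"known attachment name: {name}")
        elif name.startswith(ATTACHMENT_PREFIXES) and name.endswith(SUSPICIOUS_EXT):
            reasons.append(f"attachment name matches Word-Text prefix: {name}")
        if name.endswith(SUSPICIOUS_EXT) and SIZE_RANGE[0] <= size <= SIZE_RANGE[1]:
            reasons.append(f"exe/zip attachment of roughly 130KB: {name} ({size} bytes)")
    return reasons


def make_message(subject, body, filename=None, size=0):
    """Construct a sample message; the attachment is a zero-filled blob of the given size."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(b"\x00" * size, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg


def sample_messages():
    """Constructed samples: two template matches, one name-only match, one benign message."""
    return [
        make_message("Registration Confirmation",
                     "Thanks for your registration.\n"
                     "Your data are saved in the zipped Word.doc file!\n",
                     "registration.zip", 130_000),
        make_message("Haben Sie diese EMail verschickt?",
                     "Um es vorweg zu sagen: Ich bin kurz davor eine Anzeige gegen Sie zu erstatten!\n",
                     "Word -Text.zip", 129_568),
        make_message("Ihre Unterlagen", "Anbei die Liste.\n",
                     "Reg-List-Dat_Packer2.exe", 131_000),
        make_message("Quarterly report", "Attached as discussed.\n", "report.pdf", 130_000),
    ]


def triage(messages):
    """Map each message's subject to the indicators it matched."""
    return {str(m["Subject"]): sober_indicators(m) for m in messages}


if __name__ == "__main__":
    for subject, reasons in triage(sample_messages()).items():
        print(subject, "->", reasons or "no indicators")
```

A name or subject match alone is a strong signal for this worm because the templates are fixed strings; the size check on its own is only a weak hint and is reported separately so a filter can weight it accordingly.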

Other

This worm also drops another malicious file: not-a-virus:PSWTool.Win32.PassView.162 is written to the system directory.
This tool is used to spy on passwords.

Like previous variants, Sober.u uses an exclusive lock to make removal difficult.

Removal

Make sure your Kaspersky Anti-Virus bases are up to date.
Perform a full system scan and delete all files detected as Email-Worm.Win32.Sober.u and not-a-virus:PSWTool.Win32.PassView.162.
