Other versions: .a, .c, .e, .f, .g, .j, .n, .p, .s, .v, .y
Email-Worm.Win32.Sober.q (Kaspersky Lab)
is also known as:
Worm.Win32.Sober.q (Kaspersky Lab),
W32/Sober.gen@MM (McAfee), Trojan.Ascetic.C (Symantec), Win32.HLLM.Generic.355 (Doctor Web), Troj/Sober-Q (Sophos), WORM_SOBER.U (Trend Micro), Worm/Sober.Q (H+BEDV), W32/Sober.P@mm (FRISK), I-Worm/Sober.Q (Grisoft), Win32.Sober.Q@mm (SOFTWIN), Worm.Sober.Q (ClamAV), Trj/Sober.W (Panda), Win32/Sober.P (Eset)
Detection added: May 14 2005 18:47 GMT
Description added: May 16 2005
Behavior: Email Worm
This worm is written using the source code of Email-Worm.Win32.Sober. However,
it is unable to self-replicate (previous versions of Sober spread as attachments
to infected messages). Instead of replicating, Sober.q sends right-wing spam
to victims.
The worm itself is a PE EXE file, written in Visual Basic and packed using
UPX. The packed file is approximately 53KB in size, and the unpacked file is
approximately 158KB in size. Sober.q infects computers which have already been
infected by Sober.p: Sober.p downloads Sober.q from a range of sites.
Installation
Once launched, the worm copies itself to the %WINDIR%\Help\Help directory under the
following names:
csrss.exe
services.exe
smss.exe
The worm then registers its services.exe copy in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
SystemBoot=%windir%\help\help\services.exe
This ensures that a copy of the worm will be launched each time Windows is
rebooted on the victim machine.
Sober.q also changes the registry key:
[...\exefile\shell\open\command]
which ensures that the worm will gain control whenever any executable file
is launched on the infected machine.
It also drops the following files:
adcmmmmq.hjg
fastso.ber
gdfjgthv.cvq
langeinf.lin
sacri2.ggg
sacri3.ggg
sysonce.tst
seppelmx.smx
xcvfpokd.tqa
The worm scans files with the following extensions:
abc
abd
abx
adb
ade
adp
adr
asp
bak
bas
cfg
cgi
cls
cms
csv
ctl
dbx
dhtm
doc
dsp
dsw
eml
fdb
frm
hlp
imb
imh
imm
inbox
ini
jsp
ldb
ldif
log
mbx
mda
mdb
mde
mdw
mdx
mht
mmf
msg
nab
nch
nfo
nsf
nws
ods
oft
php
phtm
pl
pmr
pp
ppt
pst
rtf
shtml
slk
sln
stm
tbb
txt
uin
vap
vbs
vcf
wab
wsh
xhtml
xls
xml
and harvests email addresses from these files. Harvested addresses are saved
in files with the following names:
voner1.von
voner2.von
voner3.von
However, Sober.q does not harvest addresses which contain the following text:
.dial.
.kundenserver.
.ppp.
.qmail@
.sul.t-
@arin
@avp
@ca.
@example.
@foo.
@from.
@gmetref
@iana
@ikarus.
@kaspers
@messagelab
@nai.
@panda
@smtp.
@sophos
@www
abuse
announce
antivir
anyone
anywhere
bellcore.
bitdefender
clock
-dav
detection
domain.
emsisoft
ewido.
freeav
free-av
ftp.
gold-certs
google
host.
iana-
iana@
icrosoft.
ipt.aol
law2
linux
mailer-daemon
mozilla
mustermann@
nlpmail01.
noreply
nothing
ntp-
ntp.
ntp@
reciver@
secure
smtp-
somebody
someone
spybot
sql.
subscribe
t-dialin
test@
time
t-ipconnect
user@
variabel
verizon.
viren
virus
whatever@
whoever@
winrar
winzip
you@
yourname
The worm also creates a file called %system%\Spammer.ReadMe, which contains
the following:
[link]
[link]
Ich bin immer noch kein Spammer!
Aber sollte vielleicht einer werden :)
In diesem Sinne
(English: "I am still not a spammer! But maybe I should become one :) In that spirit")
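The following host triage script is an added example, not part of the Kaspersky write-up, that checks a Windows machine for the installation artifacts described above: the three worm copies in %WINDIR%\Help\Help, the SystemBoot Run value, the altered exefile open command, and the Spammer.ReadMe marker. It assumes (the write-up does not say) that the other dropped files and the voner*.von address files sit in the same %WINDIR%\Help\Help directory.

```powershell
# Added triage example for Email-Worm.Win32.Sober.q artifacts (not Kaspersky's code).
# Assumption: dropped files and voner*.von are looked for in %WINDIR%\Help\Help.
$helpDir = Join-Path $env:WINDIR 'Help\Help'
$wormCopies = 'csrss.exe', 'services.exe', 'smss.exe'
$droppedFiles = 'adcmmmmq.hjg', 'fastso.ber', 'gdfjgthv.cvq', 'langeinf.lin',
                'sacri2.ggg', 'sacri3.ggg', 'sysonce.tst', 'seppelmx.smx', 'xcvfpokd.tqa',
                'voner1.von', 'voner2.von', 'voner3.von'
$findings = @()

# 1. csrss.exe, services.exe and smss.exe are legitimate only in %WINDIR%\System32;
#    any copy under %WINDIR%\Help\Help is suspect. Dropped files checked in the same place.
foreach ($name in ($wormCopies + $droppedFiles)) {
    $path = Join-Path $helpDir $name
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# 2. Persistence: Run value "SystemBoot" pointing at help\help\services.exe.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['SystemBoot']) {
    $findings += "Run value SystemBoot = $($run.SystemBoot)"
}

# 3. EXE handler hijack: the default exefile open command is normally exactly "%1" %*.
$cmdKey = 'HKLM:\Software\Classes\exefile\shell\open\command'
$cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
if ($cmd -and $cmd -ne '"%1" %*') { $findings += "exefile open command altered: $cmd" }

# 4. Marker file the worm writes to the system directory.
$readme = Join-Path ([Environment]::SystemDirectory) 'Spammer.ReadMe'
if (Test-Path -LiteralPath $readme) { $findings += "File present: $readme" }

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output 'No Sober.q artifacts found.'
}
```

Run it from an elevated prompt so HKLM and the Windows directory are readable; any "[!]" line warrants pulling the file and Run value for further analysis.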
The worm sends German spam to addresses with the following domains:
at
ch
de
gmx
li
Recipients in all other domains receive messages in English. The worm has
several dozen different messages and links coded into it, so messages vary widely.
However, all messages and links have a right-wing topic, and lead to right-wing
sites.
Payload
Like previous versions, Sober.q monitors a fixed list of NTP
servers, and synchronizes system time and date with these servers. If the date
is 11.5.2005 or later, it will attempt to download and execute files from one
of the following addresses:
free.pages.at
home.arcor.de
home.pages.at
people.freenet.de
scifi.pages.at
Sober.q also attempts to terminate applications which contain the following
text strings:
fxsob
gcas
gcip
giantanti
inetupd.
microsoftanti
hijack
nod32kui
nod32.
sober
s-t-i-n-g