Other versions: .a, .c, .e, .f, .g, .j, .n, .p, .q, .s, .v
| Detection added | Nov 16 2005 |
| Description added | Nov 23 2005 |
| CME-ID | CME-681 |
| Behavior | Email Worm |
This worm spreads via the Internet as an attachment to infected messages.
It sends itself to addresses harvested from the victim machine.
The worm itself is a Windows PE EXE file written in Visual Basic and packed
using UPX. The packed file is 55390 bytes in size and the unpacked file is 198750
bytes in size.
Installation
Once launched, the worm causes a fake error message to be displayed.
When installing, the worm creates a folder named "WinSecurity" in the Windows
root directory. It copies itself to this folder 3 times under the following
names:
%Windir%\WinSecurity\csrss.exe
%Windir%\WinSecurity\services.exe
%Windir%\WinSecurity\smss.exe
The worm also creates the following files in the same folder:
%Windir%\WinSecurity\mssock1.dli
%Windir%\WinSecurity\mssock2.dli
%Windir%\WinSecurity\mssock3.dli
%Windir%\WinSecurity\winmem1.ory
%Windir%\WinSecurity\winmem2.ory
%Windir%\WinSecurity\winmem3.ory
Email addresses harvested from the victim machine will be saved in these files.
The worm then registers itself in the system registry, ensuring that it will
be launched each time Windows is rebooted on the victim machine:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows" = "%Windir%\WinSecurity\services.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"_Windows" = "%Windir%\WinSecurity\services.exe"
The worm also creates base64-encoded copies of itself under the following
names:
%Windir%\WinSecurity\socket1.ifo
%Windir%\WinSecurity\socket2.ifo
%Windir%\WinSecurity\socket3.ifo
The worm also creates empty files in the Windows system directory. The empty
files have the following names:
%System%\bbvmwxxf.hml
%System%\filesms.fms
%System%\langeinf.lin
%System%\nonrunso.ber
%System%\rubezahl.rub
%System%\runstop.rst
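A host check for the file and registry artifacts listed in this section, added here as an example that is not part of the original description. The default %Windir% and %System% roots and the use of winreg on a live Windows host are assumptions; the matching itself runs on any platform when given a file listing and the Run-key values.

```python
import os
import sys

# Artifacts from the description above; paths are relative to %Windir% and %System%.
WINSECURITY_FILES = ["csrss.exe", "services.exe", "smss.exe",
                     "mssock1.dli", "mssock2.dli", "mssock3.dli",
                     "winmem1.ory", "winmem2.ory", "winmem3.ory",
                     "socket1.ifo", "socket2.ifo", "socket3.ifo"]
SYSTEM_MARKER_FILES = ["bbvmwxxf.hml", "filesms.fms", "langeinf.lin",
                       "nonrunso.ber", "rubezahl.rub", "runstop.rst"]
# Run-key values the worm registers: (hive, value name, expected data suffix).
RUN_VALUES = [("HKLM", "Windows", r"\WinSecurity\services.exe"),
              ("HKCU", "_Windows", r"\WinSecurity\services.exe")]
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

def expected_paths(windir, system):
    """All file paths the worm creates, given the %Windir% and %System% roots."""
    return ([windir + "\\WinSecurity\\" + n for n in WINSECURITY_FILES] +
            [system + "\\" + n for n in SYSTEM_MARKER_FILES])

def check_artifacts(existing_paths, run_entries, windir=r"C:\Windows", system=r"C:\Windows\system32"):
    """Return matched indicators. existing_paths: files present on the host (any case);
    run_entries: hive ("HKLM"/"HKCU") -> {value name: data} of that hive's Run key."""
    present = {p.lower() for p in existing_paths}
    hits = [f"file:{p}" for p in expected_paths(windir, system) if p.lower() in present]
    for hive, name, suffix in RUN_VALUES:
        data = run_entries.get(hive, {}).get(name, "")
        if data.lower().endswith(suffix.lower()):
            hits.append(f"registry:{hive}\\{RUN_KEY}\\{name}={data}")
    return hits

def scan_live_host():
    """Collect the inputs from the running Windows host and check them (empty elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module, hence the local import
    windir = os.environ.get("SystemRoot", r"C:\Windows")  # assumed default root
    system = windir + "\\system32"
    existing = [p for p in expected_paths(windir, system) if os.path.exists(p)]
    run = {}
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        run[hive_name] = {}
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
                    name, data, _ = winreg.EnumValue(key, i)
                    run[hive_name][name] = str(data)
        except OSError:  # key missing or access denied: treat as no entries
            pass
    return check_artifacts(existing, run, windir, system)
```

Feeding `check_artifacts` a file listing and a registry export lets the same check run offline against evidence collected from another machine.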
Propagation via email
The worm sends itself to addresses harvested from files with the following
extensions:
abc
abd
abx
adb
ade
adp
adr
asp
bak
bas
cfg
cgi
cls
cms
csv
ctl
dbx
dhtm
doc
dsp
dsw
eml
fdb
frm
hlp
imb
imh
imm
inbox
ini
jsp
ldb
ldif
log
mbx
mda
mdb
mde
mdw
mdx
mht
mmf
msg
nab
nch
nfo
nsf
nws
ods
oft
php
phtm
pl
pmr
pp
ppt
pst
rtf
shtml
slk
sln
stm
tbb
txt
uin
vap
vbs
vcf
wab
wsh
xhtml
xls
xml
It establishes a direct connection to the recipient's SMTP server to send
messages.
It does not harvest addresses containing the following text strings:
aero
com
coop
edu
gov
info
int
museum
name
net
org
pro
Infected messages
The worm arrives in a ZIP archive attached to infected messages. The archive
contains the worm's executable file. If the recipient's address contains one of
the following strings:
.at
.ch
.de
.gmx
.li
then the sender field may contain one of the following strings:
@bka
@cia
@fbi
@rtl
Example of an infected message:
Message subject
- Account Information
- Ermittlungsverfahren wurde eingeleitet
- hi, ive a new mail address
- Ihr Passwort
- Mail delivery failed
- Mailzustellung wurde unterbrochen
- Paris Hilton & Nicole Richie
- Registration Confirmation
- RTL: Wer wird Millionaer
- Sehr geehrter Ebay-Kunde
- Sie besitzen Raubkopien
- smtp mail failed
- SMTP Mail gescheitert
- You visit illegal websites
- Your IP was logged
- Your Password
Message body
Account and Password Information are attached!
***** Go to: http://www.[recipient's domain name]
***** Email: postman@[recipient's domain name]
Protected message is attached!
***** Go to: http://www.[recipient's domain name]
***** Email: postman@[recipient's domain name]
This is an automatically generated Delivery Status Notification.
SMTP_Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.
The full mail-text and header is attached!
hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not sure!
plz read and check ...
cyaaaaaaa
Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.
Important:
Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison
*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000
Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.
Important:
Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison
++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505
++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time
The Simple Life:
View Paris Hilton & Nicole Richie video clips , pictures & more ;)
Download is free until Jan, 2006!
Please use our Download manager.
Ihre Nutzungsdaten wurden erfolgreich geaendert. Details entnehmen Sie bitte
dem Anhang.
*** http://www.[recipient's domain name]
*** E-Mail: PassAdmin@[recipient's domain name]
Sehr geehrte Dame, sehr geehrter Herr,
das Herunterladen von Filmen, Software und MP3s ist illegal und somit strafbar.
Wir moechten Ihnen hiermit vorab mitteilen, dass Ihr Rechner unt er der IP erfasst
wurde. Der Inhalt Ihres Rechner wurde als Beweismittel sichergestellt und es
wird ein Ermit
Die Strafanzeige und die Moeglichkeit zur Stellungnahme wird Ihnen in den naechsten
Tagen schriftlic
Aktenzeichen NR.:# (siehe Anhang)
Hochachtungsvoll
i.A. Juergen Stock
--- Bundeskriminalamt BKA
--- Referat LS 2
--- 65173 Wiesbaden
--- Tel.: +49 (0)611 - 55 - 12331 oder
--- Tel.: +49 (0)611 - 55 – 0
Glueckwunsch: Bei unserer EMail Auslosung hatten Sie und weitere neun Kandidaten
Glueck.
Sie sitzen demnaechst bei Guenther Jauch im Studio!
Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.
+++ RTL interactive GmbH
+++ Geschaeftsfuehrung: Dr. Constantin Lange
+++ Am Coloneum 1
+++ 50829 Koeln
+++ Fon: +49(0) 221-780 0 oder
+++ Fon: +49 (0) 180 5 44 66 99
Attachment name:
admin.zip
akte.zip
downloadm.zip
ebay.zip
email.zip
email_text.zip
hostmaster.zip
info.zip
list.zip
mail.zip
mail_body.zip
mailtext.zip
postman.zip
postmaster.zip
question_list.zip
reg_pass.zip
reg_pass-data.zip
service.zip
webmaster.zip
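Mail-gateway matching for the lure subjects, attachment names and spoofed senders listed above, added here as an example that is not part of the original description. The sample message is constructed, and the sender and recipient domains in it are placeholders.

```python
from email import message_from_string

# Indicator strings copied from the description above.
SUBJECTS = {s.lower() for s in [
    "Account Information", "Ermittlungsverfahren wurde eingeleitet",
    "hi, ive a new mail address", "Ihr Passwort", "Mail delivery failed",
    "Mailzustellung wurde unterbrochen", "Paris Hilton & Nicole Richie",
    "Registration Confirmation", "RTL: Wer wird Millionaer", "Sehr geehrter Ebay-Kunde",
    "Sie besitzen Raubkopien", "smtp mail failed", "SMTP Mail gescheitert",
    "You visit illegal websites", "Your IP was logged", "Your Password"]}
ATTACHMENTS = {"admin.zip", "akte.zip", "downloadm.zip", "ebay.zip", "email.zip",
               "email_text.zip", "hostmaster.zip", "info.zip", "list.zip", "mail.zip",
               "mail_body.zip", "mailtext.zip", "postman.zip", "postmaster.zip",
               "question_list.zip", "reg_pass.zip", "reg_pass-data.zip",
               "service.zip", "webmaster.zip"}
RECIPIENT_HINTS = (".at", ".ch", ".de", ".gmx", ".li")   # recipients that get the spoofed senders
SPOOFED_SENDERS = ("@bka", "@cia", "@fbi", "@rtl")

def attachment_names(msg):
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]

def score_message(raw):
    """Match one RFC 822 message against the worm's mail indicators; returns the hits."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    sender = (msg.get("From") or "").lower()
    recipient = (msg.get("To") or "").lower()
    hits = {}
    if subject in SUBJECTS:
        hits["subject"] = subject
    if known := [n for n in attachment_names(msg) if n in ATTACHMENTS]:
        hits["attachment"] = known
    # The spoofed sender is only used against recipients matching the domain hints.
    if any(h in recipient for h in RECIPIENT_HINTS) and any(s in sender for s in SPOOFED_SENDERS):
        hits["spoofed_sender"] = sender
    return hits

# Constructed sample message (not a real capture); domains are placeholders.
SAMPLE = """From: postman@fbi.example
To: user@example.de
Subject: Your IP was logged
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="question_list.zip"
Content-Disposition: attachment; filename="question_list.zip"

--b1--
"""
```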
Other
Email-Worm.Win32.Sober.y will terminate processes if the process names contain
the following strings:
aswclnr
avwin.
brfix
fxsbr
gcas
gcip
giantanti
guardgui.
hijack
inetupd.
microsoftanti
nod32.
nod32kui
s_t_i_n
sober
s-t-i-n
stinger
It will also search for and terminate a process called “MRT.EXE”
(Microsoft Windows Malicious Software Removal Tool).