W32/Sober.b@MM

This page shows details and results of our analysis of the malware W32/Sober.b@MM.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT: 4310 (2003-12-21)

Updated DAT: 4633 (2005-11-21)

Minimum Engine: 5.1.00

File Length: 54,784 bytes (may be larger)

Description Added: 2003-12-18

Description Modified: 2003-12-18

Malware Proliferation

Characteristics

-- Update 18th December 2003 --
This threat is considered to be a Low-Profiled risk due to media attention at:
http://www.pcworld.idg.com.au/index.php?id=1125097465&fp=2&fpid=1

This detection is for a mass-mailing worm written in Visual Basic. Like its predecessor (W32/Sober.a@MM), the worm has the following characteristics:

  • contains its own SMTP engine
  • target email addresses are harvested from the victim machine
  • the worm may carry garbage at the end of the file, so the file size may be larger than 54,784 bytes
  • outgoing messages may be formatted with varying subject lines and message bodies (in English and German)
  • two processes run on the victim machine to ensure the worm stays memory resident; if one process is terminated, the other restarts it very quickly

Mail Propagation

The worm extracts target email addresses from the victim machine and writes them to the file MSCOLMON.OCX in %SysDir%. For example:

  • C:\WINNT\SYSTEM32\MSCOLMON.OCX

Outgoing messages are constructed using the worm's own SMTP engine. The messages may be written in either English or German, and the attachment filename varies.

Messages are formatted with various subject lines, body contents and attachment filenames, including the following examples:

Subject Lines:

  • Hihi, ich war auf deinem Computer.
  • Du bist Ge-Hackt worden
  • Ich habe Sie Ge-Hackt
  • Der Kannibale von Rotenburg
  • You Got Hacked
  • George W. Bush plans new wars
  • George W. Bush wants a new war
  • Have you been hacked?

Attachment:

  • DATEN-TEXT.PIF
  • DATEILIST.PIF
  • SERVER.COM
  • YOURLIST.PIF
  • WWW.GWBUSH-NEW-WARS.COM
  • WWW.HCKET-USER-PCS.COM
  • ALLFILES.CMD

Installation

Upon execution, one of several possible fake error messages is displayed.

The worm installs itself into %SysDir% on the victim machine:

  • %SysDir%\SPOOLER.EXE

Additionally, and in common with W32/Sober.a@MM, two further copies of the worm are dropped into %SysDir% under varying filenames. For example:

  • %SysDir%\EKQVDLASVC.EXE
  • %SysDir%\RZHCRYPT.EXE
  • %SysDir%\ENDSVC.EXE
  • %SysDir%\SVCDLL.EXE

These latter two files are responsible for ensuring that the worm stays resident in memory. If one worm process is terminated, the other copy restarts it very quickly.

System startup is hooked via two Registry keys, each pointing to one of these latter copies of the worm. For example:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "(string)" = %SysDir%\ENDSVC.EXE

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "(string)" = %SysDir%\ENDSVC.EXE

where "(string)" is a value name that varies between infections.

The following file is also dropped to the victim machine (0 bytes in testing):

  • %SysDir%\HUMGLY.LKUR

Symptoms

  • Existence of the files/Registry keys detailed above
  • Observation of fake error messages, such as those detailed above
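A triage helper for these symptoms, added here as an illustration and not part of the original AVERT description: given a %SysDir% listing and the HKLM/HKCU Run values, it reports the fixed-name dropped files, Run entries that point at one of the example copy names, and any %SysDir% program hooked by both Run keys at once. The sample listing and Registry values are constructed; the value name "xkqz" is hypothetical.

```python
"""Added triage helper for the W32/Sober.b@MM artifacts listed above (not AVERT's code)."""
# Fixed-name files the description says the worm drops into %SysDir%.
FIXED_NAME_FILES = {"SPOOLER.EXE", "MSCOLMON.OCX", "HUMGLY.LKUR"}
# Example names the description gives for the two randomly named copies.
EXAMPLE_COPY_NAMES = {"EKQVDLASVC.EXE", "RZHCRYPT.EXE", "ENDSVC.EXE", "SVCDLL.EXE"}
RUN_HKLM = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"


def triage(sysdir_listing, run_values, sysdir=r"C:\WINNT\SYSTEM32"):
    """Return (indicator, detail) tuples from a %SysDir% listing and Run values.

    run_values maps (run_key, value_name) -> command string, as exported from
    the Registry. Matching is case-insensitive, as Windows filenames are.
    """
    findings = []
    present = {name.upper() for name in sysdir_listing}
    for name in sorted(FIXED_NAME_FILES & present):
        findings.append(("dropped_file", f"{sysdir}\\{name}"))

    hooks = {}  # upper-cased target path -> set of Run keys referencing it
    for (key, value_name), command in run_values.items():
        if key not in (RUN_HKLM, RUN_HKCU):
            continue
        target = command.strip().strip('"')
        if not target.upper().startswith(sysdir.upper() + "\\"):
            continue  # only programs started from %SysDir% are of interest here
        basename = target.rsplit("\\", 1)[-1].upper()
        if basename in EXAMPLE_COPY_NAMES:
            findings.append(("run_key_known_name", f"{key}\\{value_name} -> {target}"))
        hooks.setdefault(target.upper(), set()).add(key)

    # The description says both the HKLM and the HKCU Run key hook the same copy.
    for target, keys in sorted(hooks.items()):
        if keys == {RUN_HKLM, RUN_HKCU}:
            findings.append(("dual_run_hook", target))
    return findings


# Constructed sample input standing in for a real System32 listing and Registry
# export; spoolsv.exe is the legitimate print spooler, the worm's SPOOLER.EXE is not.
SAMPLE_LISTING = ["kernel32.dll", "spoolsv.exe", "SPOOLER.EXE", "MSCOLMON.OCX",
                  "HUMGLY.LKUR", "ENDSVC.EXE", "RZHCRYPT.EXE"]
SAMPLE_RUN_VALUES = {
    (RUN_HKLM, "xkqz"): r"C:\WINNT\SYSTEM32\ENDSVC.EXE",  # value name is hypothetical
    (RUN_HKCU, "xkqz"): r"C:\WINNT\SYSTEM32\ENDSVC.EXE",
    (RUN_HKLM, "Synchronization Manager"): "mobsync.exe /logon",
}

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LISTING, SAMPLE_RUN_VALUES):
        print(f"{indicator:20} {detail}")
```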

Method of Infection

This worm is intended to propagate by emailing itself to email addresses extracted from the victim machine.

It constructs outgoing messages (with varying subject lines, attachment names and message bodies) using its own SMTP engine.

As with its predecessor, this variant employs two processes on the victim machine in an attempt to avoid its termination. When one process is killed, the other immediately restarts it.

Removal

All Users:
AVERT considers this to be a low risk threat.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
