W32/Sober.p@MM

This page shows details and results of our analysis of the malware W32/Sober.p@MM.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

4443 (2005-03-09)

Updated DAT

4633 (2005-11-21)

Minimum Engine

5400.1158

File Length

53,727 bytes (zip)
53,554 bytes (executable)

Description Added

2005-05-02

Description Modified

2005-05-20


Characteristics

-- Update 20th May, 2005--
This threat has been downgraded to Low-Profiled risk due to a decrease in prevalence.

-- Update 2nd May 13:00 PST --
Due to increased prevalence, this threat has had its risk assessment raised to MEDIUM for Home Users.

If you think that you may be infected with Sober.p and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products detect and remove the virus with the latest update (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus forges the From address.

This threat is proactively detected with the 4443 DAT files, or newer, as W32/Sober.gen@MM.

This threat arrives in an email message with one of the following attachment names:

  • account_info.zip
  • autoemail-text.zip
  • LOL.zip
  • Fifa_Info-Text.zip
  • mail_info.zip
  • okTicket-info.zip
  • our_secret.zip
  • _PassWort-Info.zip

Inside the ZIP archive is a file named winzipped-text_data.txt           .pif (the run of spaces is part of the filename; it pushes the real .pif extension out of view in a narrow file-list column so that the entry appears to be a text file, and the PIF is executed when the user double-clicks it).
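
The following is an added example, not code from the original advisory or from McAfee, showing how a mail-gateway or triage script can catch the two tricks just described: the known attachment names, and a ZIP member whose real extension is hidden behind whitespace padding or a decoy document extension. The sample archive is constructed in memory and is not a real Sober sample; the set of executable extensions checked is an assumption that goes beyond the single .pif case on this page.

```python
import io
import re
import zipfile

# Attachment names used by this Sober variant, from the list above (compared case-insensitively).
SOBER_P_ATTACHMENTS = {
    "account_info.zip", "autoemail-text.zip", "lol.zip", "fifa_info-text.zip",
    "mail_info.zip", "okticket-info.zip", "our_secret.zip", "_passwort-info.zip",
}

# Extensions that Windows runs directly on double-click (assumed set; the page only shows .pif).
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}

# The member name from the advisory: the run of spaces is part of the name.
PADDED_NAME = "winzipped-text_data.txt           .pif"


def final_extension(name):
    """Return the last extension (lower-cased), ignoring whitespace padding before the dot."""
    m = re.search(r"(\.[A-Za-z0-9]+)\s*$", name)
    return m.group(1).lower() if m else ""


def inspect_member_name(name):
    """Return the reasons one archive member name looks like a disguised executable."""
    reasons = []
    base = name.rsplit("/", 1)[-1]          # ZIP member paths use forward slashes
    ext = final_extension(base)
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + ext)
    # Two or more spaces between the visible name and the real extension.
    if re.search(r"\S\s{2,}\.[A-Za-z0-9]+$", base):
        reasons.append("whitespace padding before final extension")
    # A decoy document extension earlier in the name (double extension).
    stem = base[:-len(ext)] if ext else base
    if re.search(r"\.(txt|doc|rtf|pdf|jpg|htm|html)\b", stem, re.IGNORECASE):
        reasons.append("decoy document extension")
    return reasons


def inspect_zip(data, attachment_name):
    """Inspect ZIP bytes plus the attachment's own name; returns a findings dict."""
    findings = {
        "known_sober_name": attachment_name.lower() in SOBER_P_ATTACHMENTS,
        "members": {},
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = inspect_member_name(info.filename)
            if reasons:
                findings["members"][info.filename] = reasons
    findings["suspicious"] = findings["known_sober_name"] or bool(findings["members"])
    return findings


def build_sample_zip(member_name, payload=b"MZ not a real sample"):
    """Constructed fixture: an in-memory ZIP holding one member. Not a Sober sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_zip(build_sample_zip(PADDED_NAME), "our_secret.zip"))
    print(inspect_zip(build_sample_zip("notes.txt"), "notes.zip"))
```

The member-name checks are independent of the attachment-name list, so they keep working when the next variant changes its ZIP names: the padding and double-extension tricks are what the user actually sees, and they are what the check keys on.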

Like many Sober variants, this variant picks randomly from several different email messages, in either English or German depending on the version of Windows. One such German message states that the recipient has won tickets to the World Cup:

Subject : WM-Ticket-Auslosung
Body:
Herzlichen Glueckwunsch,

beim Run auf die begehrten Tickets für die 64 Spiele der Weltmeisterschaft 2006 in Deutschland sind Sie dabei.

Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.

Ihr "ok2006" Team
St. Rainer Gellhaus

(English translation: "Congratulations, in the rush for the sought-after tickets to the 64 matches of the 2006 World Cup in Germany, you are in. Please see the attachment for further details of your data. Your "ok2006" team, St. Rainer Gellhaus")


--- FIFA-Pressekontakt:
--- Pressesprecher Jens Grittner und Gerd Graus
--- FIFA Fussball-Weltmeisterschaft 2006
--- Organisationskomitee Deutschland
--- Tel. 069 / 2006 - 2600
--- Jens.Grittner@ok2006.de
--- Gerd.Graus@ok2006.de

An example of a randomly generated English message is as follows:

Subject:  Your Password
Body:
Account and Password Information are attached!

Visit: http://www. {sender's domain}

*** AntiVirus: No Virus found
*** "{recipient's domain} " Anti-Virus
*** http://www. {recipient's domain}

Symptoms

Visual Symptoms
When the ZIP archive is extracted and the contained PIF file is manually executed, the virus may display a fake error message.

Registry Symptoms
The worm copies itself to a newly created directory under the WINDOWS directory and creates registry run values to load itself at system startup. Note the leading underscore in the first value name and the leading space in the second:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run "_WinStart" = C:\WINDOWS\Connection Wizard\Status\services.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run " WinStart" = C:\WINDOWS\Connection Wizard\Status\services.exe

File Symptoms
The following files are created:

  • c:\WINDOWS\Connection Wizard\Status\fastso.ber
  • c:\WINDOWS\system32\adcmmmmq.hjg
  • c:\WINDOWS\system32\langeinf.lin
  • c:\WINDOWS\system32\nonrunso.ber
  • c:\WINDOWS\system32\seppelmx.smx
  • c:\WINDOWS\system32\xcvfpokd.tqa

The following files are MIME encoded versions of the worm in a ZIP file:

  • c:\WINDOWS\Connection Wizard\Status\packed1.sbr
  • c:\WINDOWS\Connection Wizard\Status\packed2.sbr
  • c:\WINDOWS\Connection Wizard\Status\packed3.sbr

The following files contain email related data (such as domain names)

  • c:\WINDOWS\Connection Wizard\Status\sacri1.ggg
  • c:\WINDOWS\Connection Wizard\Status\sacri2.ggg
  • c:\WINDOWS\Connection Wizard\Status\sacri3.ggg
  • c:\WINDOWS\Connection Wizard\Status\voner1.von
  • c:\WINDOWS\Connection Wizard\Status\voner2.von
  • c:\WINDOWS\Connection Wizard\Status\voner3.von

The following files are copies of the worm:

  • c:\WINDOWS\Connection Wizard\Status\csrss.exe
  • c:\WINDOWS\Connection Wizard\Status\services.exe
  • c:\WINDOWS\Connection Wizard\Status\smss.exe

Network Symptoms
The worm attempts to contact the following TIME protocol servers (TCP port 37). These are legitimate public time servers, so the indicator is a host that connects to several of them in quick succession, not the destinations themselves:

  • cuckoo.neveda.edu
  • ntp.lth.se
  • ntp.massayonet.com.br
  • ntp.pads.ufrj.br
  • ntp1.arnes.si
  • ntp-1.ece.cmu.edu
  • ntp-2.ece.cmu.edu
  • rolex.peachnet.edu
  • rolex.usg.edu
  • sundial.columbia.edu
  • tim.kfki.hu
  • time.nist.gov
  • time.windows.com
  • time.xmission.com
  • time-a.timefreq.bldrdoc.gov
  • time-ext.missouri.edu
  • timelord.ureqina.ca
  • time-server.ndo.com
  • utcnist.colorado.edu
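
As an added example (not part of the original advisory or McAfee's tooling), the following script turns the network symptom above into a detection: it parses key=value firewall log lines, flags any source that reaches three or more distinct TCP/37 destinations, and records whether the same host also sent SMTP directly, which on a workstation points to the worm's own mailer rather than the mail server. It also matches DNS query names against the server list above. The log format, the threshold of three servers and the log lines themselves are constructed assumptions (TEST-NET addresses, not the real servers' IPs).

```python
import re
from collections import defaultdict

# TIME-server hostnames from the list above; the worm resolves these and connects on TCP/37.
SOBER_TIME_SERVERS = {
    "cuckoo.neveda.edu", "ntp.lth.se", "ntp.massayonet.com.br", "ntp.pads.ufrj.br",
    "ntp1.arnes.si", "ntp-1.ece.cmu.edu", "ntp-2.ece.cmu.edu", "rolex.peachnet.edu",
    "rolex.usg.edu", "sundial.columbia.edu", "tim.kfki.hu", "time.nist.gov",
    "time.windows.com", "time.xmission.com", "time-a.timefreq.bldrdoc.gov",
    "time-ext.missouri.edu", "timelord.ureqina.ca", "time-server.ndo.com",
    "utcnist.colorado.edu",
}

# Constructed sample firewall log (key=value style, TEST-NET addresses); not real traffic.
SAMPLE_LOG = """\
2005-05-02T13:00:01 action=allow src=10.1.4.22 dst=198.51.100.10 proto=tcp dport=37
2005-05-02T13:00:01 action=allow src=10.1.4.22 dst=198.51.100.11 proto=tcp dport=37
2005-05-02T13:00:02 action=allow src=10.1.4.22 dst=198.51.100.12 proto=tcp dport=37
2005-05-02T13:00:02 action=allow src=10.1.4.22 dst=198.51.100.12 proto=tcp dport=37
2005-05-02T13:00:04 action=allow src=10.1.4.22 dst=203.0.113.25 proto=tcp dport=25
2005-05-02T13:00:05 action=allow src=10.1.7.9 dst=198.51.100.10 proto=tcp dport=37
2005-05-02T13:00:06 action=allow src=10.1.7.9 dst=10.1.0.1 proto=udp dport=123
2005-05-02T13:00:07 action=allow src=10.1.9.1 dst=10.1.0.1 proto=udp dport=53
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for one key=value log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_time_probe_hosts(lines, min_distinct_servers=3):
    """Flag sources that hit at least min_distinct_servers distinct TCP/37 destinations.

    Each flagged source also records whether it sent SMTP (TCP/25) directly; a workstation
    doing that alongside the time probes is the pattern to chase.
    """
    time_dsts = defaultdict(set)
    smtp_srcs = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["dport"] == 37:
            time_dsts[rec["src"]].add(rec["dst"])
        elif rec["dport"] == 25:
            smtp_srcs.add(rec["src"])
    return {
        src: {"time_servers": sorted(dsts), "direct_smtp": src in smtp_srcs}
        for src, dsts in time_dsts.items()
        if len(dsts) >= min_distinct_servers
    }


def is_sober_time_server(qname):
    """Match a DNS query name (case-insensitive, trailing dot tolerated) against the list."""
    return qname.lower().rstrip(".") in SOBER_TIME_SERVERS


if __name__ == "__main__":
    for src, info in find_time_probe_hosts(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

A single TCP/37 connection (host 10.1.7.9 in the sample) is not flagged; a legitimate client may well sync against one of these servers. Blocking the hostnames outright would break that legitimate use, which is why the rule counts distinct servers per source instead.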

Method of Infection

This worm spreads via email.  It sends itself to email addresses that are harvested from files containing the following extensions:

  • pmr
  • phtm
  • stm
  • slk
  • inbox
  • imb
  • csv
  • bak
  • imh
  • xhtml
  • imm
  • cms
  • nws
  • vcf
  • ctl
  • dhtm
  • cgi
  • pp
  • ppt
  • msg
  • jsp
  • oft
  • vbs
  • uin
  • ldb
  • abc
  • pst
  • cfg
  • mdw
  • mbx
  • mdx
  • mda
  • adp
  • nab
  • fdb
  • vap
  • dsp
  • ade
  • sln
  • dsw
  • mde
  • frm
  • bas
  • adr
  • cls
  • ini
  • ldif
  • log
  • mdb
  • xml
  • wsh
  • tbb
  • abx
  • abd
  • adb
  • pl
  • rtf
  • mmf
  • doc
  • ods
  • nch
  • xls
  • nsf
  • txt
  • wab
  • eml
  • hlp
  • mht
  • nfo
  • php
  • asp
  • shtml
  • dbx

Addresses containing any of the following strings are skipped (this is why abuse mailboxes, anti-virus vendors and placeholder addresses rarely receive the worm directly):

  • @www
  • @from.
  • smtp-
  • @smtp.
  • ftp.
  • .dial.
  • .ppp.
  • anyone
  • @gmetref
  • sql.
  • someone
  • nothing
  • you@
  • user@
  • reciver@
  • somebody
  • secure
  • whatever@
  • whoever@
  • anywhere
  • yourname
  • mustermann@
  • mailer-daemon
  • variabel
  • noreply
  • -dav
  • law2
  • .qmail@
  • freeav
  • @ca.
  • abuse
  • winrar
  • domain.
  • host.
  • viren
  • bitdefender
  • spybot
  • detection
  • ewido.
  • emsisoft
  • linux
  • @foo.
  • winzip
  • @example.
  • bellcore.
  • @arin
  • @iana
  • @avp
  • icrosoft.
  • @sophos
  • @panda
  • @kaspers
  • free-av
  • antivir
  • virus
  • verizon.
  • @ikarus.
  • @nai.
  • @messagelab
  • nlpmail01.
  • clock

Removal

All Users
Use the latest engine and DAT files for detection and removal. On-Demand Scans should always include scanning memory, which may be required to detect and remove this threat.

4.3.20 scan engine users:

Once a machine is successfully infected, the running worm may deny read access to its own file, and the AV scanner will then be unable to detect the file. Because of this, if a machine is suspected to be infected, users are recommended to follow the procedure below:
  1. Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
  2. Run a system scan using the specified engine/DATs.
  3. Delete files flagged as infected.
  4. Restart the machine in default mode.

Stinger
Stinger has been updated to detect and remove this threat. Sober.p checks for the filename "Stinger.exe", so the executable must be named something other than Stinger.exe. The download link has been changed to s-t-i-n-g-e-r.exe for this reason.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
  2. The filename used by the worm is SERVICES.EXE.
  3. Delete this file from the worm's drop directory under the Windows directory (typically C:\WINDOWS\Connection Wizard\Status or C:\WINNT\Connection Wizard\Status). Do not confuse it with the legitimate services.exe, csrss.exe and smss.exe in the Windows System directory, which must be left in place.
  4. Delete the following files from the same directory:
      1. fastso.ber
      2. packed1.sbr
      3. packed2.sbr
      4. packed3.sbr
      5. sacri1.ggg
      6. sacri2.ggg
      7. sacri3.ggg
      8. voner1.von
      9. voner2.von
      10. voner3.von
      11. csrss.exe
      12. services.exe
      13. smss.exe
  5. Delete the following files from the %Sysdir% folder (the list matches the File Symptoms section above):
      1. adcmmmmq.hjg
      2. langeinf.lin
      3. nonrunso.ber
      4. seppelmx.smx
      5. xcvfpokd.tqa
  6. Edit the registry and delete the worm's startup values. The value names begin with an underscore and a space respectively; the Registry Symptoms section above lists the HKEY_LOCAL_MACHINE value under Run, so check both Run and RunOnce there.
    • Delete the following value:
      • HKEY_CURRENT_USER\Software\Microsoft\
        Windows\CurrentVersion\Run "_WinStart"
    • Delete the following value:
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
        CurrentVersion\RunOnce " WinStart"
  7. Reboot the system into Default Mode
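
The following is an added example, not a McAfee tool and not code from the advisory: a read-only sweep that checks for the drop files and registry values listed in the manual removal steps so that a responder can confirm an infection (or confirm a clean-up) across machines before deleting anything. File presence is tested with stat() only, so the read-access denial described above does not hide the file. The registry check uses the standard winreg module and runs only on Windows; the temporary fake Windows directory used for the demonstration is a constructed fixture.

```python
import os
import sys
import tempfile
from pathlib import Path

# Paths from the symptoms and removal sections above, relative to the Windows directory.
DROP_SUBDIR = Path("Connection Wizard") / "Status"
DROP_FILES = [
    "fastso.ber", "packed1.sbr", "packed2.sbr", "packed3.sbr",
    "sacri1.ggg", "sacri2.ggg", "sacri3.ggg",
    "voner1.von", "voner2.von", "voner3.von",
    "csrss.exe", "services.exe", "smss.exe",
]
SYSDIR_FILES = ["adcmmmmq.hjg", "langeinf.lin", "nonrunso.ber", "seppelmx.smx", "xcvfpokd.tqa"]

# Run-key value names: note the leading underscore in one and the leading space in the other.
RUN_VALUE_NAMES = ["_WinStart", " WinStart"]


def sweep_files(windir, sysdir=None):
    """Return the IOC file paths that exist under windir (and sysdir, default windir/system32).

    Only stat() is used, so a file the worm holds open with read access denied is still reported.
    """
    windir = Path(windir)
    sysdir = Path(sysdir) if sysdir else windir / "system32"
    found = []
    for name in DROP_FILES:
        p = windir / DROP_SUBDIR / name
        if p.is_file():
            found.append(str(p))
    for name in SYSDIR_FILES:
        p = sysdir / name
        if p.is_file():
            found.append(str(p))
    return found


def sweep_registry():
    """Windows only: report the worm's value names under Run and RunOnce in HKCU and HKLM.

    Returns a list of (key path, value name, data); an empty list on other platforms.
    """
    if sys.platform != "win32":
        return []
    import winreg
    hits = []
    hives = (("HKEY_CURRENT_USER", winreg.HKEY_CURRENT_USER),
             ("HKEY_LOCAL_MACHINE", winreg.HKEY_LOCAL_MACHINE))
    for hive_name, hive in hives:
        for sub in ("Run", "RunOnce"):
            path = r"Software\Microsoft\Windows\CurrentVersion" + "\\" + sub
            try:
                key = winreg.OpenKey(hive, path)
            except OSError:
                continue
            with key:
                for value_name in RUN_VALUE_NAMES:
                    try:
                        data, _ = winreg.QueryValueEx(key, value_name)
                    except OSError:
                        continue
                    hits.append((hive_name + "\\" + path, value_name, data))
    return hits


def make_sample_tree(present=("services.exe", "langeinf.lin")):
    """Constructed fixture: a temporary fake Windows directory holding some of the IOC files."""
    root = Path(tempfile.mkdtemp(prefix="fakewin_"))
    (root / DROP_SUBDIR).mkdir(parents=True)
    (root / "system32").mkdir()
    for name in present:
        where = root / DROP_SUBDIR if name in DROP_FILES else root / "system32"
        (where / name).write_bytes(b"")
    return root


if __name__ == "__main__":
    demo_root = make_sample_tree()
    print("files (fixture):", sweep_files(demo_root))
    print("registry:", sweep_registry() or "(not on Windows or nothing found)")
    live_windir = os.environ.get("SystemRoot")
    if live_windir:
        print("files (live):", sweep_files(live_windir))
```

Run it from Safe Mode with %SystemRoot% as the argument on a suspect machine; an empty result for both sweeps after the manual steps is the confirmation that the clean-up took. The sweep deliberately never deletes anything and never touches the real csrss.exe, services.exe and smss.exe in the System directory, which share their names with the worm's copies.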

Intrushield
An IntruShield User-Defined Signature (UDS) has been created to detect this threat and is available for download at:

https://mysupport.nai.com/
Knowledgebase Article KB38001

Please note: the above knowledgebase article is password protected and requires you to log in to the Service Portal before accessing it.

Variants