Sober.C is an email worm that sends itself as an attachment to email messages with different subject and body texts. Messages are composed from either German or English text strings depending on a recipient's domain suffix.
The worm can disguise itself as a message from a police, that allegedly found illegal movies, music and software on a user's computer. The worm's message tells that police filed a lawsuit against a user and a user is offered to read the rest of information in the attachment which has a .TXT.EXE extension. But the attachment contains only a sample of the worm. The worm can also send other kind of messages. Additionally, the worm has the functionality to spread in P2P (peer-to-peer) networks.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The worm is written in Visual Basic. The worm's file is packed with a modified version of UPX file compressor. It has its own SMTP engine and it is used to send out infected email messages.
When the worm's file is started, it shows a fake error message:
Runtime Errorhas caused an unknown error.
where <file_name> is the name of the worm's file. The messagebox can have a different caption and an additional text:
Microsofthas caused an unknown error. Stop: 00000010x08
The worm copies itself to Windows System folder 3 times, once with SYSHOSTX.EXE name, and 2 more times with semi-randomly generated names, for example DIREXSYS.EXE or DXINBHEXDAT.EXE. The worm uses the following fixed text strings to generate the name of its files:
Runtime Error has caused an unknown error.
The worm also creates a file named SAVESYSS.DLL, where it stores email addresses harvested from an infected computer. The worm also creates 2 files named HUMGLY.LKUR and YFJQ.YQWM in the same folder.
The worm creates several startup Registry keys for one of its semi-randomly named files in System Registry:
Runtime Error has caused an unknown error.
The worm also creates a startup key for its file in HKEY_USERS Registry tree:
[HKEY_USERS\\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
The subkey name that is created by the worm is semi-randomly generated. The value of a subkey is the path to one of the worm's files in Windows System folder.
The worm always has 2 of its tasks in System Memory. If one task is killed, it is immediately restarted by another one. Also the worm refreshes its startup keys in the Registry every few seconds. This makes manual disinfection of the worm more difficult. Is should be also noted that the worm blocks read access to its 2 semi-randomly named files and to SAVESYSS.DLL file as well.
The worm scans files with certain extensions to harvest email addresses. Files with the following extensions are scanned:
Runtime Error has caused an unknown error.
The worm saves all found email addresses to SAVESYSS.DLL file located in Windows System folder. This is an ASCII file, not binary.
The worm sends email messages with German and English texts. When sending a message to an email address, that has domain suffix DE, CH, AT, LI, NL or BE, the worm uses German text strings, otherwise it composes a message in English.
When sending messages in English, the worm can use the following subjects:
Runtime Error has caused an unknown error.
The worm uses the following arrays of text strings for English message bodies:
Runtime Error has caused an unknown error.
In English messages the worm can send itself as an attachment with the following names:
yourmail.txt.yourmail.doc. photos. test. reward. youtoo. set_config. downloader.exe www.freegames4you-gzone.com www.onlinegamerspro-worm.com idiot. painfulness. terror-list. www.boards4all-terror432.com account. credit card. yourregistration.txt. letters. refcode.txt. mangaconection. www.animepage43252.com www.anime4allfree.com
The worm can compose attachment names from the following parts:
Runtime Error has caused an unknown error.
For example an attachment name can be REMOVE-SMSS_TOOL.EXE.
The worm can use the following extensions (referenced above as <ext>) for the only or second extension of its attachment:
Runtime Error has caused an unknown error.
When sending messages in German, the worm can use the following subjects:
Runtime Error has caused an unknown error.
The worm uses the following arrays of text strings for German message bodies:
Runtime Error has caused an unknown error.
In German messages the worm can send itself as an attachment with the following names:
Klassenfoto.www.iq4you-german-test.com Kundendat.BaB. www.freewantiv.com SysDial-patch. aktenz.txt. haha_sehr_witzig. DrohMails. RTL-DSDS-anmelde. www.free4manga.com Zugangsdaten.txt. www.free4share4you.com sharedfree. www.tagespolitik-umfragen.com Abstimmen. test. alledigis. remove-
The worm can use the following extensions (referenced above as <ext>) for the only or second extension of its attachment:
Runtime Error has caused an unknown error.
Here's an example of a German message sent by the worm:
Body:
Runtime Error has caused an unknown error.
Attachment:
AKTENZ.TXT.EXE
The worm in some cases uses semi-randomly generated attachment names. For example the worm's attachment name for the above shown email can be AKTENZ36616.TXT.EXE.
The worm modifies its attachment to fool CRC-based detection: it can add random data to its file's end.
When active, the worm tries to locate shared folders of Kazaa, EMule and EDonkey2000. If such folders are located, the worm overwrites all executable files in those folders with its copy preserving the original file's size and name.