Email-Worm:W32/Sober.D

Classification

Category :

Malware

Type :

Email-Worm

Aliases :

W32/Sober.D@mm

Summary

A worm that spreads via email, usually as an infected executable attachment.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Email-Worm:W32/Sober.D was found in Germany in the early morning of March 8th, 2004. Like previous Sober variants, it sends emails in both German and English. Sober.D pretends to be a Microsoft update that removes the MyDoom worm. The worm spreads as an EXE attachment or inside a ZIP archive. It is written in Visual Basic, and its file is packed with a modified version of the UPX file compressor. It has its own SMTP engine, which it uses to send out the infected email messages.

Installation

If the worm's file is started on an already infected computer, a message box is shown.

Please note that the file name in the message box's caption may vary depending on the worm's executable attachment name.

The worm copies itself once to the Windows System folder, with a semi-randomly generated name, and creates a startup entry for this file in the System Registry. The worm uses the following fixed text strings to generate the name of its file:

  • sys
  • host
  • dir
  • explorer
  • win
  • run
  • log
  • 32
  • disc
  • crypt
  • data
  • diag
  • spool
  • service
  • smss32

The worm creates a file named MSLOGS32.DLL, in which it stores all email addresses harvested from the infected computer. The worm also creates 3 empty files in the same folder:

  • HUMGLY.LKUR
  • ZMNDPGWF.KXX
  • YFJH.YQWM

Additionally the worm creates 2 MIME-encoded copies of its executable file and a ZIP archive in the Windows System folder, with the following names:

  • WINTMPX33.DAT
  • TEMP32X.DATA

The worm creates startup entries for its semi-randomly named file under the following Registry keys:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

The value name that the worm creates under these keys is semi-randomly generated too. Its data is the path to the worm's file in the Windows System folder.
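The installation artifacts above (the fragment-built executable name in the System folder, the dropped files and the Run/RunOnce entries) can be checked on a suspect host. The Python triage helper below is an added example written for this page, not F-Secure's code or detection logic. It assumes that the worm's file name is a plain concatenation of the fragments listed above (the description only says they are used to generate the name), that the Run/RunOnce data is the bare path to the file, and that a short allowlist of legitimate stems (here only `explorer`) must be excluded; the registry reader uses the standard winreg module and returns nothing on non-Windows systems. The sample entries in the test are constructed.

```python
"""Host triage helper for the Sober.D artifacts (added example, not F-Secure code)."""
import ntpath
import os

# Fragments the worm combines into its file name (from the description).
NAME_FRAGMENTS = ["sys", "host", "dir", "explorer", "win", "run", "log", "32",
                  "disc", "crypt", "data", "diag", "spool", "service", "smss32"]

# Files the worm drops into the Windows System folder (from the description).
DROPPED_FILES = ["MSLOGS32.DLL", "HUMGLY.LKUR", "ZMNDPGWF.KXX", "YFJH.YQWM",
                 "WINTMPX33.DAT", "TEMP32X.DATA"]

# Assumed allowlist: legitimate stems that are also fragment concatenations.
KNOWN_GOOD_STEMS = {"explorer"}


def is_fragment_concatenation(stem):
    """True if stem (case-insensitive) splits entirely into NAME_FRAGMENTS.

    Assumption: the worm concatenates fragments, so every prefix boundary
    must be reachable by some fragment (simple dynamic programming)."""
    s = stem.lower()
    if not s:
        return False
    reachable = [False] * (len(s) + 1)
    reachable[0] = True
    for i in range(1, len(s) + 1):
        for frag in NAME_FRAGMENTS:
            j = i - len(frag)
            if j >= 0 and reachable[j] and s[j:i] == frag:
                reachable[i] = True
                break
    return reachable[len(s)]


def suspicious_run_entries(entries, system_dir):
    """Flag Run/RunOnce entries whose data is an .exe in system_dir with a
    fragment-built stem.  entries: iterable of (value_name, data) pairs."""
    sysdir = ntpath.normcase(ntpath.normpath(system_dir))
    hits = []
    for name, data in entries:
        path = ntpath.normpath(str(data).strip().strip('"'))
        folder, fname = ntpath.split(path)
        stem, ext = ntpath.splitext(fname)
        if (ntpath.normcase(folder) == sysdir and ext.lower() == ".exe"
                and stem.lower() not in KNOWN_GOOD_STEMS
                and is_fragment_concatenation(stem)):
            hits.append((name, path))
    return hits


def looks_like_harvest_file(data):
    """MSLOGS32.DLL is an ASCII address list, not a PE file: a real DLL
    starts with 'MZ', the worm's file is plain text containing '@'."""
    if data[:2] == b"MZ":
        return False
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return "@" in text


def scan_host(system_dir, run_entries):
    """Summarise findings for one host; run_entries is supplied by the caller."""
    present = [f for f in DROPPED_FILES
               if os.path.isfile(os.path.join(system_dir, f))]
    return {"dropped_files": present,
            "run_entries": suspicious_run_entries(run_entries, system_dir)}


def read_run_entries():
    """Read both keys on a live Windows host with winreg; empty elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    keys = [(winreg.HKEY_CURRENT_USER,
             r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
            (winreg.HKEY_LOCAL_MACHINE,
             r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce")]
    out = []
    for hive, sub in keys:
        try:
            with winreg.OpenKey(hive, sub) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    out.append((name, data))
                    i += 1
        except OSError:
            pass
    return out


if __name__ == "__main__":
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
    print(scan_host(sysdir, read_run_entries()))
```

A name match on its own is weak evidence, since the fragments are ordinary words; treat it as a lead and confirm with the dropped files, the content check on MSLOGS32.DLL and the scanner's own detection.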

Propagation (email)

The worm searches files with the following extensions for email addresses:

  • ini
  • log
  • mdb
  • tbb
  • abd
  • adb
  • pl
  • rtf
  • doc
  • xls
  • txt
  • wab
  • eml
  • php
  • asp
  • shtml
  • dbx

The worm saves all found email addresses to the MSLOGS32.DLL file in the Windows System folder. Despite its extension, this is an ASCII text file, not a binary (PE) file.

The worm sends email messages with German and English texts. When the recipient's address has the top-level domain DE, CH, AT, LI, NL or BE, or when it contains the substring '@GMX', the worm uses the German text strings; otherwise it composes the message in English.

Here is what the English email sent by the worm looks like:

Subject:
Microsoft Alert: Please Read!
Body:
New MyDoom Virus Variant Detected!
A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet. Anti-virus vendor Central Command claims that 1 in 45 emails contains the MyDoom virus. The worm also has a backdoor Trojan capability. By default, the Trojan component listens on port 13468.
Protection: Please download this digitally signed attachment. This Update includes the functionality of previously released patches.
+++ c2004 Microsoft Corporation. All rights reserved. +++ One Microsoft Way, Redmond, Washington 98052 +++ Restricted Rights at 48 CFR 52.227-19

Here is what the German email sent by the worm looks like (the worm's text is reproduced as sent, without umlauts):

Subject:
Microsoft Alarm: Bitte Lesen!
Body:
Neue Virus-Variante W32.Mydoom verbreitet sich schnell. Eine neue Mydoom-Variante verbreitet sich derzeit rasend schnell im Internet. Wie seine Vorganger verschickt sich der Wurm von infizierten Windows-Rechnern per email an weitere Adressen. Zudem installiert er auf infizierten Systemen einen gefahrlichen Trojaner! Fuhrende Virenspezialisten melden bereis ein vermehrtes Aufkommen des W32.Mydoom alias W32.Novarg. Bitte daten Sie Ihr System mit dem Patch ab, um sich vor diesem Schadling zu schutzen!
+++ c2004 Microsoft Corporation. Alle Rechte vorbehalten. +++ Microsoft Deutschland GmbH, Konrad-Zuse-Strasse 1 +++ 85716 Unterschleissheim, HRB 70438, DE 129 415 943

English translation of the German message:

Subject:
Microsoft Alert: Please Read!
Body:
New virus variant W32.Mydoom is spreading fast. A new Mydoom variant is currently spreading extremely fast on the Internet. Like its predecessors, the worm sends itself from infected Windows machines by email to further addresses. It also installs a dangerous Trojan on infected systems! Leading virus specialists are already reporting an increased incidence of W32.Mydoom alias W32.Novarg. Please update your system with the patch to protect yourself against this pest!
+++ c2004 Microsoft Corporation. All rights reserved. +++ Microsoft Deutschland GmbH, Konrad-Zuse-Strasse 1 +++ 85716 Unterschleissheim, HRB 70438, DE 129 415 943

The sender's address is spoofed. The sender's display name is one of the following:

  • Info
  • Center
  • UpDate
  • News
  • Help
  • Studio
  • Alert
  • Patch
  • Security

The sender's domain is always 'microsoft' followed by '.DE' or '.AT' for German messages and by '.COM' for English messages.

The worm sends itself as an attachment with an EXE extension or inside a ZIP archive. The attachment name varies and can contain one of the following:

  • Patch
  • MS-Security
  • MS-UD
  • UpDate
  • sys-patch

Additionally the attachment name can contain random numbers.
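A mail gateway or a log-mining script can match the lure on the indicators given above: the two fixed subjects, the sender display names, the spoofed microsoft.com, microsoft.de and microsoft.at sender domains, and an attachment whose name contains one of the tokens and ends in .exe or .zip. The Python detector below is an added example, not F-Secure's code; the verdict rule (attachment indicator required plus at least two further indicators) and the two constructed sample messages are mine, and the subjects are assumed to arrive as plain ASCII, as shown in the description.

```python
"""Sober.D lure detector over raw RFC 822 messages (added example, not F-Secure code)."""
import email
from email import policy
from email.utils import parseaddr

# Indicators taken from the description (all compared case-insensitively).
SENDER_NAMES = {"info", "center", "update", "news", "help", "studio",
                "alert", "patch", "security"}
SENDER_DOMAINS = {"microsoft.com", "microsoft.de", "microsoft.at"}
SUBJECTS = {"microsoft alert: please read!", "microsoft alarm: bitte lesen!"}
ATTACHMENT_TOKENS = ["patch", "ms-security", "ms-ud", "update", "sys-patch"]
ATTACHMENT_EXTS = (".exe", ".zip")


def lure_indicators(raw_bytes):
    """Return the Sober.D indicators matched by one message, in a fixed order."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    name, addr = parseaddr(str(msg.get("From", "")))
    if name.strip().lower() in SENDER_NAMES:
        hits.append("sender-name")
    if addr.rpartition("@")[2].lower() in SENDER_DOMAINS:
        hits.append("sender-domain")
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(ATTACHMENT_EXTS) and any(t in fname for t in ATTACHMENT_TOKENS):
            hits.append("attachment:" + fname)
    return hits


def is_sober_lure(raw_bytes, min_hits=3):
    """Verdict: the spoofed sender alone also matches legitimate Microsoft
    mail, so require the attachment indicator plus two more (assumed rule)."""
    hits = lure_indicators(raw_bytes)
    return any(h.startswith("attachment:") for h in hits) and len(hits) >= min_hits


# Constructed sample of the English lure (not a real captured message).
SAMPLE_LURE = b"""From: "Alert" <Alert@microsoft.com>
To: victim@example.com
Subject: Microsoft Alert: Please Read!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

New MyDoom Virus Variant Detected!
--b1
Content-Type: application/octet-stream; name="MS-Security1432.exe"
Content-Disposition: attachment; filename="MS-Security1432.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = b"""From: "Dana" <dana@example.net>
To: victim@example.com
Subject: lunch?
Content-Type: text/plain

noon?
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, lure_indicators(raw), is_sober_lure(raw))
```

The attachment check only looks at the file name; a ZIP attachment should additionally be opened and its member names checked against the same tokens and the .exe extension.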

The worm avoids sending messages to email addresses containing one of the following:

  • abuse
  • winrar
  • domain.
  • host.
  • viren
  • bitdefender
  • spybot
  • hotmail
  • detection
  • ewido.
  • emsisoft
  • linux
  • google
  • @foo.
  • winzip
  • @arin
  • mozilla
  • @iana
  • @avp
  • @msn.
  • microsoft.
  • @sophos
  • @panda
  • symant
  • ntp-
  • ntp@
  • @ntp.
  • @kaspers
  • free-av
  • antivir
  • virus
  • verizon.
  • @ikarus.
  • @nai
  • @messagelab
  • clock
  • info@
  • t-online
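During incident response, the MSLOGS32.DLL file from an infected host tells you whom the worm could have mailed. The Python example below is added for this page, not F-Secure's code; it applies the selection rules from the description (German text for DE, CH, AT, LI, NL and BE top-level domains or '@GMX' addresses, and the skip list above) to a harvested-address list to estimate the host's outbound exposure and which lure each recipient would have received. It assumes one address per line in the file and case-insensitive matching; the sample list is constructed.

```python
"""Reconstruct Sober.D recipient selection from a harvested-address list (added example, not F-Secure code)."""

# Recipients whose top-level domain is one of these, or whose address
# contains '@gmx', receive the German lure (from the description).
GERMAN_TLDS = {"de", "ch", "at", "li", "nl", "be"}

# Addresses containing any of these substrings are never mailed (from the description).
SKIP_SUBSTRINGS = [
    "abuse", "winrar", "domain.", "host.", "viren", "bitdefender", "spybot",
    "hotmail", "detection", "ewido.", "emsisoft", "linux", "google", "@foo.",
    "winzip", "@arin", "mozilla", "@iana", "@avp", "@msn.", "microsoft.",
    "@sophos", "@panda", "symant", "ntp-", "ntp@", "@ntp.", "@kaspers",
    "free-av", "antivir", "virus", "verizon.", "@ikarus.", "@nai",
    "@messagelab", "clock", "info@", "t-online",
]


def lure_language(addr):
    """'de' for addresses that get the German text, otherwise 'en'."""
    a = addr.lower()
    tld = a.rpartition(".")[2]
    if tld in GERMAN_TLDS or "@gmx" in a:
        return "de"
    return "en"


def is_skipped(addr):
    """True if the worm would refuse to mail this address (assumed case-insensitive)."""
    a = addr.lower()
    return any(s in a for s in SKIP_SUBSTRINGS)


def plan_recipients(harvest_text):
    """Split an MSLOGS32.DLL-style text (assumed one address per line) into
    the addresses the worm would mail, mapped to lure language, and the
    addresses it would skip."""
    targets = {}
    skipped = []
    for line in harvest_text.splitlines():
        addr = line.strip()
        if not addr or "@" not in addr:
            continue  # not an address; the file is plain ASCII, so junk lines are possible
        if is_skipped(addr):
            skipped.append(addr)
        else:
            targets[addr] = lure_language(addr)
    return targets, skipped


# Constructed sample of a harvested-address file.
SAMPLE_HARVEST = """Alice@Example.DE
bob@gmx.net
carol@example.com
abuse@example.org
support@symantec.com
not-an-address
"""

if __name__ == "__main__":
    targets, skipped = plan_recipients(SAMPLE_HARVEST)
    print("would mail:", targets)
    print("would skip:", skipped)
```

The skipped addresses show the other side of the filter: abuse@ mailboxes and anti-virus vendors never receive a sample directly, which is why such worms are first seen from ordinary users' mail.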