Email-Worm:W32/Sober.F
Summary
A worm that spreads via email, usually in infected executable email file attachments.
Removal
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
-
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
-
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
-
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
Email-Worm:W32/Sober.F is written in Visual Basic. The worm's file is a PE executable of length 42496 bytes, packed with a modified version of UPX file compressor. The worm has its own SMTP engine that it uses to send out infected email messages.
Installation
When the worm's file is run, it opens Notepad with a text file as a disguise:
Then the worm installs itself to system. It copies itself to Windows System folder once, with a semi-randomly generated name and creates 2 startup keys for this file in System Registry. The worm uses the following fixed text strings to generate the name of its file and the name of the startup key:
- sys
- host
- dir
- expolrer
- win
- run
- log
- 32
- disc
- crypt
- data
- diag
- spool
- service
- smss32
The worm also creates 3 empty files in the same folder:
- zhcarxxi.vvx
- zmndpgwf.kxx
- bcegfds.lll
These files disable previous Sober variants if they are installed on an affected computer.
The worm creates a startup Registry key to its semi-randomly named file in System Registry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
The subkey name that is created by the worm is semi-randomly generated too. The value of a subkey is the path the worm's file in Windows System folder.
Activity
Sober.F worm constantly checks a hard drive for the presence of the file named CVQAIKXT.APK. If this file is found, the worm unloads itself from memory. Also if this file is present on a hard disk during the worm's installation process, the worm does not copy itself to a hard drive.
Sober.F denies access to its data and executable files if it is active in Windows memory.
email (Propagation)
The worm scans files with certain extensions on all hard disks to harvest email addresses. Files with the following extensions are scanned:
- ctl
- dhtm
- cgi
- pp
- ppt
- msg
- jsp
- oft
- vbs
- uin
- ldb
- abc
- pst
- cfg
- mdw
- mbx
- mdx
- mda
- adp
- nab
- fdb
- vap
- dsp
- ade
- sln
- dsw
- mde
- frm
- bas
- adr
- cls
- ini
- ldif
- log
- mdb
- xml
- wsh
- tbb
- abx
- abd
- adb
- pl
- rtf
- mmf
- doc
- ods
- nch
- xls
- nsf
- txt
- wab
- eml
- hlp
- mht
- nfo
- php
- asp
- shtml
- dbx
The worm can send messages chosen from variety of templates in English and German. Some of the messages will attempt tp appear to the eyes of the users as harmless error messages. Possible text appearing in those messages is:
- Hi, it's me
- hey you
- damn!
- Well, surprise?!
- Faulty mail delivery
- Mail delivery failed
- Mail Error
- Illegal signs in Mail-Routing
- Connection failed
- Invalid mail sentence length
- Mail Delivery failure
- Message Error
- mail delivery status
- Confirmation Required
- Bad Gateway
- Warning!
- Your document
- I was surprised, too! :-(
- Who could suspect something like that?
- shock
- All OK :)
- Police
- see, what i've found!
- Textdocument
- hi its me
- i've found a shity virus on my pc. check your pc, too!
- follow the steps in this article.
- anitv_text
- instructions
- your_article
- Registration confirmation
- I 've told you!:-) sometime I grab your passwords!
- your_passwords
- I hope you accept the result!
- Follow the instructions to read the message.
- Please read the document
- messagedoc
- webmaster
- admin
- information
- Confirmation
- Your Password
- Your mail account
- Your password was changed successfully.
- Protected message is attached.
7.28.114.32_failed_after_I_sent_the_message./Remote_host_said: _554_delivery_error:_dd_Sorry_your_message_cannot_be_delivered ._This_account_has_been_disabled_or_discontinued_[#102]._-_ mta134.mail. dcn.com ** End of Transmission The original message is a separate attachment. --- Mail To: UserHelp Error_Info _attach Read the attachment for details. Bad Gateway: The message has been attached. +++ A service of +++ Mail: home -attachment The message has been attached. attach-message Database #Error -- Partial message is available! -- Error: llegal signs in Mail-Routing -- Mail Server: ESMTP VX32.9 Version Betha Alpha
It also composes messages in such a way that they look as if scanned by some Anti-Virus and found clean. Messages will resemble:
++++ Im www erreichbar unter: http://www.[url chosen by the worm] ++++ email: [email chosen by the worm] *** Anti- Virus: Es wurde kein Virus erkannt *** [name chosen by the worm] Virenschutz *** http://www.[url chosen by the worm]
The text can be preceded by some other german sentence, and some of the strings may also differ from message to message.