
Win32.Sober.N (CA.com)

Description Published: 2 May 2005
Description Modified: 2 May 2005


Threat Assessment

Overall Risk: Medium
Wild: Medium
Destructiveness: Low
Pervasiveness: High

Characteristics

Type: Worm
Category: Win32
Also known as Win32/Sober.53554!Worm, Win32.Sober.N!ZIP, Email-Worm.Win32.Sober.p (Kaspersky), W32/Sober.p@MM (McAfee)

Description

Win32.Sober.N is a worm that propagates via e-mail as an attachment. The e-mail messages can be in either English or German. It has been distributed as a 53,554-byte, UPX-packed Win32 executable and as a 53,728-byte ZIP archive.


Method of Infection
When executed, the worm displays a message box and copies itself into the %Windows%\Connection Wizard\Status directory under the following file names:

csrss.exe
smss.exe
services.exe

The worm then executes services.exe, which in turn runs smss.exe and csrss.exe.

The worm sets the following registry values to ensure that it runs at every system boot:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\_WinStart = "%Windows%\Connection Wizard\Status\services.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ WinStart = "%Windows%\Connection Wizard\Status\services.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ WinStart = "%Windows%\Connection Wizard\Status\services.exe %1"


Note: '%Windows%' is a variable location. The malware determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.
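The persistence described above gives a defender two host-side indicators: autorun values whose data launches the worm from the Connection Wizard\Status directory, and copies of csrss.exe, smss.exe and services.exe outside system32. The following script is an added example, not code from CA or from this page; it runs against a constructed excerpt of a `reg export` of the autorun keys and a constructed file listing (both labelled as constructed below), and on a live host the same two checks would read the real registry and disk. The drop directory, file names and key paths are the ones the advisory lists; nothing else about the sample is taken from the page.

```python
"""Host-side triage for the Win32.Sober.N persistence indicators listed above.

Added example, not code from CA or from this page. It runs against a constructed
excerpt of a 'reg export' of the autorun keys and a constructed file listing, so it
works offline; on a live host the same checks would read the real registry and disk.
"""
import re
from pathlib import PureWindowsPath

# Indicators taken from the advisory: dropped file names, drop directory, autorun keys.
DROPPED_NAMES = {"csrss.exe", "smss.exe", "services.exe"}
DROP_SUBDIR = ("connection wizard", "status")  # the two components under %Windows%
RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}

# Constructed sample in the shape of a registry export from an infected host.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\WINDOWS\\system32\\soundtray.exe"
" WinStart"="C:\\WINDOWS\\Connection Wizard\\Status\\services.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
" WinStart"="C:\\WINDOWS\\Connection Wizard\\Status\\services.exe %1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"_WinStart"="C:\\WINDOWS\\Connection Wizard\\Status\\services.exe"
"""

# Constructed sample directory listing: (path, size in bytes).
SAMPLE_LISTING = [
    (r"C:\WINDOWS\system32\services.exe", 108544),
    (r"C:\WINDOWS\Connection Wizard\Status\services.exe", 53554),
    (r"C:\WINDOWS\Connection Wizard\Status\smss.exe", 53554),
    (r"C:\WINDOWS\Connection Wizard\Status\csrss.exe", 53554),
]

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in a reg export excerpt."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                # reg export doubles backslashes inside REG_SZ data; undo that.
                yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def is_sober_drop_path(command):
    """True if a path or autorun command points at one of the worm's file names
    inside the Connection Wizard\\Status directory.  The location is the
    indicator, not the name: the genuine csrss.exe, smss.exe and services.exe
    live in system32."""
    m = re.match(r'"?(.*?\.exe)', command, re.IGNORECASE)
    if not m:
        return False
    p = PureWindowsPath(m.group(1))
    parents = tuple(part.lower() for part in p.parts[-3:-1])
    return p.name.lower() in DROPPED_NAMES and parents == DROP_SUBDIR


def find_sober_autoruns(reg_text):
    """Autorun values whose data launches the worm from its drop directory."""
    run_keys = {k.upper() for k in RUN_KEYS}
    return [(key, name, data) for key, name, data in parse_reg_export(reg_text)
            if key.upper() in run_keys and is_sober_drop_path(data)]


def find_dropped_files(listing):
    """Paths from a (path, size) listing that sit in the worm's drop directory."""
    return [path for path, _size in listing if is_sober_drop_path(path)]


if __name__ == "__main__":
    for key, name, data in find_sober_autoruns(SAMPLE_REG_EXPORT):
        print(f"autorun: {key}\\{name!r} -> {data}")
    for path in find_dropped_files(SAMPLE_LISTING):
        print(f"dropped: {path}")
```

The check deliberately keys on the directory rather than on the file names, since csrss.exe, smss.exe and services.exe are legitimate system binaries; the RunOnce value with a trailing `%1` argument is handled by matching only the `.exe` path portion of the command.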

Method of Distribution
Via E-mail
The worm uses its own SMTP engine. It emails itself out as an executable or a zip archive attachment.

Possible attachment names are:

account_info-text.zip
account_info.zip
_PassWort-Info.zip
autoemail-text.zip
mail_info.zip
okTicket-info.zip
Fifa_Info-Text.zip
our_secret.zip
LOL.zip
Winzipped-Text_Data.txt .pif

The worm collects e-mail addresses by parsing files on the infected system that have the following extensions:

pmr
phtm
stm
slk
inbox
imb
csv
bak
imh
xhtml
imm
cms
nws
vcf
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx

The worm will not mail itself to addresses that contain any of the following strings:

ntp-
ntp@
ntp.
info@
test@
@www
@from.
support
smtp-
@smtp.
gold-certs
ftp.
.dial.
.ppp.
anyone
subscribe
announce
@gmetref
sql.
som
eone
nothing
you@
user@
reciver@
somebody
secure
whatever@
whoever@
anywhere
yourname
mustermann@
.kundenserver.
mailer-daemon
variabel
noreply
-dav
law2
.sul.t-
.qmail@
t-ipconnect
t-dialin
ipt.aol
time
freeav
@ca.
abuse
winrar
domain.
host.
viren
bitdefender
spybot
detection
ewido.
emsisoft
linux
google
@foo.
winzip
@example.
bellcore.
@arin
mozilla
iana@
iana-
@iana
@avp
icrosoft.
@sophos
@panda
@kaspers
free-av
antivir
virus
verizon.
@ikarus.
@nai.
@messagelab
nlpmail01.
clock

The subject and body of the email generated by the worm can be in English or German.

Possible email subjects are:


Your Password
Registration Confirmation
Your email was blocked
mailing error

Ihr Passwort
Mail-Fehler!
Ihre E-Mail wurde verweigert
Ich bin's, was zum lachen ;)
Glueckwunsch: Ihr WM Ticket
WM Ticket Verlosung
WM-Ticket-Auslosung
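On the mail side, the attachment names, the subject templates and the two sample sizes given in this advisory are enough for a gateway rule. The script below is an added example, not code from CA or from this page: it classifies constructed sample messages (subject, attachment name, attachment size; labelled as constructed in the code) against those indicators, and a real deployment would feed it the parsed MIME headers from the gateway or mail log instead. It also generalises the one padded name on the page (`Winzipped-Text_Data.txt .pif`) into a check for any executable attachment whose inner extension is followed by whitespace padding; that generalisation and the size-plus-extension rule are this example's own, not the advisory's.

```python
"""Mail-gateway triage for the Win32.Sober.N message templates listed above.

Added example, not code from CA or from this page. The messages below are
constructed samples; a real deployment would feed it parsed MIME headers from the
gateway or mail log. The padded double-extension check generalises beyond the one
such name on the page ('Winzipped-Text_Data.txt .pif').
"""
import os
import re

# Indicators taken from the advisory.
ATTACHMENT_NAMES = {n.lower() for n in (
    "account_info-text.zip", "account_info.zip", "_PassWort-Info.zip",
    "autoemail-text.zip", "mail_info.zip", "okTicket-info.zip",
    "Fifa_Info-Text.zip", "our_secret.zip", "LOL.zip",
    "Winzipped-Text_Data.txt .pif",
)}
SUBJECTS = {
    "Your Password", "Registration Confirmation", "Your email was blocked",
    "mailing error", "Ihr Passwort", "Mail-Fehler!", "Ihre E-Mail wurde verweigert",
    "Ich bin's, was zum lachen ;)", "Glueckwunsch: Ihr WM Ticket",
    "WM Ticket Verlosung", "WM-Ticket-Auslosung",
}
SAMPLE_SIZES = {53554, 53728}  # UPX-packed executable and ZIP archive sizes
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat"}
CARRIER_EXTS = EXECUTABLE_EXTS | {".zip"}

# An inner extension followed by whitespace, e.g. 'name.txt      .pif': the padding
# pushes the real executable extension out of view in a narrow attachment column.
_PADDED_DOUBLE_EXT = re.compile(r"\.\w{2,4}\s+$")


def attachment_reasons(name):
    """Why an attachment file name looks like this worm (empty list if it does not)."""
    reasons = []
    n = name.strip().lower()
    if n in ATTACHMENT_NAMES:
        reasons.append("known Sober.N attachment name")
    base, ext = os.path.splitext(n)
    if ext in EXECUTABLE_EXTS and _PADDED_DOUBLE_EXT.search(base):
        reasons.append("double extension padded with whitespace")
    return reasons


def classify_message(subject, attachment_name, attachment_size):
    """Return the list of indicators matched by one message; [] means no match."""
    reasons = []
    if subject.strip() in SUBJECTS:
        reasons.append("subject matches Sober.N template")
    reasons += attachment_reasons(attachment_name)
    ext = os.path.splitext(attachment_name.strip().lower())[1]
    # Size alone is weak evidence, so it only counts for a carrier file type.
    if attachment_size in SAMPLE_SIZES and ext in CARRIER_EXTS:
        reasons.append("attachment size matches known sample")
    return reasons


# Constructed sample messages: (subject, attachment name, attachment size in bytes).
SAMPLE_MESSAGES = [
    ("Your Password", "account_info.zip", 53728),
    ("Ihr Passwort", "Winzipped-Text_Data.txt .pif", 53554),
    ("Quarterly figures", "report.pdf", 120000),
    ("Re: lunch", "photo.jpg .exe", 4096),
]


def scan(messages):
    """Return (index, reasons) for every message that matched at least one indicator."""
    flagged = []
    for i, (subj, att, size) in enumerate(messages):
        reasons = classify_message(subj, att, size)
        if reasons:
            flagged.append((i, reasons))
    return flagged


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_MESSAGES):
        print(f"message {i} ({SAMPLE_MESSAGES[i][0]!r}): {', '.join(reasons)}")
```

The fourth sample message matches none of the worm's literal strings and is still flagged, by the padded double-extension rule alone; that rule outlives any one variant's attachment list, which is why it is kept separate from the exact-name match.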

Payload

Deletes Files
The worm may delete files on the infected system with names matching the following criteria:

a*.exe
luc*.exe
ls*.exe
luu*.exe


More information on CA Virus Information Center
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=42813

Computer Associates – the Trusted Source of Security Knowledge

