F-Secure Virus Descriptions : Sober.G
THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.
Sober.G appeared in the beginning of May 2004. This worm variant
is similar to previous variants.
Update on May 27th, 2004
Certain versions of F-Secure Anti-Virus cannot detect the Sober.G
worm in ZIP archives. F-Secure is providing hotfixes for its
anti-virus products to solve that problem:
FSAV 5.42/5.41 Hotfix 3:
http://support.f-secure.com/enu/corporate/downloads/hotfixes/av5-hotfixes.shtml
FSAV Client Security Hotfix 10 (Anti-Virus Hotfix 5):
http://support.f-secure.com/enu/corporate/downloads/hotfixes/av-cs-hotfixes.s...
FSAV for Samba Servers 4.60 Hotfix 2:
http://support.f-secure.com/enu/corporate/downloads/hotfixes/av-linux-hotfixe...
FSAV Linux 4.52 Hotfix 5:
http://support.f-secure.com/enu/corporate/downloads/hotfixes/av-linux-hotfixe...
Update on May 16th, 2004
F-Secure is increasing the level of Sober.G to Radar 2 as we are
seeing increased numbers of it during the weekend. It sends
emails in both German and English with varying content and
attachments.
Update on May 15th, 2004
We got a few reports about Sober.G spreading in the wild on May
15th, 2004. After comparing samples from the worm's messages with
the sample that we had originally received and described, we
found out that our conclusion that Sober.G was an "intended" (a
variant that fails to replicate) was incorrect. This happened
because the sample that we originally got was taken from an
infected computer's Windows System folder and not from an e-mail
message. The Sober worm has a "feature" of modifying the
executable file that it drops to a hard drive: it changes the
byte at offset 0xA0 to 0x60 when its file is installed on a
system. However, the file that the worm sends out in e-mail
messages has this byte value zeroed. So the sample we originally
received did not install itself properly and did not create the
MIME-encoded files for spreading, because the worm "thought" it
was already installed. The worm's failure to install itself
properly and to create the files necessary for its spreading
drove us to the conclusion that the worm was an intended. We are
sorry for the confusion.
The worm is written in Visual Basic. The worm's file is a PE
executable of length 49661 bytes, packed with a modified version
of UPX file compressor. The worm has its own SMTP engine.
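The two sample traits stated above (a 49661-byte PE, and the byte at offset 0xA0 that is 0x60 in the installed copy but 0x00 in the mailed copy) can be checked mechanically when triaging a suspected sample. The following helper is an added example and not code from F-Secure's description; the function names and the stand-in buffer it builds for offline testing are constructed.

```python
# Added example, not code from F-Secure's description: a triage helper that
# applies the two sample traits stated in the description (file length 49661
# bytes, and the byte at offset 0xA0 being 0x60 in the installed copy but
# 0x00 in the copy the worm mails out). Function names and the stand-in
# buffer are constructed for illustration.

SOBER_G_LENGTH = 49661      # length of the worm's PE file per the description
MARKER_OFFSET = 0xA0        # offset of the "already installed" marker byte
MARKER_INSTALLED = 0x60     # value the worm writes when it installs itself
MARKER_MAILED = 0x00        # value in the copy attached to e-mail messages


def classify_sober_sample(data: bytes) -> str:
    """Classify a sample by length and marker byte.

    Returns 'installed-copy', 'mailed-copy', 'wrong-length' or
    'unknown-marker'. An 'installed-copy' taken from the System folder will
    not re-install or create its MIME files, so it is the wrong sample to
    use for replication tests; the 'mailed-copy' is the one that spreads.
    """
    if len(data) != SOBER_G_LENGTH:
        return "wrong-length"
    marker = data[MARKER_OFFSET]
    if marker == MARKER_INSTALLED:
        return "installed-copy"
    if marker == MARKER_MAILED:
        return "mailed-copy"
    return "unknown-marker"


def classify_file(path: str) -> str:
    """Read a file from disk and classify it."""
    with open(path, "rb") as fh:
        return classify_sober_sample(fh.read())


def make_stand_in(marker: int, length: int = SOBER_G_LENGTH) -> bytes:
    """Build a constructed stand-in buffer (NOT worm bytes) of the given
    length with the marker byte set, for testing the classifier offline."""
    buf = bytearray(length)
    buf[:2] = b"MZ"             # DOS header magic so it looks PE-like
    buf[MARKER_OFFSET] = marker
    return bytes(buf)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, classify_file(path))
```

Run it as `python triage.py sample1.exe sample2.exe`. The length check comes first because the marker byte only means something in a file of the documented size; a differently sized file is simply not this variant, whatever byte 0xA0 holds.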
Installation to system
When the worm's file is started it shows the following
message box:
If a user clicks the 'Yes' button, the worm creates the
converted_<filename>.txt file, where <filename> is the name of
the worm's file. The worm writes random garbage to that file and
opens it with Notepad:
Then the worm installs itself to system. It copies itself to
Windows System folder with a semi-randomly generated name and EXE
extension. The following text strings are used to generate the
file name of the worm's executable:
sys
host
dir
expolrer
win
run
log
32
disc
crypt
data
diag
spool
service
smss32
After that the worm creates startup keys for its file in Windows
Registry. The key names are also semi-randomly generated from the
above given list. The following keys are created:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<random>" = "%WinSysDir%\<random>.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<random>" = "%WinSysDir%\<random>.exe"
During its installation cycle the worm creates the following
files in Windows System folder:
bcegfds.lll
zhcarxxi.vvx
cvqaikxt.apk
These files have zero length and they are used to disable
previous variants of Sober if they are installed on an infected
computer.
Additionally the worm creates the following files:
xdatxzap.zxp
datsobex.wwr
These files are MIME-encoded copies of the worm's executable file
and a ZIP archive with the worm's file. These files will be used
for spreading of the worm in e-mail messages.
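The installation traces described above (Run values with names built from the token list, pointing at a same-style EXE in the System folder, plus the fixed-name dropped files) can be checked against a registry export and a folder listing. The code below is an added example, not F-Secure's tooling; it assumes that "semi-randomly generated" means the list entries are concatenated, which the description does not spell out, and the registry lines and directory listing it checks are constructed.

```python
import re

# Added example, not F-Secure code. Tokens the description says the worm
# uses to build its file and Run-value names.
TOKENS = ["sys", "host", "dir", "expolrer", "win", "run", "log", "32",
          "disc", "crypt", "data", "diag", "spool", "service", "smss32"]
# Fixed-name files the worm drops into the Windows System folder
DROPPED_FILES = {"bcegfds.lll", "zhcarxxi.vvx", "cvqaikxt.apk",
                 "xdatxzap.zxp", "datsobex.wwr"}
SYSTEM_DIRS = {"system32", "system", "%winsysdir%"}

# Constructed Run-key export in the same "name" = "data" form the
# description uses (not taken from a real infected host).
SAMPLE_REG_LINES = [
    r'[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]',
    r'"syshost32" = "C:\WINDOWS\System32\syshost32.exe"',
    r'"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe"',
    r'"windisc" = "C:\WINDOWS\System32\runlog.exe"',
    r'"MyApp" = "C:\Program Files\MyApp\syshost32.exe"',
]
# Constructed System-folder listing
SAMPLE_LISTING = ["kernel32.dll", "bcegfds.lll", "notepad.exe", "datsobex.wwr"]

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<data>[^"]*)"$')


def is_token_name(name: str) -> bool:
    """True if name is a concatenation of TOKENS (case-insensitive).
    Assumption: 'semi-randomly generated' means list entries joined
    together; the description does not give the exact algorithm."""
    name = name.lower()
    n = len(name)
    reachable = [False] * (n + 1)   # reachable[i]: prefix of length i is token-built
    reachable[0] = True
    for i in range(n):
        if not reachable[i]:
            continue
        for tok in TOKENS:
            if name.startswith(tok, i):
                reachable[i + len(tok)] = True
    return n > 0 and reachable[n]


def suspicious_run_values(reg_lines):
    """Return (value name, data) pairs whose value name and executable base
    name are both token-built and whose data points into the System folder."""
    hits = []
    for line in reg_lines:
        m = VALUE_RE.match(line.strip())
        if not m:
            continue
        name, data = m.group("name"), m.group("data")
        parts = data.lower().split("\\")
        if len(parts) < 2 or not parts[-1].endswith(".exe"):
            continue
        if parts[-2] not in SYSTEM_DIRS:       # must live in the System folder
            continue
        base = parts[-1][:-len(".exe")]
        if is_token_name(name) and is_token_name(base):
            hits.append((name, data))
    return hits


def dropped_files_present(listing):
    """Names from a System-folder listing that match the worm's fixed files."""
    return sorted(f for f in listing if f.lower() in DROPPED_FILES)
```

Requiring both the value name and the EXE base name to be token-built keeps the check from firing on legitimate entries that merely live in System32 (the `ctfmon.exe` line above is skipped). Short single tokens such as "win" or "run" can still collide with legitimate names, so treat a hit as something to confirm against the dropped-file list rather than as proof on its own.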
Spreading in e-mails
The worm sends e-mail messages with English and German texts and
its file attached. The attached file can be an executable or a
ZIP archive containing the worm's executable. The worm composes
several different types of messages and the content of these
messages is variable. Here's an example of a German message sent
by the worm:
Before spreading the worm scans files with certain extensions on
all hard disks to harvest e-mail addresses. Files with the
following extensions are scanned:
pmr
stm
slk
inbox
imb
csv
bak
imh
xhtml
imm
imh
cms
nws
vcf
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx
The e-mail addresses and user names found are saved in these
three files that the worm creates in Windows System folder:
winzweier.dats
wincheck32.dats
winexpoder.dats
When the worm is active in memory it blocks access to these files
as well as to its MIME-encoded files and its executable file.
The worm ignores e-mail addresses that contain any of the
following substrings:
office
@www
@from.
support
redaktion
smtp-
@smtp.
gold-certs
ftp.
.dial.
.ppp.
anyone
subscribe
announce
@gmetref
sql.
someone
nothing
you@
user@
reciver@
somebody
secure
msdn.
me@
whatever@
whoever@
anywhere
yourname
mustermann@
.kundenserver.
mailer-daemon
variabel
password
-dav
law2
.sul.t-
.qmail@
t-ipconnect
t-dialin
ipt.aol
time
postmas
service
freeav
@ca.
abuse
winrar
domain.
host.
viren
bitdefender
spybot
detection
ewido.
emsisoft
linux
google
@foo.
winzip
@example.
bellcore.
@arin
mozilla
@iana
@avp
@msn
icrosoft.
@spiegel.
@sophos
@panda
@kaspers
free-av
antivir
virus
verizon.
@ikarus.
@nai.
@messagelab
nlpmail01.
clock
If the worm sends infected messages to domains with the suffixes
'.de', '.ch', '.at', '.li' or to the 'gmx.' domain, it composes
messages in German; otherwise English messages are composed.
The worm can compose English messages from the following text
string arrays:
Subject (one of the following):
hi there
hey dude!
wazzup!!!
yeah dude :P
Details
Oh God it's
damn!
#
Registration confirmation
Confirmation
Your Password
Your mail account
Delivery failure notice
Faulty mail delivery
Mail delivery failed
Mailing Error
Illegal signs in E-Mail
Invalid mail length
Mail Delivery failure
mail delivery status
Warning!
error in dbase
DBase Error
ups, i've got your mail
Sorry, that's your mail
why do you do that?
Message body (one of the following):
yo wazzup :P
well here is ur stuff! good luck!
cya!
hey man! you'll not belive me what i've found on your computer!^^ ... thats funny dude!
well cya soon
nice pic u send me! here is mine!
I was surprised, too! :-(??
Who could suspect something like that? shit
hey dude!#
ive found a shity virus on my pc. yo must check your pc!
follow the steps in this article.
bye
Life's a Bitch
Smiling Like a Killer
Your password was changed successfully.
Protected message is attached.
Anybody use your accounts and (or) passwords!
For further details see the attachment.
i'm very very sorry, anybody have sent your mail to my account address.
i've read this mail ,,, sorry about that
I've got your mail, but its came on my mail address???
excuse for my bad english, but I'm a Dutchman
Attachment name (one of the following):
stuff
your_docs
private
ohyeah
photo
shock
thatshard
oh_no
article
more_infos
check_this
p_message
yourmail
idiot
painfulness
The worm can compose German messages from the following text
string arrays:
Subject (one of the following):
lol, wat'n los ey?
Information von
Falsche Mailzustellung
Fehler in Ihrer E-Mail
Ihre E-Mail war fehlerhaft
ESMTP Error
Ungultige Variablen in ihrer E-Mail
Verbindung wurde getrennt
Mail_Fehler
Ihr neuer Account
Neue Account Daten
Sie haben nicht gezahlt
Rechnung
Hi, sei vorsichtig!
Achtung! gefahrlicher Virus!
Schon gehort?
Die Tools!
Dein Zeug's!
Hier fur dich^^
Bestellungs Bestatigung
Lieferungs-Bestatigung
Ok, hier ist mein
Ich habe mich in dich verliebt!
Message body (one of the following):
Man hort und sieht nikkes mehr von Dir!
Haste D.e.i.n.e. Tage oder so?;) Ware mal sehr nett von dir,
wenn Du mal was von dir horen laaaasssssen tutest(tut tut)!
bis spaeeeter mal
Diese Information ist Passwort geschutzt.
Da Sie uns Ihre Personlichen Daten mitgeteilt haben, ist das Passwort Ihr Geburts-Datum!
Viel Spass mit unserem Angebot
Guten Tag!
Das diese E-Mail automatisch generiert wurde, darf aus
Datenschutzrechtlichen Grunden die vollstandige E-Mail nur
angehangt werden.
Ihre neuen Account Daten finden Sie im beigefugten Dokument.
Vielen Dank fur Ihr Verstandnis.
Wir bitten dies zu berucksichtigen.
Guten Tag,
Da Sie vor einiger Zeit ihren <domain>-Tarif bei uns gewechselt
haben, mussen wir darauf hinweisen, dass Ihre Zahlung noch nicht
bei uns eingegangen ist.
Leider mussen wir darauf hinweisen, das rechtliche Schritte gegen Sie eingeleitet werden konnen.
Alle Informationen bezuglich diesem Tarifes finden Sie im mitgesendetem Dokument.
Hochachtungsvoll
R. Peters
### Peters Multi- Media GmbH
### www.<domain>
Hi... ich wollte dir schnell mal mitteilen, dass sich ein
gefahrlicher Virus/Trojaner uber Internet Seiten verbreitet.
Achte auf die Infos im Anhang!!!
Ciao!
Hey alles klar? Hier sind die Tools die du haben wolltest!
Viel Spaß damit ;)
Cu!
Weitere Informationen befinden sich im Anhang dieser Mail
Da Du mir dein Foto geschickt hast, hier nun ein Bild von mir!
Ja, leider kann ich es nicht andern aber es ist so.
Wenn Du genauso fuhlst, dann schau dir bitte den Anhang an.
Wenn nicht, dann losche ungeoffnet diese Mail! Es ware mir sonst zu peinlich .....
Attachment name (one of the following):
Jokes
Kundeninfo
Benutzer-Daten
-tarif
Antitext
lese-das
Aufpassen
Tools
daten
Foto
Bild
hallo.zip
Sober's attachment name can contain a random number and can have
one of the following extensions:
.com
.bat
.pif
.scr
The attachment can also be sent in a ZIP archive. In this case
the worm's file inside the archive has a double extension. The
first extension is selected from the following list:
.txt
.doc
.word
.xls
.eml
The attachment name can be as well "borrowed" from any file name
on an infected system.
The worm can also compose fake bounced messages.
The subject of an infected e-mail can have 'FwD:' string.
The worm fakes the sender's e-mail address. It can compose fake
sender's e-mail address from the following parts:
Info
FehlerMail
Information
Service
Hilfe
Webmaster
Hostmaster
Postmaster
User-Info
account
ErrorMail
ReMailer
automailer
Administrator
user-help
Lisa
Peter
Michael
Thomas
Elke
Susi
Nadine
Sober.G can place a fake anti-virus scanner report in the message
body trying to persuade a recipient that the message was scanned
by an on-line scanner and no infection was found.
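The message traits listed above (the fixed subject lists, the optional 'FwD:' prefix, the attachment names with an optional random number and a .com/.bat/.pif/.scr extension, the double-extension name inside a ZIP, and the spoofed sender names) can be combined into a gateway heuristic. The code below is an added example and not F-Secure's detection; it assumes that the final extension of a double-extension ZIP member comes from the same four-entry list as a bare attachment, and the two test messages it builds are constructed, with a harmless text stub in place of the attachment.

```python
import re
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr

# Added example, not F-Secure code. Strings below are taken from the
# description (lower-cased); the subject and attachment sets hold both the
# English and German lists.
SUBJECTS = {s.lower() for s in [
    "hi there", "hey dude!", "wazzup!!!", "yeah dude :P", "Details",
    "Oh God it's", "damn!", "Registration confirmation", "Confirmation",
    "Your Password", "Your mail account", "Delivery failure notice",
    "Faulty mail delivery", "Mail delivery failed", "Mailing Error",
    "Illegal signs in E-Mail", "Invalid mail length", "Mail Delivery failure",
    "mail delivery status", "Warning!", "error in dbase", "DBase Error",
    "ups, i've got your mail", "Sorry, that's your mail", "why do you do that?",
    "lol, wat'n los ey?", "Falsche Mailzustellung", "Fehler in Ihrer E-Mail",
    "Ihre E-Mail war fehlerhaft", "ESMTP Error", "Verbindung wurde getrennt",
    "Mail_Fehler", "Ihr neuer Account", "Neue Account Daten",
    "Sie haben nicht gezahlt", "Rechnung", "Hi, sei vorsichtig!",
    "Die Tools!", "Dein Zeug's!", "Bestellungs Bestatigung",
    "Lieferungs-Bestatigung", "Ich habe mich in dich verliebt!"]}
ATTACH_BASES = {s.lower() for s in [
    "stuff", "your_docs", "private", "ohyeah", "photo", "shock", "thatshard",
    "oh_no", "article", "more_infos", "check_this", "p_message", "yourmail",
    "idiot", "painfulness", "Jokes", "Kundeninfo", "Benutzer-Daten", "-tarif",
    "Antitext", "lese-das", "Aufpassen", "Tools", "daten", "Foto", "Bild"]}
SENDER_LOCALS = {s.lower() for s in [
    "Info", "FehlerMail", "Information", "Service", "Hilfe", "Webmaster",
    "Hostmaster", "Postmaster", "User-Info", "account", "ErrorMail",
    "ReMailer", "automailer", "Administrator", "user-help", "Lisa", "Peter",
    "Michael", "Thomas", "Elke", "Susi", "Nadine"]}
EXEC_EXT = {".com", ".bat", ".pif", ".scr"}
INNER_FIRST_EXT = {".txt", ".doc", ".word", ".xls", ".eml"}

# <name><optional digits><extension>: the worm may append a random number
ATTACH_RE = re.compile(r"^(?P<base>[a-z_\-]+?)(?P<num>\d*)(?P<ext>\.[a-z]+)$")


def is_suspicious_zip_member(name: str) -> bool:
    """Double-extension pattern for a file inside the ZIP attachment:
    <name>.<txt|doc|word|xls|eml>.<exe-type>. Assumption: the final
    extension comes from the same list as a bare attachment."""
    parts = name.lower().rsplit(".", 2)
    return (len(parts) == 3 and "." + parts[1] in INNER_FIRST_EXT
            and "." + parts[2] in EXEC_EXT)


def score_message(raw: str) -> dict:
    """Return the heuristic reasons a raw RFC 822 message resembles Sober.G."""
    msg = message_from_string(raw)
    reasons = []
    subject = (msg.get("Subject") or "").strip()
    if subject.lower().startswith("fwd:"):      # the worm may prepend 'FwD:'
        subject = subject[4:].strip()
    if subject.lower() in SUBJECTS:
        reasons.append("known-subject")
    _, addr = parseaddr(msg.get("From") or "")
    if addr.split("@")[0].lower() in SENDER_LOCALS:
        reasons.append("spoofed-sender-name")
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue
        fname = fname.lower()
        m = ATTACH_RE.match(fname)
        if fname.endswith(".zip"):
            reasons.append("zip-attachment")    # check members with is_suspicious_zip_member
        elif m and m.group("ext") in EXEC_EXT:
            reasons.append("executable-attachment")
            if m.group("base") in ATTACH_BASES:
                reasons.append("known-attachment-name")
    return {"score": len(reasons), "reasons": reasons}


def build_sample(subject: str, sender: str, attach_name: str) -> str:
    """Construct a harmless test message (the attachment is a text stub)."""
    msg = MIMEMultipart()
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg.attach(MIMEText("For further details see the attachment."))
    att = MIMEApplication(b"not a real binary", Name=attach_name)
    att.add_header("Content-Disposition", "attachment", filename=attach_name)
    msg.attach(att)
    return msg.as_string()


# Constructed messages: one shaped like the worm's mail, one ordinary
WORM_LIKE = build_sample("FwD: Your Password",
                         "Postmaster <postmaster@example.net>",
                         "your_docs1234.pif")
BENIGN = build_sample("Re: lunch", "alice@example.org", "agenda.pdf")
```

Because the description says the attachment name can also be "borrowed" from any file on the infected system, the attachment-name match is a bonus rather than a requirement; the executable extension on a direct attachment and the double extension inside a ZIP are the stronger signals, and the subject and sender-name lists raise the score for the generic fake-bounce messages.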
Payload
Sober.G can download and activate an executable file from one of
the following websites:
home.arcor.de
people.freenet.de
home.pages.at
scifi.pages.at
free.pages.at
The name of the downloaded executable file is 'doerkggg.exe'.
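On the network side, the download described above leaves a request for 'doerkggg.exe' in web proxy logs. The following is an added example, not F-Secure code, that flags such requests in a simple constructed log format and records whether the host is one of the five named above; the log lines are constructed.

```python
import re

# Added example, not F-Secure code. Hosts and payload name from the description.
PAYLOAD_HOSTS = {"home.arcor.de", "people.freenet.de", "home.pages.at",
                 "scifi.pages.at", "free.pages.at"}
PAYLOAD_NAME = "doerkggg.exe"

# Constructed proxy log lines: "<timestamp> <client> <method> <url>"
SAMPLE_LOG = """\
2004-05-16T10:12:01Z 10.0.0.15 GET http://home.arcor.de/user1/doerkggg.exe
2004-05-16T10:12:05Z 10.0.0.15 GET http://home.arcor.de/user1/index.html
2004-05-16T10:13:40Z 10.0.0.22 GET http://free.pages.at/other/doerkggg.exe
2004-05-16T10:14:00Z 10.0.0.9 GET http://www.example.com/files/DOERKGGG.EXE
"""

URL_RE = re.compile(r"https?://(?P<host>[^/:\s]+)(?::\d+)?(?P<path>/\S*)?", re.I)


def find_payload_downloads(log_text: str):
    """One record per request whose URL path ends in the payload name.

    known_host says whether the host is one of the five listed. A request to
    those free-hosting sites on its own is not evidence (they serve plenty of
    legitimate pages); the distinctive file name is what matters.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        m = URL_RE.search(line)
        if not m or len(fields) < 2:
            continue
        host = m.group("host").lower()
        path = (m.group("path") or "").lower()
        if path.endswith("/" + PAYLOAD_NAME):
            hits.append({"client": fields[1], "host": host,
                         "known_host": host in PAYLOAD_HOSTS})
    return hits
```

Each hit gives the client address to follow up on with the host checks from the installation section; the match is case-insensitive because a path component is compared after lower-casing.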
Deactivation of the worm
The worm periodically looks for a file named 'odin-anon.ger' and,
if this file is found, the worm uninstalls itself from memory.
Moreover, if this file is present in Windows System folder, the
worm does not install itself to a system.
A message from Sober's author
Sober.G worm creates a file named NoSpam.readme in Windows System
folder and writes a German text there. That text is a message
from the author of the worm to AV companies. In the message the
author denies being a spammer or a hacker and reports his age
group.
Detection of Sober.G worm is available in the following FSAV
updates:
[FSAV_Database_Version]
Version=2004-05-12_01
Technical Details:
Alexey Podrezov; May 14th, 2004;
Description Updated:
Alexey Podrezov; June 17th, 2004;
F-Secure Corporation