W32/Sober-I is a variant of the W32/Sober family of mass-mailing worms for the Windows platform.
W32/Sober-I harvests email addresses from system files, and may arrive in an email with various subject lines and message texts.
When executed, W32/Sober-I displays a fake error message with the header "WinZip Self-Extractor" and the text "WinZip_Data_Module is missing ~Error:...". At the same time it creates the following files in the Windows system folder; some are used to store harvested information and others are encrypted and/or packed copies of the worm:
Odin-Anon.Ger
clonzips.ssc (text-ascii)
clsobern.isc (text-ascii)
cvqaikxt.apk
dgssxy.yoi
diagdatacrypt.exe (win-pack-hackupx)
expolerlog.exe (win-pack-hackupx)
nonzipsr.noz
sysmms32.lla
winroot64.dal
winsend32.dal
zippedsr.piz (text-ascii)
W32/Sober-I copies itself to the Windows system folder as an EXE file with a name that is constructed from the following strings:
sys, host, dir, expolrer, win, run, log, 32, disc, crypt, data, diag, spool, service, smss32
W32/Sober-I stops emailing itself after 05 Jan 2005.
W32/Sober-I is a variant of the W32/Sober family of mass-mailing worms for the Windows platform. It harvests email addresses from files with the following extensions:
PMR STM SLK INBOX IMB CSV BAK IMH XHTML IMM IMH CMS NWS VC CTL DHTM CGI PP PPT MSG JSP OFT VBS UIN LDB ABC PST CFG MDW MBX MDX MDA ADP NAB FDB VAP DSP ADE SLN DSW MDE FRM BAS ADR CLS INI LDIF LOG MDB XML WSH TBB ABX ABD ADB PL RTF MMF DOC ODS NCH XLS NSF TXT WAB EML HLP MHT NFO PHP ASP SHTML DBX
Of the files created in the Windows system folder (listed above), those marked 'text-ascii' contain a base64-encoded, encrypted, ZIP-packed copy of the worm, and those marked 'win-pack-hackupx' are copies of the worm packed with a modified UPX.
In order to be able to run automatically when Windows starts up, W32/Sober-I sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<random name> = <random filename>
(where <random name> is a string constructed from the list above and <random filename> corresponds to the worm copy filename.)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\MSAntiVirus = <path_to_file>\<filename> %1
(where <filename> corresponds to the currently executed file.)
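A host-side triage check for the file and persistence indicators described above, added here as an example (not part of the original description): it matches the listed dropped filenames, tests whether an EXE name can be assembled entirely from the worm's name fragments, and checks Run/RunOnce values against that pattern. The sample paths and value names used in the test are constructed.

```python
"""Added example (not from the original description): flag Windows system-folder
filenames and Run-key values that match the W32/Sober-I indicators above.
The sample values used with it are constructed, not taken from an infected host."""
from typing import Optional

# Files the description says the worm drops in the Windows system folder.
SOBER_I_DROPPED = {
    "odin-anon.ger", "clonzips.ssc", "clsobern.isc", "cvqaikxt.apk",
    "dgssxy.yoi", "diagdatacrypt.exe", "expolerlog.exe", "nonzipsr.noz",
    "sysmms32.lla", "winroot64.dal", "winsend32.dal", "zippedsr.piz",
}
# Fragments the worm concatenates to name its EXE copy and its Run-key value.
NAME_PARTS = ("sys", "host", "dir", "expolrer", "win", "run", "log", "32",
              "disc", "crypt", "data", "diag", "spool", "service", "smss32")

def built_from_parts(stem: str) -> bool:
    """True if `stem` splits entirely into NAME_PARTS fragments
    (e.g. 'diagdatacrypt' = diag + data + crypt). Heuristic: legitimate
    names such as 'runlog' can match, so treat it as a triage signal."""
    stem = stem.lower()
    if not stem:
        return False
    ok = [True] + [False] * len(stem)      # ok[i]: stem[:i] is segmentable
    for i in range(1, len(stem) + 1):
        ok[i] = any(ok[i - len(p)] and stem.endswith(p, 0, i)
                    for p in NAME_PARTS if len(p) <= i)
    return ok[len(stem)]

def classify_file(name: str) -> Optional[str]:
    """Verdict for one basename from the system folder, or None."""
    lower = name.lower()
    if lower in SOBER_I_DROPPED:
        return "known Sober-I dropped file"
    stem, _, ext = lower.rpartition(".")
    if ext == "exe" and built_from_parts(stem):
        return "EXE name assembled from Sober-I fragments"
    return None

def classify_run_value(key_path: str, value_name: str, data: str) -> Optional[str]:
    """Match the Run / RunOnce persistence entries from the description."""
    key = key_path.lower()
    if key.endswith(r"\currentversion\runonce") and value_name == "MSAntiVirus":
        return "Sober-I RunOnce MSAntiVirus entry"
    if key.endswith(r"\currentversion\run") and built_from_parts(value_name):
        target = data.strip('"').split("\\")[-1].split(" ")[0]  # basename, drop args
        if classify_file(target):
            return "Sober-I Run entry -> " + target
    return None
```

Feed it a directory listing of the system folder and an export of the two Run keys; the fragment heuristic is intentionally loose, so review its hits rather than acting on them automatically.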
W32/Sober-I determines the recipient's country of origin by comparing the domain extension of the email address with the following list:
.de, .ch, .at, .li, .gmx
If the domain extension matches one of these, the email is written in German; otherwise it is written in English.
W32/Sober-I may arrive in an email with the following characteristics:
Subject line: constructed from:
FwD:
Re:
Oh God
Registration Confirmation
Confirmation
Your Password
Your mail password
Delivery_failure_notice
Faulty_mail delivery
Mail delivery_failed
Mail Error
illegal signs in your mail
invalid mail
Mail_Delivery_failure
mail delivery system
Key:
SMTP:
ESMTP:
Info von
Mailzustellung fehlgeschlagen
Fehler in E-Mail
Ihre E-Mail wurde verweigert
Mailer Error
Ungueltige Zeichen in Ihrer E-Mail
Mail- Verbindung wurde abgebrochen
Mailer-Fehler
Betr.-Ihr Account
Ihre neuen Account-Daten
Auftragsbestaetigung
Lieferung-Bescheid
Message Text (English): subject dependent
Message Text for Subject 'Oh God':
I was surprised, too!
Who_could_suspect_something_like_that? shityiiiii
Message Text for delivery failure subject lines: constructed from
This mail was generated automatically.
More info about --<random name>-- under: http://www.<random URL>
<random ip><random error message1>
# <random number>: <randomly chosen error message2>
The original mail is attached.
Auto_Mail.System: [<random name>]
<possible fake anti-virus message>
Possible error messages 1:
_does_not_like_recipient.
_does_not_like_sender.
Possible error messages 2:
This_account_has_been_discontinued_[#144].
mailbox_unavailable
Remote_host_said:_delivery_error
Giving_up_on_53.32.183.90.
MAILBOX NOT FOUND
Fake anti-virus message:
*-*-* Mail_Scanner: No Virus
*-*-* <random name>- Anti_Virus Service
*-*-* http://www.<random URL>
(See attached file: <random filename>.zip)
Message Text (German): chosen from
Message Text 1: constructed from:
Diese E-Mail wurde automatisch generiert.
Mehr Informationen erhalten Sie unter http://www.<random URL>
Folgende Fehler wurden aufgezeichnet:
<random ip><random error message1>
# <random number>: <randomly chosen error message2>
STOP mailer
The original mail is attached.
Auto_Mail.System: [<random name>]
<possible fake anti-virus message>
Possible error message 1:
Remote_host_said: _Requested_action_not_taken
_delivery_error
Possible error message 2:
mailbox_unavailable
Giving_up_on_
This_account_has_been_ disabled
This_account_has_been_ discontinued
Mailbox unavailable
Giving up on
... does not like
Fake anti-virus message:
Anti_Virus: Es wurde kein Virus gefunden
Anti_Virus Service
Message Text 2: constructed from
Da Sie uns Ihre Persoenlichen Daten sugesandt haben ist das Password
Ihr Geburts-Datum Viel Vergnuegen mit unserem Angebot!
*****
Im I-Net unter: http://www.<random URL>
Message Text 3: constructed from:
Aus Datenshutzrechtlichen Gruenden darf die vollstaendige E-Mail incl. Daten
nur angehaengt werden
da unsere Datenbank leider durch einen Programm Fehler zerstoert wurde,
mussten wir leider eine Aenderung bezueglich Ihrer Nutzungs-Daten vornehmen.
Ihre geanderten Account Daten befinden sich im beigefuegten Dokument.
Weitere Informationen befinden sich im Anhang dieser Mail.
The attached file may have an extension chosen from the following:
ZIP, PIF, SCR, BAT, COM.
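A mail-gateway check for the lure described above, added here as an example (not part of the original description): it strips the FwD:/Re:/Key:/SMTP:/ESMTP: prefixes the worm prepends, matches the normalised subject against a subset of the listed subjects, looks for the fixed bounce and fake anti-virus phrases in the body, and checks attachment extensions. The message in SAMPLE is constructed.

```python
"""Added example (not from the original description): flag inbound mail that
carries the W32/Sober-I subject, body and attachment traits listed above.
The message below is a constructed sample, not a real capture."""
import re
from typing import Dict, List

# Subjects from the description (subset, lowercase) without the FwD:/Re: style prefixes.
SUBJECTS = {
    "oh god", "registration confirmation", "your mail password",
    "delivery_failure_notice", "faulty_mail delivery", "mail delivery_failed",
    "mail error", "illegal signs in your mail", "mail_delivery_failure",
    "mailzustellung fehlgeschlagen", "fehler in e-mail", "mailer-fehler",
    "ihre e-mail wurde verweigert", "ihre neuen account-daten",
}
ATTACH_EXT = {"zip", "pif", "scr", "bat", "com"}
# Fixed fragments of the bogus bounce text and fake anti-virus footer.
BODY_MARKERS = ("auto_mail.system:", "*-*-* mail_scanner:",
                "the original mail is attached",
                "diese e-mail wurde automatisch generiert")
PREFIX = re.compile(r"^(?:(?:fwd?|re|key|smtp|esmtp)\s*:\s*)+", re.I)

def sober_i_indicators(msg: Dict[str, object]) -> List[str]:
    """Return the list of Sober-I traits found in one parsed message."""
    hits = []
    subject = PREFIX.sub("", str(msg.get("subject", "")).strip()).strip().lower()
    if subject in SUBJECTS:
        hits.append("subject")
    body = str(msg.get("body", "")).lower()
    if any(marker in body for marker in BODY_MARKERS):
        hits.append("body")
    for att in msg.get("attachments", []):
        if str(att).lower().rpartition(".")[2] in ATTACH_EXT:
            hits.append("attachment:" + str(att))
    return hits

def is_suspected_sober_i(msg: Dict[str, object]) -> bool:
    """Quarantine rule: a risky attachment plus at least one text trait."""
    hits = sober_i_indicators(msg)
    has_attachment = any(h.startswith("attachment:") for h in hits)
    return has_attachment and ("subject" in hits or "body" in hits)

# Constructed sample resembling the bounce-style lure described above.
SAMPLE = {
    "subject": "FwD: Mail delivery_failed",
    "body": "This mail was generated automatically.\nThe original mail is attached.\n"
            "Auto_Mail.System: [MailRoot]\n*-*-* Mail_Scanner: No Virus\n",
    "attachments": ["mail-body.zip"],
}
```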