Summary

| | |
|---|---|
| How it spreads | |
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 31 January 2005 10:04:22 (GMT) |
| Last updated | 7 February 2005 19:55:49 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<random name> = <random filename>
and remove any reference to any file you deleted.
Close the registry editor.
More Information
W32/Sober-J is a variant of the W32/Sober family of mass-mailing worms for the Windows platform. It harvests email addresses from the infected computer's hard drive, checks the country of origin by comparing each address's domain extension against a pre-defined list, and sends its mail in either English or German depending on the domain. Email addresses are harvested from files with the following extensions:
ABC
ABD
ABX
ADB
ADE
ADP
ADR
ASP
BAK
BAS
CFG
CGI
CLS
CMS
CSV
CTL
DBX
DHTM
DOC
DSP
DSW
EML
FDB
FRM
HLP
IMB
IMH
IMM
INBOX
INI
JSP
LDB
LDIF
LOG
MBX
MDA
MDB
MDE
MDW
MDX
MHT
MMF
MSG
NAB
NCH
NFO
NSF
NWS
ODS
OFT
PHP
PL
PMR
PP
PPT
PST
RTF
SHTML
SLK
SLN
STM
TBB
TXT
UIN
VAP
VBS
VCF
WAB
WSH
XHTML
XLS
XML
W32/Sober-J creates the following files in the Windows system folder. Some of these files are used for storing harvested information and others are encrypted and/or packed worm copies:
datamx.dam
dgsfzipp.gmx <text-ascii>
mail_text-info.
nonrunso.ber
Odin-Anon.Ger
read.me
sysmms32.lla
where the text-ascii files contain base64-encoded, encrypted, ZIP-packed copies of the worm.
W32/Sober-J copies itself to the Windows system folder as an EXE file with a name that is constructed from the following strings:
32
crypt
data
diag
dir
disc
expoler
host
log
run
service
smss32
spool
sys
win
In order to run automatically when Windows starts up, W32/Sober-J sets the registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<random name> = <random filename>
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<random name> = <random filename>
where <random name> is a string constructed from the list above (each registry entry may have a different random name) and <random filename> is the filename of the worm copy.
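As an added example (not Sophos's own tooling), the following Python heuristic flags Run entries whose value name and EXE filename both decompose into the worm's word list and whose file sits in the system folder; the sample entries and the system-folder paths are constructed for illustration.

```python
"""Flag HKLM ...\Run entries that match W32/Sober-J's persistence pattern.

Constructed example: the value name and the worm copy's filename are each
a concatenation of strings from a fixed word list, and the copy is an .exe
in the Windows system folder. A hit is a candidate for review, not a verdict.
"""
import ntpath
from functools import lru_cache

# Word list from the analysis; "expoler" is the worm's own (misspelled) string.
SOBER_J_WORDS = ("32", "crypt", "data", "diag", "dir", "disc", "expoler", "host",
                 "log", "run", "service", "smss32", "spool", "sys", "win")

# Assumption: the usual system folder locations on NT-family Windows.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\winnt\system32")


@lru_cache(maxsize=None)
def segment(name):
    """Split `name` into a tuple of SOBER_J_WORDS, or None if it cannot be done."""
    if name == "":
        return ()
    for word in SOBER_J_WORDS:          # backtracking over every candidate prefix
        if name.startswith(word):
            rest = segment(name[len(word):])
            if rest is not None:
                return (word,) + rest
    return None


def is_sober_j_run_entry(value_name, value_data):
    """True if both the value name and the EXE stem are built from the word list."""
    if segment(value_name.lower()) is None:
        return False
    folder, filename = ntpath.split(value_data.strip('"').lower())
    stem, ext = ntpath.splitext(filename)
    return ext == ".exe" and folder in SYSTEM_DIRS and segment(stem) is not None


def suspicious_entries(entries):
    return [(n, d) for n, d in entries if is_sober_j_run_entry(n, d)]


# Constructed sample Run entries: two worm-like, two benign.
SAMPLE_RUN_ENTRIES = [
    ("sysdiag", r"C:\WINDOWS\system32\windata32.exe"),
    ("crypthost", r"C:\WINDOWS\system32\spoolservice.exe"),
    ("SoundMAX", r"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]

if __name__ == "__main__":
    for name, data in suspicious_entries(SAMPLE_RUN_ENTRIES):
        print(f"review: {name} = {data}")
```

On a live system the entries would be read with the standard `winreg` module from the Run key named above; the matching logic is unchanged.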
W32/Sober-J checks the country of origin by comparing the domain extension with the ones in the following list:
.de, .ch, .at, .com, .gmx
Where the domain extension matches a German variant, the email is sent in German; otherwise it is sent in English.
W32/Sober-J may arrive in an email with the following characteristics:
If spread in German:
Subject line:
Ey du DOOF Nase, warum beantw...
Message body:
Warum beantwortest Du meine E-Mails nicht?
Kommen meine Mails nicht mehr bei dir an oder so???
Habe mir jetzt extra eine neue Mail Adresse bei GMX gemacht!
Ich hoffe mal, das sie jetzt zu dir durch dringen wird.
In meinen anderen Mails habe ich einige Wichtige Dinge niedergeschrieben,
hatte aber keine Lust alles nochmal zu schreiben.
Deshalb habe ich die alten Mail-Texte im Texteditor kopiert und mit Winzip
kleiner gemacht.
Lesen und diesmal auch bescheid geben!!!!
tschau.....
Attachment name:
texte.zip
If spread in English:
Subject line:
I've got YOUR email on my account!!
Message body:
Hello,
First, Sorry for my very bad English!
Someone send your private mails on my email account!
I think it's an Mail-Provider or SMTP error.
Normally, I delete such emails immediately, but in the mail-text is a name
& adress. I think it's your name and adress.
In the last 8 days i've got 7 mails in my mail-box, but the recipient are
you, not me. lol
OK, I've copied all email text in the Windows Text-Editor and i've zipped
the text file with WinZip.
The sender of this mails is in the text file, too.
bye
Attachment name:
text.zip
The attached file may have an extension chosen from the following:
ZIP, PIF, SCR, BAT, COM or EXE.
