Sophos

W32/Sober-N

Aliases
  • CME-456

Summary

 
How it spreads
  • Email attachments
Affected operating systems: Windows
Included in our products from: June 2005 (3.94)
Protection available since: 2 May 2005 17:19:42 (GMT)
Detected by: All Sophos products

More Information

W32/Sober-N is a mass-mailing worm which sends itself to addresses harvested from the infected computer.

The email sent by W32/Sober-N depends on the recipient address. Recipients whose email address is in the .de, .ch, .at or .li domains, or contains the string "gmx.", receive an email with the following characteristics:

Subject line:

Ihr Passwort
Mail-Fehler!
Ihre E-Mail wurdeverweigert
Ich bin's, was zum lachen :)
Glueckwunsch: Ihr WM Ticket
WM Ticket Verlosung
WM-Ticket-Auslosung
Ich habe Ihre E-Mail bekommen!

Message text:

Herzlichen Glueckwunsch,

Passwort und Benutzer-Informationen befindensich in der beigefuegten Anlage.

Diese E-Mail wurde automatisch erzeugt

Mehr Information finden Sie unter <URL>

Folgende Fehler sind aufgetreten:

Fehler konnte nicht Explicit ermittelt werden

End Transmission

Aus Datenschutzrechtlichen Gruenden, muss die vollstaendige E-Mail incl. Daten gezippt & angehaengt werden.

Wir bitten Sie, dieses zu beruecksichtigen.

Nun sieh dir das mal an!

--- FIFA-Pressekontakt:
beim Run auf die begehrten Tickets fnr die 64 Spiele der Weltmeisterschaft 2006 in Deutschland sind Sie dabei.

Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.

Mail-Scanner: Es wurde kein Virus festgestellt
AntiVirus: Kein Virus gefunden
AntiVirus-System: Kein Virus erkannt

Attached file:

Fifa_Info-Text.zip
okTicket-info.zip
our_secret.zip

The attached filenames may contain an optional prefix of "error-" or an optional suffix of "-Text" followed by the ZIP extension. Example: our_secret-Text.zip

Email sent to other addresses will have the following characteristics:

Subject line:

mailing error
Registration Confirmation
Your email was blocked
Your Password

Message text:

This is an automatically generated E-Mail Delivery Status Notification.

Mail-Header, Mail-Body and Error Description are attached
(See attached file: <zip file name>)
 
 

Account and Password Information are attached!

Visit: <URL>

*** AntiVirus: No Virus found
*** "<vendor name>" Anti-Virus
*** <vendor url>
(See attached file: <zip file name>)
 
 
Account and Password Information are attached!

Visit: <URL>
(See attached file: <zip file name>)
 
 
Account and Password Information are attached!

Visit: <URL>

*** Server-AntiVirus: No Virus (Clean)
*** "<vendor name>" Anti-Virus
*** <vendor url>
(See attached file: <zip file name>)
 
 
ok ok ok,,,,, here is it

*** AntiVirus: No Virus found
*** "<vendor name>" Anti-Virus
*** <vendor url>
(See attached file: <zip file name>)

Attached file:

mail_info.zip
account_info.zip
our_secret.zip

The attached filenames may carry an optional "error-" prefix or an optional "-text" suffix before the ZIP file extension.

The ZIP file contains an executable named Winzipped-Text_Data.txt<spaces>.pif, where <spaces> stands for a run of space characters that separates the decoy .txt extension from the real .pif extension.

The From address line is forged.
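The attachment naming scheme and the space-padded .pif member described above are the two features a mail gateway can key on. The following Python is an added example, not code from the Sophos page: it checks one attachment for both indicators, the name lists are taken from this page, and the ZIP it inspects is constructed in memory.

```python
import io
import re
import zipfile

# Attachment base names from the page, after removing the optional "error-"
# prefix and "-Text"/"-text" suffix the worm may add to them.
SOBER_N_BASENAMES = {"fifa_info", "okticket-info", "our_secret", "mail_info", "account_info"}

# The dropped executable is named '<decoy>.txt<spaces>.pif': the run of spaces
# pushes the real .pif extension out of view in a mail client.
PADDED_PIF_RE = re.compile(r"\.txt {2,}\.pif$", re.IGNORECASE)


def normalise_attachment_name(filename: str):
    """Lower-case the name, drop '.zip', then the optional prefix and suffix."""
    name = filename.lower()
    if not name.endswith(".zip"):
        return None
    name = name[:-4]
    if name.startswith("error-"):
        name = name[6:]
    if name.endswith("-text"):
        name = name[:-5]
    return name

def suspicious_zip_members(zip_bytes: bytes) -> list:
    """Names of ZIP members that use the space-padded '.txt ... .pif' trick."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if PADDED_PIF_RE.search(n)]
    except zipfile.BadZipFile:
        return []  # not a ZIP at all, so nothing to inspect

def classify_attachment(filename: str, zip_bytes: bytes) -> list:
    """Collect the Sober-N indicators present in one email attachment."""
    reasons = []
    base = normalise_attachment_name(filename)
    if base in SOBER_N_BASENAMES:
        reasons.append(f"attachment name matches Sober-N list: {base}")
    for member in suspicious_zip_members(zip_bytes):
        reasons.append(f"space-padded .pif member: {member!r}")
    return reasons

def build_sample_zip(member_name: str) -> bytes:
    """Constructed sample: an in-memory ZIP holding one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "sample only, no executable content")
    return buf.getvalue()
```

Calling classify_attachment("error-our_secret-Text.zip", build_sample_zip("Winzipped-Text_Data.txt" + " " * 40 + ".pif")) returns both reasons; a ZIP with an ordinary member name and a non-listed attachment name returns none.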

(Figure: a typical email sent by the Sober-N worm.)

W32/Sober-N attempts to disable anti-virus products. When it does so, the worm may display a message box containing the following text:

No Viruses, Trojans or Spyware found!
Status: OK

(Figure: the message box the Sober-N worm can display.)
W32/Sober-N copies itself into the subfolder \Connection Wizard\Status\ of the Windows folder as SMSS.EXE, SERVICES.EXE and CSRSS.EXE, names that mimic legitimate Windows system processes.
W32/Sober-N also creates the following data files:

<Windows folder>\Connection Wizard\Status\packed1.sbr
<Windows folder>\Connection Wizard\Status\packed2.sbr
<Windows folder>\Connection Wizard\Status\packed3.sbr
<Windows folder>\Connection Wizard\Status\sacri1.ggg
<Windows system folder>\adcmmmmq.hjg
<Windows system folder>\langeinf.lin
<Windows system folder>\nonrunso.ber
<Windows system folder>\seppelmx.smx
<Windows system folder>\xcvfpokd.tqa

W32/Sober-N harvests email addresses from files with the following strings in their filenames:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

W32/Sober-N avoids sending email to addresses that contain any of the following strings:

ntp- ntp@ ntp. test@ office @www @from. support smtp- @smtp. gold-certs ftp. .dial. .ppp. anyone subscribe announce @gmetref sql. someone nothing you@ user@ reciver@ somebody secure whatever@ whoever@ anywhere yourname mustermann@ .kundenserver. mailer-daemon variabel password noreply -dav law2 .sul.t- .qmail@ t-ipconnect t-dialin ipt.aol time postmas service freeav @ca. abuse winrar domain. host. viren bitdefender spybot detection ewido. emsisoft linux google @foo. winzip @example. bellcore. @arin mozilla @iana @avp icrosoft. @sophos @panda @kaspers free-av antivir virus verizon. @ikarus. @nai. @messagelab nlpmail01. clock


W32/Sober-N attempts to disable anti-virus products, in particular terminating processes with names containing any of the following strings:

aswclnr
avwin
brfix
fixsob
gcas
gcip
giantanti
guardgui
hijack
inetupd
microsoftanti
nod32
nod32kui
sober
stinger

On terminating a process, the worm displays a message box containing the following text:

No Viruses, Trojans or Spyware found!
Status: OK


W32/Sober-N also attempts to delete files relating to Symantec Live Update.
