Win32.Sober.A@mm (I-worm.Sober; Win32.HLLM.Odin; Win32/Sober.A@mm)
SYMPTOMS:
The presence of the following file:
C:\windows\macromed\help\media.dll

TECHNICAL DESCRIPTION:
The virus arrives as an e-mail with a variable subject, body and attachment name. It is written in Visual Basic 6 and packed with UPX; the packed file is about 64 KB and the unpacked file about 220 KB.

When the virus is executed, a window appears with the text "Error: File not complete!" and a single "OK" button. This is a common virus trick: it fools the user into thinking the file was corrupted and poses no threat. The virus may also display the message "Error: File header is missing or not complete"; in our tests, however, only the first variant seemed to be preferred by the virus.

Meanwhile, in the background, the virus copies itself to the following locations:
C:\windows\system\winlog32.exe
C:\windows\system\systemini.exe
C:\windows\system\similare.exe
Note that these file names are only examples: the virus appears to generate random names when copying itself into the Windows directory. When run multiple times, it almost invariably changes the names of the executables; it carries a table of characters which it seems to use to generate them.

After replicating into the user's system directory, it adds the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system = "c:\windows\system\lsass.exe"
Again, the key name is generated and is not constant. The file name is one of the copies the virus placed in the Windows directory.

The virus runs two or three instances of itself at the same time, each checking whether the other(s) are still running. Killing one instance causes the other(s) to restart it, which makes terminating the processes manually difficult. The instances also periodically check whether the registry key is present and recreate it if it is not.
The file c:\windows\macromed\help\media.dll is used to keep track of the e-mail addresses found on the host computer; these are the addresses the virus sends infected e-mails to. The virus searches the hard disk for files that may contain e-mail addresses (.html files, for example) and adds those addresses to the media.dll file. The virus uses its own SMTP engine.

Subjects used by the virus in the e-mails:
A worm is on your computer!
Advise who I am!
Back At The Funny Farm
Be careful! New mail worm
Ein Wurm ist auf Ihrem Computer!
Hey man, long not see you
Hi darling, what are you doing now?
Hi Olle, lange niks mehr geh
Hi Schnuckel was machst du so ?
I love you (I'm not a virus!)
Ich habe Ihre E-Mail bekommen !
Ich Liebe Dich
I've become your mail!
Jetzt rate mal, wer ich bin !?
Langsam reicht es mir
Neue Sobig Variante (Lesen!!)
Neuer Virus im Umlauf!
New Sobig-Worm variation (please read)
Now, it's enough
Re: Contact
Re: Kontakt
Re: lol
RE: Sex
Sie haben mir einen Wurm geschickt!
Sie versenden Spam Mails (Virus?)
Sorry, Ich habe Ihre Mail bekommen
Sorry, I've become your mail
Surprise
Viurs blocked every PC (Take care!)
Viurs blockiert jeden PC (Vorsicht!)
VORSICHT!!! Neuer Mail Wurm
You have sent me a virus!
You send spam mails (Worm?)
The e-mail attachments:
anti_virusdoc.pif
anti-Sob.bat
Anti-Sob.bat
anti-sob.bat
anti-trojan.exe
AntiTrojan.exe
antitrojan.exe
AntiVirusDoc.pif
antivirusdoc.pif
Bild.scr
bild.scr
check-patch.bat
Check-Patch.bat
CM-recover.com
CM-Recover.com
cm-recover.com
funny.scr
Funny.scr
Hengst.pif
hengst.pif
Liebe.com
liebe.com
little-scr.scr
love.com
Mausi.scr
mausi.scr
nacked.com
NackiDei.com
nackidei.com
nav.pif
Odin_Worm.exe
odin_worm.exe
perversion.scr
Perversionen.scr
perversionen.scr
pic.scr
playme.exe
potency.pif
Privat.exe
privat.exe
private.exe
removal-tool.exe
Removal-Tool.exe
robot_mail.scr
robot_mailer.pif
RobotMailer.com
robotmailer.com
schnitzel.exe
screen_doc.scr
Screen_Doku.scr
screen_doku.scr
security.pif

E-mail example:
Subject: Fwd: Jetzt rate mal, wer ich bin !?
Message:
> > Habe mir extra einen falschen E-Mail Namen zugelegt um es dir nicht zu leicht zu machen!
> > PS:
> War aber nicht meine Idee !
> > Darauf kommst DU nie!!!
> Dafür kenne ich Dich zu gut!!
> Löse das kleine Bilderrätsel und ...
Attachment: Bild.scr

The virus appears to have been created in Germany. It uses both German and English, but it is obvious that English is not the creator's first language.

Removal instructions:
Let BitDefender disinfect/delete the files found infected.

ANALYZED BY: Daniel Ionita, BitDefender Virus Researcher
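As an added defender-side example (not part of the original BitDefender write-up and not the worm's or BitDefender's code), the following Python script applies the subject and attachment indicators listed above to an e-mail message, and checks a Windows root directory for the media.dll address cache named under SYMPTOMS. The sample message, the function names (scan_message, normalize_subject, host_dropper_present) and the prefix-stripping rule are constructed for this example; the subject and attachment strings are the ones in the description.

```python
"""Added example: mail-gateway and host checks for the Sober.A indicators listed above."""
import email
import os
import re
from email import policy

# Subject lines reported for the worm (copied from the list in the description).
SOBER_SUBJECTS = [
    "A worm is on your computer!", "Advise who I am!", "Back At The Funny Farm",
    "Be careful! New mail worm", "Ein Wurm ist auf Ihrem Computer!",
    "Hey man, long not see you", "Hi darling, what are you doing now?",
    "Hi Olle, lange niks mehr geh", "Hi Schnuckel was machst du so ?",
    "I love you (I'm not a virus!)", "Ich habe Ihre E-Mail bekommen !",
    "Ich Liebe Dich", "I've become your mail!", "Jetzt rate mal, wer ich bin !?",
    "Langsam reicht es mir", "Neue Sobig Variante (Lesen!!)", "Neuer Virus im Umlauf!",
    "New Sobig-Worm variation (please read)", "Now, it's enough", "Re: Contact",
    "Re: Kontakt", "Re: lol", "RE: Sex", "Sie haben mir einen Wurm geschickt!",
    "Sie versenden Spam Mails (Virus?)", "Sorry, Ich habe Ihre Mail bekommen",
    "Sorry, I've become your mail", "Surprise", "Viurs blocked every PC (Take care!)",
    "Viurs blockiert jeden PC (Vorsicht!)", "VORSICHT!!! Neuer Mail Wurm",
    "You have sent me a virus!", "You send spam mails (Worm?)",
]

# Attachment names reported for the worm; the case variants collapse under casefold().
SOBER_ATTACHMENTS = [
    "anti_virusdoc.pif", "anti-sob.bat", "anti-trojan.exe", "antitrojan.exe",
    "antivirusdoc.pif", "bild.scr", "check-patch.bat", "cm-recover.com", "funny.scr",
    "hengst.pif", "liebe.com", "little-scr.scr", "love.com", "mausi.scr", "nacked.com",
    "nackidei.com", "nav.pif", "odin_worm.exe", "perversion.scr", "perversionen.scr",
    "pic.scr", "playme.exe", "potency.pif", "privat.exe", "private.exe",
    "removal-tool.exe", "robot_mail.scr", "robot_mailer.pif", "robotmailer.com",
    "schnitzel.exe", "screen_doc.scr", "screen_doku.scr", "security.pif",
]

# Executable attachment types used by the worm; any such attachment is worth a flag.
EXECUTABLE_EXTS = {".pif", ".scr", ".bat", ".com", ".exe"}

# Assumed normalisation: strip reply/forward prefixes (Re:, Fwd:, Fw:, German AW:/WG:)
# before matching, since the worm's own example subject is "Fwd: Jetzt rate mal, ...".
_PREFIX = re.compile(r"^(?:(?:re|fwd?|aw|wg)\s*:\s*)+", re.IGNORECASE)


def normalize_subject(subject: str) -> str:
    """Drop leading reply/forward prefixes and lower-case the subject."""
    return _PREFIX.sub("", subject.strip()).casefold()


_SUBJECTS_NORM = {normalize_subject(s) for s in SOBER_SUBJECTS}
_ATTACHMENTS_NORM = {a.casefold() for a in SOBER_ATTACHMENTS}


def scan_message(raw: bytes) -> dict:
    """Return the Sober.A findings for one RFC 5322 message given as raw bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "") or "")
    findings = []
    if normalize_subject(subject) in _SUBJECTS_NORM:
        findings.append(f"subject matches Sober.A list: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lowered = name.casefold()
        if lowered in _ATTACHMENTS_NORM:
            findings.append(f"attachment name matches Sober.A list: {name}")
        elif os.path.splitext(lowered)[1] in EXECUTABLE_EXTS:
            findings.append(f"executable attachment type: {name}")
    return {"subject": subject, "findings": findings, "suspicious": bool(findings)}


def host_dropper_present(windows_root: str) -> bool:
    """True if the media.dll address cache named under SYMPTOMS exists below windows_root."""
    return os.path.isfile(os.path.join(windows_root, "macromed", "help", "media.dll"))


# Constructed sample message modelled on the e-mail example above (not a real capture).
SAMPLE_MESSAGE = b"""\
From: someone@example.invalid
To: victim@example.invalid
Subject: Fwd: Jetzt rate mal, wer ich bin !?
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sober-demo"

--sober-demo
Content-Type: text/plain; charset="us-ascii"

Loese das kleine Bilderraetsel und ...
--sober-demo
Content-Type: application/octet-stream; name="Bild.scr"
Content-Disposition: attachment; filename="Bild.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--sober-demo--
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_MESSAGE)["findings"]:
        print("FLAG:", finding)
    print("media.dll present:", host_dropper_present(r"C:\windows"))
```

Subject matching alone is a weak signal (a legitimate "Surprise" or "Re: Contact" will also match), so in a gateway rule the attachment findings should carry the weight; the subject list is most useful as supporting evidence. The host check is only a presence test for the one constant path the description gives, since the dropped executables and the Run value name are generated and cannot be matched by a fixed string.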