My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Sober.AD@mm

MEDIUM
LOW
55390 bytes packed

Symptoms

The presence of the WinSecurity directory in the %WINDIR% folder.

The presence in the %WINDIR%\WinSecurity folder of the following files :

  • services.exe  - 55390 bytes
  • smss.exe       - 55390 bytes
  • csrss.exe       - 55390 bytes

The presence in the %WINDIR%\WinSecurity folder of any other file with extension one of the following :

  • .ory
  • .ifo
  • .dli
  • .tro

for example :

  • nexttroj.tro
  • winmem1.ory, … ,winmem%n%.ory where n denotes an integer.
  • mssock1.dli, … ,mssock%n%.dli where n denotes an integer.
  • socket1.ifo, … ,socket%n%.ifo where n denotes an integer.     

Presence of the following key in the Windows Registry :

"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENT VERSION\RUN\ Windows" = C:\WINNT\WinSecurity\services.exe

Removal instructions:

  • Please let BitDefender disinfect your files.
or
  • Use the free removal tool to disinfect your computer (see the link at the top of this page). The tool detects and removes all variants of Sober worm between S and AD.

Analyzed By

BitDefender research lab.

Technical Description:

The virus comes in form of an e-mail with variable subject, body or attachement name. It’s written in Visual Basic 6.

When the virus is launched, an error box appears on the screen, looking like this:


thus leading the victim to belive that the executable contained  an error and everything it’s ok.

 

Then, the virus creates the folder WinSecurity in the %WINDIR% folder and drops the above files in it. It then executes the executable just dropped named

  • %WINDIR%\WinSecurity\services.exe

Then executes

  • %WINDIR%\WinSecurity\smss.exe

 and finally

  • %WINDIR%\WinSecurity\crss.exe

Each of these processes play a specific role :

  • crss.exe examines if the registry key
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENT VERSION\RUN\ Windows = C:\WINNT\WinSecurity\services.exe

has been deleted and rewrites it if this is the case

  • services.exe starts searching the victim’s folders for files containing e-mail addresses on wich to propagate.

Files with the following extension are scanned:

stm slk inbox imb csv bak imh x

html imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin

ldb abc pst cfg mdw mbx mdx mda

adp nab fdb vap dsp ade sln dsw

mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl

rtf mmf doc ods nch xls nsf txt

wab eml hlp mht nfo .OK

pmr phtm stm slk inbox imb csv

bak imh xhtml imm imh cms nws

vcf ctl dhtm cgi pp ppt msg jsp

 oft vbs uin ldb abc pst cfg mdw

mbx mdx mda adp nab fdb vap dsp

ade sln dsw mde frm bas adr cls

ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch

 xls nsf txt wab eml hlp mht nfo

php asp shtml db        


It creates the registry key

HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENT VERSION\RUN\

Windows = C:\WINNT\WinSecurity\services.exe

in order to assure it will be run at every OS startup. If this key is deleted from the registry while the virus is running in memory, it will try to put it back, having a dedicated thread to do this job.

 
The virus tries to download a file from the Internet and run it:

  • http://home.pages.at/.../S??.exe

 

The worm implements it’s own SMTP engine for spreading via e-mail.


The possible mail subject includes one of the following :

  •  Ihr Passwort
  • Account Information
  • SMTP Mail gescheitert
  • Mailzustellung wurde unterbrochen
  • Ermittl ungsverf ahren wurde eing eleitet.
  • Sie besitzen Rau bkopien
  • RTL: Werwird Millionaer
  • Sehr ge ehrter EbayKunde
  • I’m afraid I was not able to deliver your message
  • SMTP Error
  • Your Password
  • Registration Confirmation
  • smtp mail failed
  • Mail delivery failed
  • hi  , ive a   new mail  address 
  • You visit illegal websites
  • Your IP was  logged
  • Paris Hilton & Nicole Richie

 

The possible mail content includes one of the following :

 

  • “Ihre Nut  zungsdat  en wurden erfolg  reich ge  aendert.   Details entnehm en Sie bitte dem   Anhang”
  • “This is an automatically generated Delivery Status Notification. SMTP Error []  I’m afraid I wasn’t able to deliver your message. This is a permanent error; I’ve given up.  Sorry it didn’t work out. The full mail text and header is attached”.
  • das Herunterladen von Filmen, Software und MP3s.  ist ille gal und  somit strafbar”
  •  “Bei uns wurde ein neues Benutzerkonto mit dem Namen  beantragt. Um das Konto einzurichten, benoetigen wir eine Bestaetigung, dass die bei der Anmeldung angegebene e-Mail-Adresse stimmt. Ihr Ebay-Team@Ebay.com Ebay Bitte senden Sie zur Bestaetigung den ausgefuellten Anhang an uns zurueck.Wir richten Ihr Benutzerkonto gleich nach Einlangen der Bestaetigung ein und verstaendigen Sie dann per e-Mail, sobald Sie Ihr Konto benutzen koennen. Vielen Dank,”

 

The virus also spoofs the sender’s domain address, wich will appear to originate from one of the following domains

  • microsoft.com, bigfoot.com, yahoo.com, t-online.de, google.com, hotmail.com., mx1.mail.yahoo,  mxbw.bluewin.ch etc.

The virus then searches list of active processes for process names from the list below :

  • microsoftanti
  • gcas
  • gcip
  • giantanti
  • inetupd.
  • nod32kui
  • nod32.
  • fxsbr
  • avwin.
  • guardgui.
  • aswclnr
  • stinger
  • hijack

and tries to kill them.

 

If any removal tool is running, in order to detect the presence of Sober, the worm will close it, and display the following message, like it would be a message from the removal tool:


For Win XP operating systems, the virus also tries to patch the tcpip.sys driver to allow it to open a virtually  unlimited number of connections from the victim’s computer (since in Windows XP SP2  the number of simultaneously open connections from a host is restricted). This may result in asking the user to restart his computer in order for the patch to take effect.