WORM_SOBER.AC
Also known as: CME-151
Overview

Malware type: Worm

Aliases: Trojan-Dropper.Win32.VB.iw (Kaspersky), W32.Sober.Q@mm (Symantec), W32/Sober.R@dr (not disinfectable) (F-Prot), W32/Sober-P (Sophos)

In the wild: Yes

Destructive: Yes

Language: English, German

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

As of October 6, 2005, 5:52 am, TrendLabs has declared a Medium risk alert in order to control this new SOBER variant, which is currently spreading in the USA, Japan, and Germany.

For a comprehensive at-a-glance view of this worm's behavior, refer to the Behavior Diagram shown below.

WORM_SOBER.AC Behavior Diagram

Malware Overview

This worm propagates via email messages. It uses its own SMTP engine to send a copy of itself as an attachment to target email addresses. This routine ensures that this worm is not dependent on any application installed on the system to perform its mailing routine. This also ensures that the mailing routine remains transparent to the user, such that affected users may not be aware that email messages are being sent from their machines.
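Because the worm carries its own SMTP engine, an infected workstation talks TCP/25 directly to many remote mail hosts instead of submitting mail through the site's relay. The following is an added detection example, not code from Trend Micro or from this advisory; it assumes a simple constructed outbound-connection log format ("timestamp src_ip src_port dst_ip dst_port") and a hypothetical relay address of 10.0.0.2.

```python
import re
from collections import defaultdict

# Constructed sample of outbound-connection log lines (not from the advisory):
# "timestamp src_ip src_port dst_ip dst_port". 10.0.0.2 is the assumed mail relay.
SAMPLE_LOG = """\
2005-10-06T05:40:01 10.0.0.5 1034 192.0.2.10 25
2005-10-06T05:40:02 10.0.0.5 1035 192.0.2.11 25
2005-10-06T05:40:02 10.0.0.5 1036 198.51.100.7 25
2005-10-06T05:40:03 10.0.0.5 1037 203.0.113.3 25
2005-10-06T05:40:05 10.0.0.2 2201 192.0.2.10 25
2005-10-06T05:40:06 10.0.0.2 2202 198.51.100.7 25
2005-10-06T05:40:07 10.0.0.7 1101 10.0.0.2 25
2005-10-06T05:40:08 10.0.0.7 1102 192.0.2.10 80
2005-10-06T05:40:09 10.0.0.9 1500 192.0.2.10 25
this line is not a log record
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")


def parse_records(text):
    """Yield (src_ip, dst_ip, dst_port) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(4), int(m.group(5))


def find_direct_smtp_senders(text, relays, min_destinations=3):
    """Return {src_ip: sorted distinct SMTP destinations} for hosts that are not
    known relays and that contacted at least min_destinations distinct non-relay
    hosts on TCP/25. A workstation doing this behaves like a mass-mailer with
    its own SMTP engine rather than a client submitting mail through the relay."""
    seen = defaultdict(set)
    for src, dst, port in parse_records(text):
        if port != 25 or src in relays or dst in relays:
            continue  # not SMTP, or legitimate relay traffic in either direction
        seen[src].add(dst)
    return {src: sorted(dsts) for src, dsts in seen.items()
            if len(dsts) >= min_destinations}


if __name__ == "__main__":
    for host, dsts in find_direct_smtp_senders(SAMPLE_LOG, {"10.0.0.2"}).items():
        print(f"{host}: direct SMTP to {len(dsts)} hosts: {', '.join(dsts)}")
```

On the sample log only 10.0.0.5 is flagged; 10.0.0.9 made a single direct connection and stays below the threshold, which is the knob to tune against the site's normal traffic.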

It gathers the said addresses from files with certain extensions on an affected system. Most files with these extensions are related to Web pages visited by the affected user. This worm searches these files under the assumption that visited Web pages may contain text strings that refer to email addresses.

The image below is a sample of the email messages that this worm sends out:

(Note: This worm can also send email messages in German.)

Upon execution, it displays the following error message, which may mislead affected users into thinking that the file is corrupted and therefore performs no malicious routine:

It terminates the originally executed file, and control passes to a dropped copy. It then displays the following error message:

This worm performs antivirus retaliation by searching the affected system's process list for MRT.EXE. When found, it displays the following fake message in order to trick users into thinking that no viruses or other malware have been found on the machine:

Upon display of the said message, the process MRT.EXE is terminated.

(Note: MRT.EXE is the process for the Microsoft Windows Malicious Software Removal Tool.)

This worm employs the same routine when terminating an active LiveUpdate RAS connection, which is used by an antivirus application to download virus pattern updates. When one is found, this worm terminates the connection and displays the following fake message:

Thank you for using LiveUpdate. All of the Symantec
products and components are currently up-to-date.

Otherwise, it displays the following message:

No Connection!

It also drops a number of files, which aid its mass-mailing routine. The said routine consumes bandwidth that can slow down an affected network's processes.

In addition, on systems running Windows XP Service Pack 2, this worm prevents the affected system from connecting to a network. The said action greatly limits the system's capabilities and further renders the said system vulnerable to this worm's malicious routines.

For additional information about this threat, see:
Solution
Technical Details

Description created: Oct. 5, 2005 5:00:32 PM GMT -0800
