Description:
As of November 21, 2005, 2:20 pm (Pacific Standard Time, GMT -8:00), TrendLabs has declared a Medium risk alert for this new SOBER variant, which is currently spreading in the United States, Canada, Brazil, New Zealand, Belgium, and Germany.
For an at-a-glance view of this worm's behavior, refer to the Behavior Diagram shown below.
Malware Overview
This memory-resident worm propagates by attaching a copy of itself to email messages, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Because the worm sends mail by itself rather than through the user's mail client, affected users are often unaware that their machines are sending out these messages.
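A worm that carries its own SMTP engine talks to remote mail servers directly on TCP/25 instead of handing mail to the site's relay, so a workstation suddenly opening SMTP connections to many distinct destinations is the network-side symptom of the behavior described above. The following Python script is an added example, not part of this Trend Micro description; it flags such hosts in a small set of constructed flow records. The relay address and the fan-out threshold are assumptions for illustration.

```python
from collections import defaultdict

# Constructed flow records for illustration (timestamp src dst dst_port);
# they are not real telemetry from an infected host.
SAMPLE_FLOWS = """
2005-11-21T14:20:01 10.0.0.15 203.0.113.10 25
2005-11-21T14:20:02 10.0.0.15 203.0.113.11 25
2005-11-21T14:20:02 10.0.0.15 198.51.100.7 25
2005-11-21T14:20:03 10.0.0.15 198.51.100.8 25
2005-11-21T14:20:04 10.0.0.15 192.0.2.30 25
2005-11-21T14:20:05 10.0.0.15 192.0.2.31 25
2005-11-21T14:20:06 10.0.0.22 10.0.0.5 25
2005-11-21T14:20:07 10.0.0.22 203.0.113.50 80
2005-11-21T14:20:08 10.0.0.5 203.0.113.10 25
2005-11-21T14:20:09 10.0.0.5 198.51.100.7 25
2005-11-21T14:20:10 10.0.0.5 192.0.2.30 25
2005-11-21T14:20:11 10.0.0.5 192.0.2.31 25
2005-11-21T14:20:12 10.0.0.5 192.0.2.32 25
"""

# Assumed: the site's sanctioned outbound mail relay. Hypothetical address;
# a real deployment would load this from the mail team's inventory.
MAIL_RELAYS = {"10.0.0.5"}


def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, src, dst, port) tuples."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip a malformed line rather than abort the whole batch
        ts, src, dst, port = parts
        flows.append((ts, src, dst, int(port)))
    return flows


def direct_smtp_senders(flows, threshold=5, relays=MAIL_RELAYS):
    """Return {src: sorted destinations} for hosts that opened SMTP (TCP/25)
    to at least `threshold` distinct destinations and are not a known relay.
    Counting distinct destinations rather than raw connections keeps a
    single retried delivery from tripping the rule."""
    fanout = defaultdict(set)
    for _ts, src, dst, port in flows:
        if port == 25 and src not in relays:
            fanout[src].add(dst)
    return {src: sorted(dsts) for src, dsts in fanout.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for host, dsts in direct_smtp_senders(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: direct SMTP to {len(dsts)} destinations, e.g. {dsts[:3]}")
```

On the constructed data only 10.0.0.15 is reported: 10.0.0.22 sends through the relay, and the relay itself is exempt. The same rule is the reason many sites block outbound TCP/25 from workstations altogether and allow it only from the relay.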
The email messages it sends out may be written in English or in German. Below is a sample of the email message it sends:
Like other mass-mailers, this worm uses social engineering, such as promises of celebrity pictures or alerts about alleged illicit behavior, to entice users into opening the worm copy attached to the messages it sends. Specifically, some of the email messages spoof the Federal Bureau of Investigation (FBI) or the Central Intelligence Agency (CIA), claiming that the agency has found evidence that the user visited illegal Web sites. Similarly, one of the German email messages spoofs the Bundeskriminalamt (the German Federal Criminal Police Office) and threatens legal action over the user's alleged downloads of films, software, and MP3 files.
This worm also displays the following fake error message so that the user believes the attachment failed to run:
It also displays the following message boxes:
This worm also terminates processes whose names contain certain strings. In addition, it searches the process list of the affected system for mrt.exe, the Microsoft Windows Malicious Software Removal Tool. If found, it terminates that process, which hampers detection and cleanup and leaves the system more exposed to further malicious activity.
This worm has a download routine that becomes active after January 5, 2006. It connects to certain URLs that are generated by the malware code from the current date, so the exact URLs depend on the day the routine runs.
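Killing mrt.exe and other security-tool processes leaves a host-side trace: a process-termination event in which the victim is a security tool and the actor is some other process. The following Python script is an added example, not part of this Trend Micro description, that applies that check to a few constructed process-termination records. The watch list of substrings is an assumption for illustration; the page does not disclose the worm's actual string list, and the record format is invented for the example.

```python
import ntpath
from collections import Counter

# Constructed process-termination events for illustration
# (timestamp|actor path|terminated path); not real Windows event log records.
SAMPLE_EVENTS = r"""
2005-11-21T14:21:03|C:\WINDOWS\services.exe|C:\WINDOWS\system32\mrt.exe
2005-11-21T14:21:04|C:\WINDOWS\services.exe|C:\Program Files\AV\avguard.exe
2005-11-21T14:25:00|C:\WINDOWS\explorer.exe|C:\Program Files\Editor\edit.exe
2005-11-21T14:26:10|C:\WINDOWS\system32\mrt.exe|C:\WINDOWS\system32\mrt.exe
"""

# Assumed watch list (hypothetical): substrings of process names the worm
# is expected to target. mrt.exe is the one the description names.
WATCH_STRINGS = ("mrt.exe", "avguard")


def parse_events(text):
    """Parse pipe-separated lines into (ts, actor_path, killed_path) tuples."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split("|")
        if len(parts) != 3:
            continue  # ignore malformed records
        events.append(tuple(parts))
    return events


def suspicious_kills(events, watch=WATCH_STRINGS):
    """Return (ts, actor_name, killed_name) for terminations of watched
    processes by a different process. A watched process exiting on its own
    (actor == killed) is normal and is not flagged."""
    hits = []
    for ts, actor, killed in events:
        if actor.lower() == killed.lower():
            continue
        killed_name = ntpath.basename(killed).lower()
        if any(s in killed_name for s in watch):
            hits.append((ts, ntpath.basename(actor).lower(), killed_name))
    return hits


def repeat_killers(hits, minimum=2):
    """Actors that terminated at least `minimum` watched processes; a single
    process killing several security tools is the worm's signature here."""
    counts = Counter(actor for _ts, actor, _killed in hits)
    return {actor: n for actor, n in counts.items() if n >= minimum}


if __name__ == "__main__":
    found = suspicious_kills(parse_events(SAMPLE_EVENTS))
    for ts, actor, killed in found:
        print(f"{ts}: {actor} terminated {killed}")
    print("repeat offenders:", repeat_killers(found))
```

On the constructed data the two terminations by services.exe are flagged and services.exe is reported as a repeat offender, while the editor closed by explorer.exe and mrt.exe's own exit are not. In practice the actor path would be checked against the expected system binary as well, since the worm runs under a name of its own choosing.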
For additional information about this threat, see the Solution and Technical Details pages.
Description created: Nov. 21, 2005 11:54:48 AM GMT -0800