WORM_SOBER.AX
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.Sober.aa (Kaspersky), W32/Sober.gen@MM (McAfee), W32.Sober.AA@mm (Symantec), Worm/Sober.AB (Avira), W32/Sober-AD (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Infection Channel 1: Propagates via email


Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

WORM_SOBER.AX Behavior Diagram

Malware Overview

This worm propagates via email. It sends a copy of itself as an attachment to email messages, which it sends using its own Simple Mail Transfer Protocol (SMTP) engine. Having its own SMTP engine allows this worm to send copies of itself without using any email application, such as MS Outlook. It attempts to connect to certain SMTP servers to send its messages.

Sample details of the email message it sends are found below:

From: Admin@aol.de

Subject: Your Updated Password!

Message body:
You notified us that you have forgotten your password.
We have changed your password to a random sequence of letters and digits!
For more detailed information, see the attached password file ...

***** Web: http://www.{target domain}
***** E-Mail: {target email address}

Attachment: Passw_Data.zip

(Note: Target domain is the domain name of the target email address that this worm gathers.)

The email message it sends may be in either German or English. It gathers target addresses from files with certain extensions on the infected system. It avoids sending its messages to addresses that contain certain strings, usually ones associated with antivirus and security companies; keeping samples away from those companies delays detection of the worm and, consequently, its removal.
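The lure above has a fixed shape (an "Admin@" sender, the password-reset subject and body text, a footer that echoes the recipient's own domain, and a Passw_Data.zip attachment), which is enough for a mail-filter rule. The following is an added example, not code from Trend Micro or from the worm: it parses raw messages with Python's standard email library and reports which of those indicators are present. The two sample messages are constructed here for illustration; the "attachment" is placeholder bytes, not a real sample.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the sample message in the entry above.
LURE_SUBJECT = "your updated password!"
LURE_ATTACHMENT = "passw_data.zip"
LURE_PHRASES = (
    "you notified us that you have forgotten your password",
    "we have changed your password to a random sequence",
)
FOOTER_RE = re.compile(r"\*{5}\s*Web:\s*http://www\.([\w.-]+)", re.I)


def sober_ax_indicators(raw: bytes) -> list[str]:
    """Return the names of the Sober.AX lure indicators found in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[str] = []

    _, sender = parseaddr(str(msg.get("From", "")))
    if sender.lower().startswith("admin@"):
        hits.append("admin-sender")

    if str(msg.get("Subject", "")).strip().lower() == LURE_SUBJECT:
        hits.append("lure-subject")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if all(phrase in text for phrase in LURE_PHRASES):
        hits.append("lure-body")

    # The worm builds the footer from the harvested address, so the footer
    # domain matches the recipient's domain rather than the sender's.
    _, rcpt = parseaddr(str(msg.get("To", "")))
    m = FOOTER_RE.search(text)
    if m and "@" in rcpt and m.group(1).lower() == rcpt.split("@", 1)[1].lower():
        hits.append("footer-echoes-recipient-domain")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == LURE_ATTACHMENT:
            hits.append("lure-attachment")
        elif name.endswith(".zip"):
            hits.append("zip-attachment")
    return hits


def is_sober_ax_lure(raw: bytes, threshold: int = 3) -> bool:
    """Flag a message when at least `threshold` indicators co-occur (assumed cutoff)."""
    return len(sober_ax_indicators(raw)) >= threshold


def build_sample(to_addr: str, lure: bool) -> bytes:
    """Construct a test message: the Sober.AX lure, or a benign password notice."""
    msg = EmailMessage()
    msg["To"] = to_addr
    domain = to_addr.split("@", 1)[1]
    if lure:
        msg["From"] = "Admin@aol.de"
        msg["Subject"] = "Your Updated Password!"
        msg.set_content(
            "You notified us that you have forgotten your password.\n"
            "We have changed your password to a random sequence of letters and digits!\n"
            "For more detailed information, see the attached password file ...\n\n"
            f"***** Web: http://www.{domain}\n"
            f"***** E-Mail: {to_addr}\n"
        )
        # Constructed placeholder bytes; a real message carries the worm binary.
        msg.add_attachment(b"PK\x03\x04constructed-placeholder",
                           maintype="application", subtype="zip",
                           filename="Passw_Data.zip")
    else:
        msg["From"] = "helpdesk@example.org"
        msg["Subject"] = "Password reset confirmation"
        msg.set_content("Your password was reset at your request. No attachment follows.\n")
    return bytes(msg)


if __name__ == "__main__":
    for label, flag in (("lure", True), ("benign", False)):
        raw = build_sample("user@example.com", lure=flag)
        print(label, sober_ax_indicators(raw), is_sober_ax_lure(raw))
```

The footer check is the one worth keeping even after the text of the lure changes: a footer that repeats the recipient's own domain is a direct trace of the address-harvesting routine, whereas subjects and file names vary between Sober variants.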

It drops copies of itself using the file names of legitimate Windows files, so that a user inspecting the running processes sees what appear to be legitimate system files. The file name alone is therefore not a reliable indicator; the path the copy runs from is what distinguishes it from the real system file.

On Windows XP with Service Pack 2, it modifies the legitimate system file TCPIP.SYS, the kernel driver that provides the system's TCP/IP networking. The said action slows down system performance. Because the modified driver no longer matches the signed Microsoft original, checking the file's signature or running the Windows File Checker (sfc /scannow) will reveal the change and restore the original file.

It also displays fake message boxes, terminates antivirus-related processes, and connects to certain Web sites to download files that may be malicious.


Description created: May. 1, 2007 11:37:04 PM GMT -0800
