Description:
As of March 7, 2005 10:12:23 AM Pacific Standard Time (GMT -08:00), TrendLabs has received several infection reports of a new SOBER variant spreading via email in Germany.
This memory-resident mass mailing worm arrives as an email attachment.
Upon execution, it drops a copy of itself as the following file:
%Windows%\msagent\system\smss.exe
(Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)
It also drops the following files:
- %System%\nonrunso.ber - a worm log file
- %System%\read.me
- %System%\stopruns.zhz - a worm log file
- %System%\xcvfpokd.tqa - a worm log file
- %Windows%\msagent\system\emdata.mmx - holds gathered email addresses
- %Windows%\msagent\system\zipzip.zab - Base64-encoded copy of the worm
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)
READ.ME is a normal text file that contains the following strings:
test test test
In diesem Sinne:
Odin alias Anon
This worm arrives via email with the following details:
Email 2 :
Subject: Ich habe Ihre E-Mail bekommen!
Mail body:
Hallo,
jemand schickt ihre privaten Mails auf meinem Account.
Ich schaetze mal, das es ein Fehler vom Provider ist.
Insgesamt waren es jetzt schon 6 Mails!
Ich habe alle Mail-Texte im Texteditor kopiert und gezippt.
Wenn es doch kein Fehler vom Provider ist, sorge dafuer das diese
Dinger nicht mehr auf meinem Account landen, es Nervt naemlich.
Gruss
Attachment: MailTexte.zip
Email 2 :
Subject: Your Password & Account number
Mail body:
i've got an admin mail with a Password and Account info!
but the mail recipient are you! it's probably an esmtp error, i think.
i've copied the full mail text in the Windows text-editor & zipped.
ok, cya...
Attachment: acc_text.zip
File name of attachment when extracted:
Mail_text-data.txt.pif
However, it avoids sending email to addresses with certain strings.
The worm terminates processes containing the following strings:
- gcas
- gcip
- giantanti
- hijackthis
- stinger
It may display the following text file using Notepad:
Description created: Mar. 7, 2005 10:13:42 AM GMT -0800
Description updated: Mar. 7, 2005 11:22:57 AM GMT -0800