Trojan.Ascetic.A

Risk Level 1: Very Low


Discovered: June 11, 2004
Updated: June 11, 2004 6:32:38 PM
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000

Trojan.Ascetic.A is a trojan that uses its own SMTP engine to send political messages to e-mail addresses it gathers from various locations on a compromised system.

Addresses are gathered from files with the following extensions on all the fixed drives:
.pmr
.stm
.slk
.inbox
.imb
.csv
.bak
.imh
.xhtml
.imm
.imh
.cms
.nws
.vcf
.ctl
.dhtm
.cgi
.pp
.ppt
.msg
.jsp
.oft
.vbs
.uin
.ldb
.abc
.pst
.cfg
.mdw
.mbx
.mdx
.mda
.adp
.nab
.fdb
.vap
.dsp
.ade
.sln
.dsw
.mde
.frm
.bas
.adr
.cls
.ini
.ldif
.log
.mdb
.xml
.wsh
.tbb
.abx
.abd
.adb
.pl
.rtf
.mmf
.doc
.ods
.nch
.xls
.nsf
.txt
.wab
.eml
.hlp
.mht
.nfo
.php
.asp
.shtml
.dbx

The trojan skips the email addresses that contain the following substrings:
office
@www
@from.
smtp-
@smtp.
gold-certs
ftp.
.dial.
.ppp.
anyone
subscribe
mantec
announce
@gmetref
sql.
someone
nothing
you@
user@
reciver@
somebody
secure
msdn.
me@
whatever@
whoever@
anywhere
yourname
mustermann@
.kundenserver.
mailer-daemon
variabel
-dav
law2
.sul.t-
.qmail@
t-ipconnect
t-dialin
ipt.aol
time
freeav
@ca.
abuse
winrar
domain.
host.
viren
bitdefender
spybot
detection
icrosoft
ewido.
emsisoft
@foo.
winzip
@example.
bellcore.
@arin
mozilla
@iana
@avp
@msn
@sophos
@panda
@kaspers
free-av
antivir
virus
verizon.
@ikarus.
@nai.
@messagelab
nlpmail01.
clock

The email addresses gathered by the trojan are stored in the following files:
%System%\llsapwin32.dats
%System%\mswn32sock.dats

The trojan then sends an email message containing a political statement to the addresses in the above files. It does not attach its executable file to these messages.

It creates a copy of itself in the Windows System directory using a filename composed from the following strings with a .exe extension:
sys
host
dir
expolrer
win
run
log
32
disc
crypt
data
diag
spool
service
smss32

It then creates the following registry entries so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random value> = %System%\<random filename>

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random value> = %System%\<random filename>.exe

<random value> is one of the following:
sys
host
dir
expolrer
win
run
log
32
disc
crypt
data
diag
spool
service
smss32

The following zero-byte files are created in order to deactivate previous versions of Sober if they are running on the system:
%System%\bcegfds.lll
%System%\zhcarxxi.vvx
%System%\cvqaikxt.apk
%System%\Odin-Anon.Ger

The trojan also attempts to download a file from the following web site:
people.freenet.de

Then the file is saved as %System%\winhlpx32ll.exe and executed.
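The following triage script is an added example and is not part of this writeup or of any vendor tool. It turns the indicators listed above (the Run-key value names and token-composed filenames, the two .dats address stores, the four zero-byte Sober-deactivation markers and the downloaded winhlpx32ll.exe) into checks that can be run over exported Run entries and a file listing. It assumes %System% expands to C:\WINDOWS\system32 and runs against constructed sample data embedded in the block; the names SYSTEM_DIR, SAMPLE_RUN_ENTRIES and SAMPLE_FILES are assumptions, not values from the writeup.

```python
"""Triage helper for the Trojan.Ascetic.A indicators (added example, not vendor code)."""
import ntpath  # Windows path handling that also works when the script runs on Linux
from functools import lru_cache
from typing import Iterable, List, Optional, Tuple

# Strings the writeup says the dropped filename and the Run value name are built from.
NAME_TOKENS = ("sys", "host", "dir", "expolrer", "win", "run", "log", "32",
               "disc", "crypt", "data", "diag", "spool", "service", "smss32")

# Files named in the writeup, compared case-insensitively.
MARKER_FILES = {"bcegfds.lll", "zhcarxxi.vvx", "cvqaikxt.apk", "odin-anon.ger"}
HARVEST_FILES = {"llsapwin32.dats", "mswn32sock.dats"}
DOWNLOAD_FILE = "winhlpx32ll.exe"

HKLM_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_KEYS = {HKLM_RUN, HKCU_RUN}

SYSTEM_DIR = r"C:\WINDOWS\system32"  # assumed expansion of %System%


@lru_cache(maxsize=None)
def is_token_composed(stem: str) -> bool:
    """True if a lower-case filename stem splits entirely into NAME_TOKENS."""
    if stem == "":
        return True
    return any(stem.startswith(t) and is_token_composed(stem[len(t):])
               for t in NAME_TOKENS)


def suspicious_run_entry(key: str, name: str, value: str) -> bool:
    """Match the persistence pattern: token value name, %System%\\<tokens>[.exe] data."""
    if key not in RUN_KEYS or name.lower() not in NAME_TOKENS:
        return False
    directory, filename = ntpath.split(value.strip('"'))
    if directory.lower() != SYSTEM_DIR.lower():
        return False
    stem, ext = ntpath.splitext(filename.lower())
    # The HKLM entry in the writeup has no .exe suffix, the HKCU entry does.
    if ext not in ("", ".exe"):
        return False
    return bool(stem) and is_token_composed(stem)


def suspicious_file(path: str) -> Optional[str]:
    """Return a reason string if the path is one of the writeup's file indicators."""
    directory, filename = ntpath.split(path)
    if directory.lower() != SYSTEM_DIR.lower():
        return None
    name = filename.lower()
    if name in MARKER_FILES:
        return "Sober-deactivation marker"
    if name in HARVEST_FILES:
        return "harvested-address store"
    if name == DOWNLOAD_FILE:
        return "downloaded payload filename"
    return None


def triage(run_entries: Iterable[Tuple[str, str, str]], files: Iterable[str]) -> List[str]:
    """Collect findings over (key, value name, value data) tuples and file paths."""
    findings = []
    for key, name, value in run_entries:
        if suspicious_run_entry(key, name, value):
            findings.append(f"run entry {key}\\{name} = {value}")
    for path in files:
        reason = suspicious_file(path)
        if reason:
            findings.append(f"file {path} ({reason})")
    return findings


# Constructed sample input standing in for a registry export and a directory listing.
SAMPLE_RUN_ENTRIES = [
    (HKLM_RUN, "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),   # benign: name is not a token
    (HKCU_RUN, "win", r"C:\WINDOWS\system32\dirhost32.exe"),    # matches the writeup's pattern
    (HKLM_RUN, "log", r"C:\Program Files\Tool\syslog.exe"),     # token name, but not in %System%
]
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\bcegfds.lll",
    r"C:\WINDOWS\system32\mswn32sock.dats",
    r"C:\WINDOWS\system32\kernel32.dll",
]

if __name__ == "__main__":
    for line in triage(SAMPLE_RUN_ENTRIES, SAMPLE_FILES):
        print(line)
```

The token decomposition deliberately errs toward flagging: a name like syslog.exe under %System% with a token-named Run value would be reported for review, while a benign name such as explorer.exe never decomposes into the listed tokens (the trojan's list contains the misspelling expolrer, not explorer). Feeding the script real data means exporting the two Run keys and listing %System%, then passing those to triage().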
