
W32.Sober.K@mm

Risk Level 2: Low

Discovered:
February 20, 2005
Updated:
February 13, 2007 12:33:47 PM
Also Known As:
Sober.K [Computer Associates], Sober.K [F-Secure], Email-Worm.Win32.Sober.k [Kaspersky], W32/Sober.l@MM [McAfee], W32/Sober.K@mm [Norman], Sober.M [Panda Software], W32/Sober-K [Sophos], WORM_SOBER.K [Trend Micro]
Type:
Worm
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When W32.Sober.K@mm is executed, it performs the following actions:
  1. Creates the following files:

    • %Windir%\msagent\win32\smss.exe
    • %Windir%\msagent\win32\winlogon.exe
    • %Windir%\msagent\win32\csrss.exe

      Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  2. Adds the value:

    " winsystem.sys" = "%Windir%\msagent\win32\smss.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the worm is executed every time Windows starts.

  3. Adds the value:

    "_winsystem.sys" = "%Windir%\msagent\win32\smss.exe"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    so that the worm is executed every time Windows starts.

  4. Creates a text file called %Temp%\1.txt, which is not malicious (it is a decoy). The worm opens the text file in Notepad and displays the following text:

    Text#674326
    -----------
    --------------------- %WinZip CodeText Modul% is missing  ------------------
    an4Msmyaoq5PwFuQLJtl075owaVGwlJd0zSDZZPF3hcYNE3TmcMDYMzb6dM0ndslxIsDWJOiTbN9
    Ta7cF8UDSF9rkk3TNIeVwxPGpGma5hgmNEnBNIMsBwLHBBsd0jRN0zBFU4LAkGbZDO5ByG/C0zTN
    ci/JPk107O3Dy0z4ABRAn6PNG+zck8uzzarNgBSbB8zKaZZNt9MD4T7Lm6vLZpCmzen7CcwVa5bN
    ILIvzUxyVzkZk6aQnFet0G7TnD210G/wJj7O2zRN03QDU7bI1NkM5jaD8gfPbwMc0zQD0iEvRlIg

    ...

    Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

  5. Checks for network connectivity by contacting a time server on TCP port 37 (the RFC 868 Time protocol, which the original writeup calls NTP; NTP itself uses UDP port 123), or by connecting to one of the following domains:

    • microsoft.com
    • bigfoot.com
    • yahoo.com
    • t-online.de
    • google.com
    • hotmail.com

  6. Creates the following files:

    • %Windir%\msagent\win32\zipedso1.ber
    • %Windir%\msagent\win32\zipedso2.ber
    • %Windir%\msagent\win32\zipedso3.ber
    • %Windir%\msagent\win32\datamx1.dat
    • %Windir%\msagent\win32\datamx2.dat
    • %Windir%\msagent\win32\datamx3.dat
    • %Windir%\msagent\win32\GoTo1.dat
    • %Windir%\msagent\win32\GoTo2.dat
    • %Windir%\msagent\win32\GoTo3.dat
    • %Windir%\msagent\win32\runnowso.ber
    • %Windir%\msagent\win32\[random letters].ano
    • %Windir%\System32\nonrunso.ber
    • %Windir%\System32\stopruns.zhz
    • %Windir%\System32\read.me

  7. Attempts to dial any available dial-up connection if the computer does not currently have an active Internet connection.

  8. Displays the following fake error message:

    Winsock 2.0 Error
    STOP:0x10020AF {Unknown_blocking}
    Possible Reason: Your "Firewall" is blocking one or more System files
    Check the "Winsock Error Log File" on: C:\WinsockError_log.txt


  9. Creates the file C:\WinsockError_log.txt, which contains fake error logs.

  10. Gathers email addresses from files with the following extensions:

    • .abc
    • .abd
    • .abx
    • .adb
    • .ade
    • .adp
    • .adr
    • .asp
    • .bak
    • .bas
    • .cfg
    • .cgi
    • .cls
    • .cms
    • .csv
    • .ctl
    • .dbx
    • .dhtm
    • .doc
    • .dsp
    • .dsw
    • .eml
    • .fdb
    • .frm
    • .hlp
    • .imb
    • .imh
    • .imm
    • .inbox
    • .ini
    • .jsp
    • .ldb
    • .ldif
    • .log
    • .mbx
    • .mda
    • .mdb
    • .mde
    • .mdw
    • .mdx
    • .mht
    • .mmf
    • .msg
    • .nab
    • .nch
    • .nfo
    • .nsf
    • .nws
    • .ods
    • .oft
    • .php
    • .phtm
    • .pl
    • .pmr
    • .pp
    • .ppt
    • .pst
    • .rtf
    • .shtml
    • .slk
    • .sln
    • .stm
    • .tbb
    • .txt
    • .uin
    • .vap
    • .vbs
    • .vcf
    • .wab
    • .wsh
    • .xhtml
    • .xls
    • .xml

      The worm avoids sending itself to email addresses containing the following strings:

    • .dial.
    • .kundenserver.
    • .ppp.
    • .qmail@
    • .sul.t-
    • @arin
    • @avp
    • @ca.
    • @example.
    • @foo.
    • @from.
    • @gmetref
    • @iana
    • @ikarus.
    • @kaspers
    • @messagelab
    • @nai.
    • @panda
    • @smtp.
    • @sophos
    • @www
    • abuse
    • announce
    • antivir
    • anyone
    • anywhere
    • bellcore.
    • bitdefender
    • clock
    • detection
    • domain.
    • emsisoft
    • ewido.
    • free-av
    • freeav
    • ftp.
    • gold-certs
    • google
    • host.
    • iana-
    • iana@
    • icrosoft.
    • info@
    • ipt.aol
    • law2
    • linux
    • mailer-daemon
    • mozilla
    • mustermann@
    • nlpmail01.
    • noreply
    • nothing
    • ntp.
    • ntp-
    • ntp@
    • reciver@
    • secure
    • smtp-
    • somebody
    • someone
    • spybot
    • sql.
    • subscribe
    • support
    • t-dialin
    • t-ipconnect
    • test@
    • time
    • user@
    • variabel
    • verizon.
    • viren
    • virus
    • whatever@
    • whoever@
    • winrar
    • winzip
    • you@
    • yourname

  11. Sends a copy of itself to the email addresses gathered. The email may be in either English or German, and has the following characteristics:

    From:
    The From address is spoofed. It may be one of the following:

    • Service
    • Webmaster
    • Register
    • Hostmaster
    • Postmaster
    • service
    • webmaster
    • register
    • hostmaster
    • postmaster
    • police@FBI.gov
    • Officer@FBI.gov
    • Admin@FBI.gov
    • Web@FBI.gov
    • FBI@FBI.gov
    • police@fbi.gov
    • Officer@fbi.gov
    • Admin@fbi.gov
    • Web@fbi.gov
    • FBI@fbi.gov
    • Security@microsoft.com

      Subject:
      One of the following:

    • Ihr Passwort wurde geaendert (English: Your password has been changed)
    • Ihr neues Passwort (English: Your new password)
    • EMail-Empfang fehlgeschlagen (English: Email receipt failed)
    • Paris Hilton Nackt! (English: Paris Hilton Naked!)
    • Paris Hilton SexVideos (English: Paris Hilton sex videos)
    • Seitensprung gesucht? (English: Looking for an affair?)
    • Vorsicht! Neuer Sober Wurm! (English: Caution! New Sober worm!)
    • Anhang Scanner: Kein Virus enthalten (English: Attachment scanner: no virus contained)
    • Mail Scanner: Kein Virus gefunden (English: Mail scanner: no virus found)
    • AntiVirus System: No Virus found
    • Your new Password
    • Mail_delivery_failed
    • Paris Hilton, pure!
    • Alert! New Sober Worm!
    • Attachment: No Virus found
    • Mail-Scanner: No Virus detected
    • AntiVirus: Found to be clean
    • You visit illegal websites

      Note: The subject will be followed by the string:

      Message-ID: <%Random_String%.com>

      Message:
      One of the following:

    • Hallo,
      wir hoffen das Ihnen die Betreffszeile unsere Mail genug sagt.
      Der Jugendschutz verbietet uns leider mehr Auskunft ueber unser Angebot zu geben.
      Informationen,,,, wie Sie sich bei uns anmelden koennen befinden sich im beigefuegten Dokument.
      Natuerlich ist die Anmeldung Kostenlos!
      Mehr als 2.5 Millionen registrierte Benutzer!!!
      Da ist fuer jeden was dabei!
      Auf Wiedersehen
      (English: Hello, we hope the subject line of our mail tells you enough. Youth-protection law unfortunately forbids us from giving more information about our offer. Information on how you can register with us is in the attached document. Of course, registration is free! More than 2.5 million registered users!!! There is something for everyone! Goodbye)
    • Wichtige Information!
      Eine neue Sober-Variante verbreitet sich derzeit im Internet. Wie seine Vorgaenger verschickt sich der Wurm von infizierten Windows-Rechnern per E-Mail an weitere Adressen.
      Es wird deshalb empfohlen, das Patch-Tool auszufuehren um sich vor diesem Wurm zu schuetzen bzw. diesen wieder zu entfernen.
      --- (c)2005 Microsoft Corporation. Alle Rechte vorbehalten
      --- Vertretungsberechtigter: Juergen Gallmann
      --- Handelsregisternummer: HRB 70438
      --- E-Mail Adresse: security@microsoft.com
      (English: Important information! A new Sober variant is currently spreading on the Internet. Like its predecessors, the worm sends itself by e-mail from infected Windows computers to further addresses. It is therefore recommended to run the patch tool to protect yourself against this worm or to remove it again. --- (c)2005 Microsoft Corporation. All rights reserved --- Authorized representative: Juergen Gallmann --- Commercial register number: HRB 70438 --- E-mail address: security@microsoft.com)
    • ## Diese E-Mail wurde automatisch generiert
      ## Aus Gruenden der Sicherheit, bekommen Sie diese E-Mail
      ## wenn Ihr aktuelles Benutzer- Passwort veraendert wurde
      ---------------
      Ihr neues Passwort und weiter Informationen befinden sich im beigefuegten Dokument.
      **** Ein Service von
      ****
      http://www.
      **** Mail: Help-Line
      (English: ## This e-mail was generated automatically ## For security reasons, you receive this e-mail ## when your current user password has been changed --------------- Your new password and further information are in the attached document. **** A service of **** http://www. **** Mail: Help-Line)
    • Vielen Dank, dass Sie sich bei registriert haben.
      Der Betrag von,- Euro ist erfolgreich auf unserem Konto eingegangen.
      Passwort, Benutzername und weitere wichtige Informationen zu ihrem neuen Account befinden sich im angehefteten Dokument.
      Hochachtungsvoll
      Silvia Hochberger
      (English: Thank you for registering with [site name blank in the template]. The amount of [amount blank in the template],- Euro has been successfully received in our account. Password, user name and further important information about your new account are in the attached document. Yours faithfully, Silvia Hochberger)
    • - System Mail -
      Diese an ihnen gerichtete E-Mail, wurde in einem falschen Format gesendet.
      Der Betreff, Header und Text dieser Mail, wurde deshalb separat in einer Text-Datei gespeichert und gezippt.
      Vielen Dank fuer Ihr Verstaendnis[System auto- mail]
      (English: - System Mail - This e-mail addressed to you was sent in an incorrect format. The subject, header and text of this mail have therefore been saved separately in a text file and zipped. Thank you for your understanding [System auto-mail])
    • Guten Tag,
      mehr als 50 Videos,
      Mehr als 1000 heisse Fotos
      und mehr als 300 original Sounds von der kleinen Hilton ........ .
      Alles frei zum Download, aber nur bis zum 01 April 2005 !!!
      Weitere Details entnehmen Sie bitte dem vorliegendem Dokument.
      Vielen Dank!
      Webmaster
      (English: Good day, more than 50 videos, more than 1000 hot photos and more than 300 original sounds of little Hilton ........ . All free for download, but only until 01 April 2005 !!! Please see the attached document for further details. Thank you! Webmaster)
    • Dear Sir/Madam,
      we have logged your IP-address on more than 40 illegal Websites.
      Important: Please answer our questions!
      The list of questions are attached.
      Yours faithfully,
      M. John Stellford
      ++-++ Federal Bureau of Investigation -FBI-
      ++-++ 935 Pennsylvania Avenue, NW, Room 2130
      ++-++ Washington, DC 20535
      ++-++ (202) 324-3000
    • ATTENTION!
      Antivirus vendors are warning of a new variant of the Sober
      virus discovered today that can delete the hard disk.
      Protection:
      Download and read the zipped patch. It's very easy to install!
      Thanks for your cooperation!
      --- (c)2005 Microsoft Corporation. All rights reserved
      --- Microsoft Corporation
      --- One Microsoft Way
      --- Redmond, Washington 98052-6399
    • More than 50 HOT Hilton Videos
      More than 3000 Hilton picks
      FREE Download until April, 2005
      Make your own Download Account, its free!
      Further details are attached
      Thanks & have fun ;)
    • This is an automatically generated Delivery Status Notification.
      ESMTP Error []
      I'm afraid I wasn't able to deliver your message.
      This is a permanent error; I've given up. Sorry it didn't work out.
      The full mail-text and header is attached
    • Thanks for your registration!
      We have received your payment.
      For more detailed information, read the attached text.


      Attachment:
      One of the following with a .pif or .zip extension:

    • Patch-Formular.zip
    • Patch-Tool.zip
    • PSW-Text.zip
    • zipped-text.zip
    • zipped-mail.zip
    • Register-Info.zip
    • register_text.zip
    • header_text.zip
    • text_register.zip
    • patch_help-text.zip
    • text-indictment_cit.zip

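The dropped files and Run-key values in steps 1 through 9 are the host-side indicators a responder would sweep for. The following is an added example, not code from the Symantec writeup: it checks a directory listing and a dump of the two Run keys against those indicators. The inputs are plain Python data (the sample listing and key dump at the bottom are constructed, not taken from a real host), so it runs offline on any platform; on a live Windows machine you would feed it a recursive directory walk and an export of the two Run keys.

```python
"""Offline check for the W32.Sober.K@mm host artifacts listed in steps 1-9.

Added example; not code from the Symantec writeup. Sample data below is
constructed for illustration.
"""
import re
from typing import Dict, List

# Files the worm creates, relative to %Windir% (steps 1 and 6).
DROPPED_FILES = [
    r"msagent\win32\smss.exe",
    r"msagent\win32\winlogon.exe",
    r"msagent\win32\csrss.exe",
    r"msagent\win32\zipedso1.ber",
    r"msagent\win32\zipedso2.ber",
    r"msagent\win32\zipedso3.ber",
    r"msagent\win32\datamx1.dat",
    r"msagent\win32\datamx2.dat",
    r"msagent\win32\datamx3.dat",
    r"msagent\win32\GoTo1.dat",
    r"msagent\win32\GoTo2.dat",
    r"msagent\win32\GoTo3.dat",
    r"msagent\win32\runnowso.ber",
    r"System32\nonrunso.ber",
    r"System32\stopruns.zhz",
    r"System32\read.me",
]
# %Windir%\msagent\win32\[random letters].ano has no fixed name (step 6).
RANDOM_ANO = re.compile(r"\\msagent\\win32\\[a-z]+\.ano$")
# Fake error log written to a fixed absolute path (step 9).
ABSOLUTE_FILES = {r"c:\winsockerror_log.txt"}
# Run-key value names from steps 2 and 3. The HKLM name really begins with
# a space, which is easy to miss when eyeballing a registry export.
RUN_VALUE_NAMES = {" winsystem.sys", "_winsystem.sys"}


def _norm(path: str) -> str:
    """Case-fold and unify separators so comparisons are exact-match."""
    return path.replace("/", "\\").lower()


def check_host(paths: List[str], run_keys: Dict[str, Dict[str, str]],
               windir: str = r"C:\Windows") -> Dict[str, list]:
    """Return the dropped files and Run-key entries that match the writeup.

    smss.exe, winlogon.exe and csrss.exe are legitimate Windows binaries;
    only the copies under %Windir%\\msagent\\win32 belong to the worm, so
    matching is on the full path, never on the file name alone.
    """
    base = _norm(windir).rstrip("\\")
    wanted = {base + "\\" + _norm(f) for f in DROPPED_FILES}
    files = []
    for p in paths:
        n = _norm(p)
        if n in wanted or n in ABSOLUTE_FILES:
            files.append(p)
        elif n.startswith(base + "\\") and RANDOM_ANO.search(n):
            files.append(p)

    persistence = []
    for key, values in run_keys.items():
        for name, data in values.items():
            # Match the exact value name, or any Run entry whose data points
            # into the worm's drop directory (robust to a renamed value).
            if name in RUN_VALUE_NAMES or "\\msagent\\win32\\" in _norm(data):
                persistence.append((key, name, data))
    return {"files": files, "persistence": persistence}


# Constructed sample data standing in for a real host (not from the writeup).
SAMPLE_PATHS = [
    r"C:\Windows\System32\smss.exe",          # legitimate, must not match
    r"C:\Windows\msagent\win32\smss.exe",
    r"C:\Windows\msagent\win32\GoTo1.dat",
    r"C:\Windows\msagent\win32\qwertz.ano",
    r"C:\Windows\System32\read.me",
    r"C:\WinsockError_log.txt",
    r"C:\Windows\Temp\1.txt",                 # benign decoy text, ignored
]
SAMPLE_RUN_KEYS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        " winsystem.sys": r"C:\Windows\msagent\win32\smss.exe",
        "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "_winsystem.sys": r"C:\Windows\msagent\win32\smss.exe",
    },
}

if __name__ == "__main__":
    result = check_host(SAMPLE_PATHS, SAMPLE_RUN_KEYS)
    for f in result["files"]:
        print("dropped file:", f)
    for key, name, data in result["persistence"]:
        print(f"persistence: {key} [{name!r}] = {data}")
```

On the sample data the legitimate System32\smss.exe is left alone while the five worm artifacts and both Run-key values are reported. The persistence check also flags any Run entry that merely points into msagent\win32, so a variant that changes the value name is still caught.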

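The message characteristics in step 11 (spoofed senders, fixed subject lines, the Message-ID string the worm appends to the subject, and the attachment names) are what a mail gateway can key on. The following is an added example, not code from the Symantec writeup: it parses a raw message with Python's standard `email` package and reports which of those indicators are present. The two messages at the bottom are constructed samples, not captured traffic.

```python
"""Mail-gateway check for the W32.Sober.K@mm message characteristics in
step 11. Added example; not code from the Symantec writeup. The sample
messages are constructed, not captured.
"""
import email
import email.utils
import re
from email import policy
from typing import List, Tuple

# Full sender addresses the worm spoofs, lower-cased for comparison.
SPOOFED_SENDERS = {
    "police@fbi.gov", "officer@fbi.gov", "admin@fbi.gov", "web@fbi.gov",
    "fbi@fbi.gov", "security@microsoft.com",
}
# Bare role names also used as From; far too common to convict on alone.
SPOOFED_ROLES = {"service", "webmaster", "register", "hostmaster", "postmaster"}
SUBJECTS = {s.lower() for s in [
    "Ihr Passwort wurde geaendert", "Ihr neues Passwort",
    "EMail-Empfang fehlgeschlagen", "Paris Hilton Nackt!",
    "Paris Hilton SexVideos", "Seitensprung gesucht?",
    "Vorsicht! Neuer Sober Wurm!", "Anhang Scanner: Kein Virus enthalten",
    "Mail Scanner: Kein Virus gefunden", "AntiVirus System: No Virus found",
    "Your new Password", "Mail_delivery_failed", "Paris Hilton, pure!",
    "Alert! New Sober Worm!", "Attachment: No Virus found",
    "Mail-Scanner: No Virus detected", "AntiVirus: Found to be clean",
    "You visit illegal websites",
]}
ATTACHMENTS = {
    "patch-formular.zip", "patch-tool.zip", "psw-text.zip", "zipped-text.zip",
    "zipped-mail.zip", "register-info.zip", "register_text.zip",
    "header_text.zip", "text_register.zip", "patch_help-text.zip",
    "text-indictment_cit.zip",
}
# The worm appends "Message-ID: <random.com>" to the Subject header itself.
SUBJECT_MSGID = re.compile(r"\s*message-id:\s*<[^>]*\.com>\s*$", re.IGNORECASE)


def classify(raw: str) -> Tuple[bool, List[str]]:
    """Return (is_sober_k, reasons).

    The verdict is True when a strong indicator is present: a known spoofed
    sender, a known subject, a known attachment name, or the Message-ID
    string embedded in the subject. Weak hints are listed but not counted.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    reasons: List[str] = []
    strong = False

    addr = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if addr in SPOOFED_SENDERS:
        reasons.append(f"spoofed sender {addr}")
        strong = True
    elif addr.split("@")[0] in SPOOFED_ROLES:
        reasons.append(f"role-name sender {addr} (weak)")

    subject = str(msg.get("Subject", ""))
    if SUBJECT_MSGID.search(subject):
        reasons.append("subject carries an embedded Message-ID string")
        strong = True
    core = SUBJECT_MSGID.sub("", subject).strip().lower()
    if core in SUBJECTS:
        reasons.append(f"known subject {core!r}")
        strong = True

    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            reasons.append(f"known attachment name {name}")
            strong = True
        elif name.endswith((".zip", ".pif")):
            reasons.append(f"{name}: archive/PIF attachment (weak)")
    return strong, reasons


# Constructed sample messages (not captured traffic). The zip payload is
# omitted; only headers and attachment name matter to the check.
SAMPLE_SOBER = """\
From: "FBI" <Officer@FBI.gov>
To: someone@example.org
Subject: You visit illegal websites Message-ID: <kd83hfs.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sober-k-sample"

--sober-k-sample
Content-Type: text/plain

Dear Sir/Madam,
we have logged your IP-address on more than 40 illegal Websites.
--sober-k-sample
Content-Type: application/zip; name="text-indictment_cit.zip"
Content-Disposition: attachment; filename="text-indictment_cit.zip"

(zip bytes omitted)
--sober-k-sample--
"""
SAMPLE_BENIGN = """\
From: Alice <alice@example.org>
To: bob@example.org
Subject: Lunch tomorrow?
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("sober", SAMPLE_SOBER), ("benign", SAMPLE_BENIGN)):
        print(label, classify(raw))
```

Matching is done on the parsed address and on the subject with the appended Message-ID string stripped, so display names, case differences and the random string do not defeat the check; the generic role-name senders and plain .zip attachments are reported only as weak hints, because on their own they would flag ordinary mail.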
Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Asuka Yamamoto