W32.Sober.C@mm

Discovered: December 20, 2003
Updated: December 22, 2003 2:36:34 PM
Systems Affected: Windows

W32.Sober.C@mm is a mass-mailing worm that uses its own SMTP engine to send itself to addresses it gathers from the compromised system.


Technical Description

W32.Sober.C@mm is a mass-mailing worm that uses its own SMTP engine to send itself to all e-mail addresses it gathers from various locations on a compromised system. It stores the addresses it gathers in the following file:
%System%\mscolmon.ocx

Addresses are gathered from files with the following extensions:
.htt
.rtf
.doc
.xls
.ini
.mdb
.txt
.htm
.html
.wab
.pst
.fdb
.cfg
.ldb
.eml
.abc
.ldif
.nab
.adp
.mdw
.mda
.mde
.ade
.sln
.dsw
.dsp
.vap
.php
.nsf
.asp
.shtml
.shtm
.dbx
.hlp
.mht
.nfo

The worm's e-mail message uses various random subjects, attachment names, and message bodies. Possible subjects include:
Betr: Klassentreffen
Testen Sie ihren IQ
Bankverbindungs- Daten
Neuer Dialer Patch!
Ermittlungsverfahren wurde eingeleitet
Ihre IP wurde geloggt
Sie sind ein Raubkopierer
Sie tauschen illegal Dateien aus
Ich hasse dich
Ich zeige sie an!
Sie Drohen mir!!
Anime, Pokemon, Manga, Handy ...
Anmeldebestätigung
Neu! Legales Filesharing
Umfrage: Rente erst mit 80!
du wirst ausspioniert
Ein Trojaner ist auf Ihrem Rechner!
Du hast einen Trojaner drauf!
Hi, Ich bin's
ups, i've got your mail
Sorry, that's your mail
hi, its me
Thank You very very much
you are an idiot
why me?
I hate you
Preliminary investigation were started
Your IP was logged
You use illegal File Sharing ...
A Trojan horse is on your PC
a trojan is on your computer!
Anime, Pokemon, Manga, ...

Possible attachment names include:
www.iq4you-german-test.com
www.freewantiv.com
www.free4share4you.com
www.onlinegamerspro-worm.com
www.freegames4you-gzone.com
www.anime4allfree.com
www.animepage43252.com
downloader.exe
yourmail.[rand1][rand2]
alledigis.[rand2]

[rand1] can be one of { txt., doc. }
[rand2] can be one of { bat, cmd, pif, scr, exe, com }
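The attachment-name templates above turned into a mail-gateway check, as an added example that is not part of the original write-up: it expands `yourmail.[rand1][rand2]` and `alledigis.[rand2]` into the full set of names, and adds a generic double-extension rule (document-style extension immediately followed by an executable one) of the kind these templates rely on. The subject list, function names and sample messages are constructed for illustration.

```python
import re

# Templates from the write-up: yourmail.[rand1][rand2] and alledigis.[rand2]
RAND1 = ("txt.", "doc.")
RAND2 = ("bat", "cmd", "pif", "scr", "exe", "com")
FIXED_NAMES = {
    "www.iq4you-german-test.com", "www.freewantiv.com", "www.free4share4you.com",
    "www.onlinegamerspro-worm.com", "www.freegames4you-gzone.com",
    "www.anime4allfree.com", "www.animepage43252.com", "downloader.exe",
}

def expand_sober_c_names():
    """Enumerate every attachment name the write-up's templates can produce."""
    names = set(FIXED_NAMES)
    for r2 in RAND2:
        names.add(f"alledigis.{r2}")
        for r1 in RAND1:
            names.add(f"yourmail.{r1}{r2}")
    return names

SOBER_C_NAMES = expand_sober_c_names()

# Generic rule: a document-looking extension directly followed by an executable one
# (e.g. "report.doc.exe"), the double-extension trick the templates above use.
DOUBLE_EXT = re.compile(r"\.(txt|doc|xls|htm|html)\.(bat|cmd|pif|scr|exe|com)$")

def classify_attachment(name):
    """'sober_c' for an exact template match, 'double_ext' for the generic trick, else None."""
    lowered = name.strip().lower()
    if lowered in SOBER_C_NAMES:
        return "sober_c"
    if DOUBLE_EXT.search(lowered):
        return "double_ext"
    return None

# A few subjects from the write-up, lower-cased (constructed subset for the example)
KNOWN_SUBJECTS = {"your ip was logged", "a trojan horse is on your pc", "you are an idiot",
                  "ihre ip wurde geloggt", "ein trojaner ist auf ihrem rechner!"}

def triage_message(subject, attachment):
    """Score a (subject, attachment) pair: 2 = template match, 1 = suspicious, 0 = nothing matched."""
    kind = classify_attachment(attachment)
    if kind == "sober_c":
        return 2
    if kind == "double_ext" or subject.strip().lower() in KNOWN_SUBJECTS:
        return 1
    return 0

if __name__ == "__main__":
    # constructed sample messages, not captured traffic
    for subj, att in [("Your IP was logged", "yourmail.doc.pif"), ("Re: meeting", "minutes.txt")]:
        print(subj, att, "->", triage_message(subj, att))
```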

When the worm is executed, it creates two randomly named copies of itself in the Windows System directory.

It then creates the following registry entries so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"<random text string>"="<path and random file name>"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"<random text string>"="<path and random file name>"

The worm also displays the following fake error message:
Microsoft
"<filename>" has caused an unknown error.