I-Worm.Sober. Viruses Information
Name: I-Worm.Sober.
Category: Viruses
Description:
Details
I-Worm.Sober.f
This worm spreads via email as a file attached to infected messages. It also spreads via file-sharing networks. It is written in Visual Basic and packed using UPX. The packed file is approximately 40KB in size (this may vary slightly). The unpacked file is approximately 140KB in size.
Infected messages
Infected messages have a subject line and body text chosen at random from the lists given under Propagation. The attachment name also varies, but it always carries the extension .pif or .zip. A sample infected message is shown below.
Message header:
Connection failed
Message body:
I hope you accept the result!
Follow the instructions to read the message.
Please read the document
Attachment name:
your_passwords.pif
Installation
The worm is activated when the user opens the attached file. Once launched, it opens Notepad to display the text of the original message, a decoy so that opening the attachment appears to have done something harmless.
The worm then creates a copy of itself in the Windows system directory under a random name chosen from the following list:
sys
host
dir
explorer
win
run
log
32
disc
crypt
data
diag
spool
service
smss32
This file is then registered in the system registry autorun keys (the value name and the file name inside %System% are left blank in this description):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
"" = "%System% %1"
The worm also creates further copies of itself and its auxiliary data files in the Windows system directory under the following fixed names:
bcegfds.lll
spoofed_recips.ocx
syst32win.dll
winsys32xx.zzp
winhex32xx.wrm
zmndpgwf.kxx
zhcarxxi.vvx
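The persistence and drop artifacts above can be checked on a host from a `reg export` of the Run keys plus a listing of %System%. The following triage script is an added example, not code from the original description: it parses the REG_SZ values of the exported keys, flags any Run/RunOnce value whose target is a file in %System% named after one of the random names listed above, and matches the listing against the fixed dropped-file names. The %System% path and the sample registry dump and listing are assumptions constructed for the example; the indicator names are the ones given on this page.

```python
"""Host triage for the I-Worm.Sober.f persistence and drop artifacts described above.
Added example, not from the original page; %System% path and sample inputs are assumptions."""
import ntpath

# Random names the worm may pick for its copy in the system directory (from the page).
RANDOM_NAMES = {"sys", "host", "dir", "explorer", "win", "run", "log", "32",
                "disc", "crypt", "data", "diag", "spool", "service", "smss32"}
# Fixed names of the further files it drops in the system directory (from the page).
DROPPED_FILES = {"bcegfds.lll", "spoofed_recips.ocx", "syst32win.dll", "winsys32xx.zzp",
                 "winhex32xx.wrm", "zmndpgwf.kxx", "zhcarxxi.vvx"}
AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
}
SYSTEM_DIR = r"C:\WINDOWS\system32"  # assumption: %System% on the hosts being checked


def parse_reg_export(text):
    """Parse the REG_SZ values of a `reg export` dump into {key: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"="' in line:
            name, _, data = line.partition('"="')
            # .reg syntax doubles backslashes and escapes quotes inside string data
            data = data.rstrip('"').replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name[1:]] = data
    return keys


def first_path(command):
    """Executable path from a Run value: quoted ("C:\\a b.exe" /x) or bare (C:\\a.exe %1)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0] if command else ""


def autorun_hits(keys):
    """Run/RunOnce values pointing at %System%\\<name> with <name> from RANDOM_NAMES."""
    hits = []
    for key, values in keys.items():
        if key not in AUTORUN_KEYS:
            continue
        for value_name, data in values.items():
            path = first_path(data)
            stem = ntpath.splitext(ntpath.basename(path))[0].lower()
            # The directory check matters: C:\WINDOWS\explorer.exe is legitimate,
            # a file called explorer inside %System% is not.
            if stem in RANDOM_NAMES and ntpath.dirname(path).lower() == SYSTEM_DIR.lower():
                hits.append((key.rsplit("\\", 1)[1], value_name, path))
    return hits


def dropped_file_hits(listing):
    """Names from a directory listing of %System% that match the fixed dropped-file names."""
    return sorted(name.lower() for name in listing if name.lower() in DROPPED_FILES)


def triage(reg_export_text, system_dir_listing):
    return {"autorun": autorun_hits(parse_reg_export(reg_export_text)),
            "dropped": dropped_file_hits(system_dir_listing)}


# Constructed sample inputs (not captured from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /quiet"
"Shell"="C:\\WINDOWS\\explorer.exe"
"disc"="C:\\WINDOWS\\system32\\disc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"disc"="C:\\WINDOWS\\system32\\disc.exe %1"
"""
SAMPLE_LISTING = ["kernel32.dll", "bcegfds.lll", "Spoofed_Recips.ocx", "disc.exe", "notepad.exe"]

if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_LISTING))
```

Only the fixed names are safe to match by file name alone; the worm's own copy uses names such as `explorer`, `win` and `run` that also belong to legitimate files, so that copy is located through the autorun value pointing into %System% and then confirmed by hashing or scanning the file, never by name.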
Propagation
The worm searches disks for any files with the following extensions:
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx
It harvests e-mail addresses from these files and sends infected messages to them through its own SMTP engine, connecting directly to the recipients' SMTP servers rather than going through the user's mail client.
The sender address is forged; the sender name is chosen from the list below (German entries are glossed in parentheses; the list is reproduced as on the page, so several names appear twice):
Webmaster
Fehler-Info (error info)
Administrator
RobotMailer
AutoMailer
Register
Service
Info
Passwort (password)
Kundenservice (customer service)
Liste (list)
Schwarze-Liste (blacklist)
Information
Administrator
Webmaster
Home
Register
Service
Info
admin
Error_Info
RobotMailer
AutoMailer
User-info
account
webmaster
The sender domain is either the recipient's own domain or one of the following:
abuse.de
yahoo.com
yahoo.de
gmx.de
gmx.net
web.de
freenet.de
lycos.de
Message header, i.e. the subject line (chosen at random from the list below; German entries are glossed in parentheses):
Einzelheiten (Details)
Hallo Du! (Hello you!)
Hallo! (Hello!)
Hey Du (Hey you)
Hi, Ich bin's (Hi, it's me)
Ich bin es .-) (It's me .-))
Verdammt (Damn)
Na, überrascht?! (Well, surprised?!)
Info
Information
Fehlerhafte Mailzustellung (Faulty mail delivery)
Mailzustellung fehlgeschlagen (Mail delivery failed)
Fehler (Error)
Illegale Zeichen in Mail-Routing (Illegal characters in mail routing)
Verbindung fehlgeschlagen (Connection failed)
Fehler in E-Mail (Error in e-mail)
Bestätigung (Confirmation)
Registrierungs-Bestätigung (Registration confirmation)
Ihr neues Passwort (Your new password)
Ihr Passwort (Your password)
Datenbank-Fehler (Database error)
Warnung! (Warning!)
Oh my God
Hey
Hi!
Hi, it's me
hey you
damn!
Well, surprised?
Info
Information
Faulty mail delivery
Mail delivery failed
Mail Error
Illegal signs in Mail-Routing
Connection failed
Invalid mail sentence length
Mail Delivery failure
Message Error
mail delivery status
Confirmation Required
Bad Gateway
Warning!
Your document
Message-ID
The message body is built from the paragraphs listed below (German entries are glossed in parentheses):
Ich war auch ein wenig überrascht! (I was a little surprised too!)
Wer konnte so etwas ahnen!? Lese selbst (Who could have guessed!? Read for yourself)
Oh-Mann (Oh man)
Alles klaro bei dir? (Everything OK with you?)
Schau mal was Ich gefunden habe! (Look what I found!)
Sieh mal nach ob du den Scheiss auch bei dir drauf hast! (Check whether you have this crap on your machine too!)
Ist ein ziemlich nervender Virus. Mach genau das, wie es im Text beschrieben ist! (It's a pretty annoying virus. Do exactly what the text describes!)
Bye
Ich habs dir doch gesagt, irgendwann schaffe ich es deine Passwörter rauszubekommen!!! (I told you, one day I'd manage to get hold of your passwords!!!)
Passwoerter.txt
Details entnehmen Sie bitte dem Attachment (Please see the attachment for details)
Nähere Informationen befinden sich im Anhang. (Further information is in the attachment.)
*** Auto Mail Delivery System ***
Ihre E-Mail konnte nicht gesendet oder empfangen werden. (Your e-mail could not be sent or received.)
Bitte überprüfen Sie nochmals diese E-Mail auf mögliche Fehlerquellen. (Please re-check this e-mail for possible sources of error.)
attach: AMD-System.txt
* End Transmission
Virenschutz (Virus protection)
--- Web: http://
--- Mail To: User-Hilfe (user help)
Passwort und Benutzername wurde erfolgreich geändert (Password and user name were changed successfully)
Ihre Benutzernamen und Passwörter befinden sich im Anhang dieser E-Mail (Your user names and passwords are attached to this e-mail)
++++ Im www erreichbar unter: http:// (Reachable on the web at: http://)
++++ E-Mail: KundenInfo (customer info)
Wegen eines Datenbank-Fehlers könnte es möglicherweise zu einem Verlust Ihrer persönlichen Daten wie Kennwörter gekommen sein. (Because of a database error, personal data such as passwords may have been lost.)
Wenn Sie Unregelmäßigkeiten festgestellt haben, melden Sie uns bitte umgehend den Datenverlust. (If you have noticed irregularities, please report the data loss to us immediately.)
Vielen Dank für Ihr Verständnis (Thank you for your understanding)
+++ Ein Service von (A service of)
+++ http://
+++ E-Mail: Kundenservice (customer service)
Internet Provider Abuse:
Wir haben festgestellt, dass Sie illegale Internet-Seiten besuchen. (We have determined that you visit illegal web sites.)
Bitte beachten Sie folgende Liste: (Please note the following list:)
I was surprised, too! :-(
Who could suspect something like that?
All OK :)
see, what i've found!
hi its me
i've found a shity virus on my pc. check your pc, too!
follow the steps in this article.
bye
I 've told you!:-) sometime I grab your passwords!
I hope you accept the result!
Follow the instructions to read the message.
Please read the document
Registration confirmation
Your Password
Your mail account
Your password was changed successfully.
Protected message is attached.
++++ Service: http://
++++ Mail To: User-info
*** Auto Mail Delivery System ***
_failed_after_I_sent_the_message./Remote_host_said:_554_delivery_error:_dd_Sorry_your_message_cannot_be_delivered._This_account_has_been_disabled_ or_discontinued_[#102]._-_mta134.mail.dcn.com
** End of Transmission
The original message is a separate attachment.
--- Web: http://
--- Mail To: User-Hilfe
Read the attachment for details.
Bad Gateway: The message has been attached.
+++ A service of
+++ http://
+++ Mail: home
The message has been attached.
Database #Error
-- Partial message is available!
-- Error: llegal signs in Mail-Routing
-- Mail Server: ESMTP VX32.9 Version Betha Alpha
Anybody use your accounts!
For further details see the attachment.
I have received your document. The corrected document is attached.
greets
Attachment name (chosen at random from the following and given the extension .pif or .zip; German entries are glossed in parentheses):
Oh-Mann (Oh man)
Dokument (document)
KurzText (short text)
AntiVirus-Text (antivirus text)
Anleitung (instructions)
Passwoerter.txt (passwords)
Text-Inhalt (text content)
AMD-System.txt
Benutzer-Daten (user data)
Datenbank-Fehler (database error)
abuse-liste (abuse list)
schwarze-listen (blacklists)
Block-Lists
anitv_text
instructions
your_article
your_passwords
messagedoc
corrected_text-file
attach-message
-attachment
_attach
pass-message
text
Textdocument
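Because subject, body, sender and attachment name are each drawn at random from the lists above, no single string is a reliable signature; what is distinctive is the combination of a .pif or .zip attachment with a listed subject, sender name, sender domain or attachment stem. The script below is an added example, not code from the original description: it parses an RFC 822 message with Python's `email` package, scores it against excerpts of the lists on this page, and returns a verdict. The indicator sets are subsets of the page's lists, and the sample messages are constructed, not real captures.

```python
"""Mail-gateway triage for the I-Worm.Sober.f message indicators listed above.
Added example, not from the original page; the indicator sets are excerpts from the lists
on this page and the sample messages are constructed."""
import email
import email.utils
import os
from email import policy
from email.message import EmailMessage

# Excerpts of the subject, sender, domain and attachment lists given on the page.
SUBJECTS = {"Connection failed", "Mail delivery failed", "Your Password", "Bad Gateway",
            "Warning!", "Hi, it's me", "Verbindung fehlgeschlagen", "Ihr neues Passwort"}
SENDER_NAMES = {"webmaster", "administrator", "robotmailer", "automailer", "register",
                "service", "info", "passwort", "kundenservice", "fehler-info",
                "error_info", "user-info", "account", "admin"}
SENDER_DOMAINS = {"abuse.de", "yahoo.com", "yahoo.de", "gmx.de", "gmx.net",
                  "web.de", "freenet.de", "lycos.de"}
ATTACH_EXTS = {".pif", ".zip"}
ATTACH_STEMS = {"your_passwords", "instructions", "your_article", "messagedoc",
                "passwoerter.txt", "amd-system.txt", "datenbank-fehler", "text", "textdocument"}


def verdict(hits):
    """Subject and body are randomised, so one hit alone is weak evidence; a .pif/.zip
    attachment together with a listed subject, sender or file name is the signal."""
    ext = any(h.startswith("attachment-ext") for h in hits)
    other = [h for h in hits if not h.startswith("attachment-ext")]
    if ext and other:
        return "suspicious"
    return "review" if (ext or other) else "clean"


def score_message(raw):
    """Indicator hits and verdict for one RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    # The worm forges the From address from a listed name and a listed domain
    # (or the recipient's own domain), so check name and domain separately.
    display, addr = email.utils.parseaddr(str(msg["From"] or ""))
    local, _, domain = addr.rpartition("@")
    if display.lower() in SENDER_NAMES or local.lower() in SENDER_NAMES:
        hits.append("sender-name")
    if domain.lower() in SENDER_DOMAINS:
        hits.append("sender-domain")
    for part in msg.iter_attachments():
        stem, ext = os.path.splitext((part.get_filename() or "").lower())
        if ext in ATTACH_EXTS:
            hits.append("attachment-ext:" + ext)
        if stem in ATTACH_STEMS:
            hits.append("attachment-name")
    return {"hits": hits, "verdict": verdict(hits)}


def build_sample(subject, sender, body, attachment_name=None):
    """Constructed test message (not a real capture); the attachment body is a stand-in."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00 stand-in payload", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("Connection failed", "Administrator <administrator@yahoo.de>",
                          "I hope you accept the result!\nFollow the instructions to read the message.",
                          "your_passwords.pif")
    print(score_message(sample))
```

A message whose only hit is a .zip attachment lands in "review" rather than "suspicious", since archives are common in legitimate mail; at a gateway the natural next step for such messages is to inspect the archive contents for a .pif or other executable, which this example does not do.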