Sober J: new worm on the net

Top Threat: W32/Sober.j@MM
Executive Summary
Name: W32/Sober.j@MM (thanks to McAfee)
Affects: Windows XP/2000/2003/NT/ME/98/95
What it does: Sober.J is a mass-mailer worm, packed with UPX, that uses its own SMTP engine to e-mail itself to addresses it harvests off the infected computer.
How to avoid it: Keep your antivirus software up to date and don’t open e-mail attachments that you don’t expect to receive.
How to remove it: The McAfee Stinger removal tool has been updated to remove this attack.
Fact File
Aliases: Win32.Sober.I [Computer Associates], Sober.I [F-Secure], I-Worm.Sober.i [Kaspersky], W32.Sober.I@mm [Symantec], W32/Sober.I@mm [Norman], W32/Sober.I.worm [Panda], W32/Sober-I [Sophos], WORM_SOBER.I [Trend]
Type of virus: Windows 32 executable
Date Discovered: 11/19/2004
Systems affected: Windows XP/2000/2003/9x/Me/NT
Systems not affected: DOS, Windows 3.x, Linux, Mac, OS/2, Unix
Propagation: spreads via e-mail
Executable file: highly randomized file name (see below for details)
Size: 56,808 bytes
From: (forged)
Recipient: harvested from system
Subject: varies (see below)
Body: varies (see below)
Details
Sober.j has some interesting technical innovations, but for the most part it is a conventional mass-mailer worm. It arrives as an executable file attached to an unsolicited e-mail; if the user executes the attachment, the system is infected.
When the user runs the attachment, it displays a message box (a simple Windows dialog box) that says «WinZip_Data_Module is missing ~Error: {[random number]}».
It makes two copies of itself in the system folder using a filename it constructs from combinations of the following strings and a .exe extension:
sys
host
dir
expoler
win
run
log
32
disc
crypt
data
diag
spool
service
smss32
For example, «dir32sys.exe» and «winservicelog.exe».
When the worm executes, both of these files are running in memory, and each holds the other open with exclusive read access. This is the main technical innovation of Sober.j, meant to make it harder to stop: terminating or deleting one copy is hindered while the other is still running.
It creates a group of registry keys in order to execute itself at boot time. For example:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\hostexpoler=C:\WINNT\System32\dir32sys.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wincryptx=C:\WINNT\System32\winservicelog.exe %srun%
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\disccryptx=C:\WINNT\System32\winservicelog.exe %srun%
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runsmss32=C:\WINNT\System32\dir32sys.exe
Note that the file names and data value names are randomly constructed as described above and may not correspond exactly with these examples.
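A defender-side triage check for the persistence described above, added here as an example and not taken from the advisory or from McAfee: it splits the basename of each Run-key executable into the name fragments listed earlier and also flags the %srun% argument. The Run entries are constructed samples, two modelled on the advisory's examples and two benign.

```python
import re
from functools import lru_cache

# Name fragments the advisory lists as the building blocks of Sober.J's file names.
SOBER_TOKENS = ("sys", "host", "dir", "expoler", "win", "run", "log", "32",
                "disc", "crypt", "data", "diag", "spool", "service", "smss32")

# One Run-key entry written as "ValueName=C:\path\file.exe [arguments]".
RUN_RE = re.compile(r"^(?P<value>[^=]+)=(?P<path>.+?\.exe)(?P<args>.*)$", re.I)

# Constructed sample entries (not real registry data): two Sober-like, two benign.
SAMPLE_RUN_ENTRIES = [
    r"hostexpoler=C:\WINNT\System32\dir32sys.exe",
    r"wincryptx=C:\WINNT\System32\winservicelog.exe %srun%",
    r"ctfmon=C:\WINDOWS\system32\ctfmon.exe",
    r"Updater=C:\Program Files\Vendor\syslog.exe",
]

@lru_cache(maxsize=None)
def segment(name):
    """Split a lower-case basename into a tuple of SOBER_TOKENS that concatenate
    to it, or return () if no such split exists (simple recursive search)."""
    if name == "":
        return ()
    for tok in SOBER_TOKENS:
        if name.startswith(tok):
            rest = segment(name[len(tok):])
            if rest or name == tok:
                return (tok,) + rest
    return ()

def triage_run_entry(entry):
    """Return {"entry", "suspicious", "reasons"} for one Run-key entry.
    Only the executable name is segmented; the advisory's value names may
    carry extra characters (e.g. the trailing x in wincryptx)."""
    reasons = []
    m = RUN_RE.match(entry.strip())
    if m:
        path = m.group("path")
        base = path.rsplit("\\", 1)[-1][:-4].lower()
        tokens = segment(base)
        # Require at least two fragments AND the Windows system folder; short
        # fragments such as "sys"+"log" would otherwise match ordinary names.
        if len(tokens) >= 2 and re.search(r"\\system(32)?\\", path, re.I):
            reasons.append("system-folder binary built from Sober.J fragments: "
                           + "+".join(tokens))
        if "%srun%" in m.group("args").lower():
            reasons.append("launched with the %srun% argument")
    return {"entry": entry, "suspicious": bool(reasons), "reasons": reasons}
```

The fragment match is a triage hint rather than proof: names like syslog.exe segment cleanly too, which is why the check also requires the system folder and reports the %srun% argument separately.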
The worm also creates the following files in the %windir%\system folder:
clonzips.ssc (78,090 bytes)
clsobern.isc (77,738 bytes)
cvqaikxt.apk (0 bytes)
dgssxy.yoi (0 bytes)
nonzipsr.noz (77,738 bytes)
Odin-Anon.Ger (0 bytes)
sb2run.dii (0 bytes)
sysmms32.lla (0 bytes)
winexerun.dal (1,779 bytes)
winmprot.dal (1,832 bytes)
winroot64.dal (672 bytes)
winsend32.dal (1,779 bytes)
zippedsr.piz (78,090 bytes)
The worm tries to communicate with a specific list of DNS and NTP servers in order to determine if it is connected to the Internet. When it does begin its mass-mailing routine it uses the system’s default DNS server instead of the ones in the list.
In order to harvest e-mail addresses from the system, the worm scans files on the system with the following file extensions:
pmr
stm
inbox
imb
csv
bak
ihm
xhtml
imm
imh
cms
nws
vcf
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx
It does not send itself out to addresses that contain the following strings:
ntp-
ntp@
office
@www
@from
support
redaktion
smtp-
@smtp.
gold-certs
ftp.
.dial.
.ppp.
anyone
subscribe
announce
@gmetref
sql.
someone
nothing
you@
user@
reciver@
somebody
secure
msdn.
me@
whatever@
whoever@
anywhere
yourname
mustermann
.kundenserver.
mailer-daemon
variable
password
noreply
-dav
law2
.sul.t-
.qmail@
t-ipconnect
t-dialin
ipt.aol
time
postmas
service
freeav
@ca.
abuse
winrar
domain.
host.
viren
bitdefender
spybot
detection
ewido.
emisoft
linux
google
@foo.
winzip
@example.
bellcore.
@arin
mozilla
@iana
@avp
@msn
icrosoft
@spiegel.
@sophos
@panda
@kaspers
free-av
antivir
virus
verizon
@ikarus
@nai.
@messagelab
nlpmail01.
clock
sender
youremail
home.com
hotmail.
t-online
hostmaster
webmaster
info
The subject line of the message may be one of the following, possibly prefixed with «FwD:»:
hi there
hey dude!
wazzup!!!
yeah dude :P
Details
Oh God it’s
damn!
#
Registration confirmation
Confirmation
Your Password
Your mail account
Delivery failure notice
Faulty mail delivery
Mail delivery failed
Mailing Error
Illegal signs in E-Mail
Invalid mail length
Mail Delivery failure
mail delivery status
Warning!
error in dbase
DBase Error
ups, i’ve got your mail
Sorry, that’s your mail
why do you do that?
Life’s a Bitch
Smiling Like a Killer
lol,wat’nlosey?
Information von
Falsche Mailzustellung
Fehler in Ihrer E-Mail
Ihre E-Mail war fehlerhaft
ESMTP Error
Ungültige Variablen in ihrer E-Mail
Verbindung wurde getrennt
Mail_Fehler
Ihr neuer Account
Neue Account Daten
Sie haben nicht gezahlt
Rechnung
Hi, sei vorsichtig!
Achtung! gefährlicher Virus!
Schon gehört?
Die Tools!
Dein Zeug's!
Hier für dich ^^
Bestellungs Bestätigung
Lieferungs-Bestätigung
Ok, hier ist mein
Ich habe mich in dich v
The body of the e-mail contains a variety of error messages, many of them in German.
The file name of the attachment is a random construction of elements from many sources, including the e-mail addresses involved and the body of the message. The file extension may be .bat, .com, .pif, .scr or .zip. If the attachment is a .zip file, the worm creates a zip archive with a single executable file inside. This executable has a name that is randomly constructed like the zip itself, with two extensions separated by a number of spaces. The first extension is one of .txt, .doc, .word, .xls, .eml, .TXT, .DOC or .EML; the second is .bat, .com, .pif, .scr or .zip.
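An added mail-gateway check for the attachment naming just described (example code written for this page, not part of the advisory): it flags names that carry a decoy document extension, a run of spaces, and then an executable extension, and applies the same test to every member name of a zip attachment. The zip is constructed in memory with placeholder bytes.

```python
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Extensions the advisory lists: decoy document extensions that come first,
# and the executable extensions that come last (or stand alone).
DECOY_EXTS = ("txt", "doc", "word", "xls", "eml")
EXEC_EXTS = ("bat", "com", "pif", "scr", "zip")

# "<name>.<decoy><one or more spaces>.<executable>" at the end of the name.
DOUBLE_EXT_RE = re.compile(
    r"\.(%s) +\.(%s)$" % ("|".join(DECOY_EXTS), "|".join(EXEC_EXTS)), re.I)

def attachment_verdict(name: str) -> Optional[str]:
    """Return a reason string if an attachment name matches the Sober.J
    naming pattern, or None if it looks ordinary."""
    if DOUBLE_EXT_RE.search(name):
        return "decoy document extension padded with spaces before an executable extension"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXEC_EXTS and ext != "zip":  # zips are opened and scanned instead
        return "directly executable attachment type ." + ext
    return None

def scan_zip(data: bytes) -> List[Tuple[str, str]]:
    """Apply attachment_verdict to every member name of a zip attachment and
    return (member_name, reason) pairs for the ones that match."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            reason = attachment_verdict(member)
            if reason:
                hits.append((member, reason))
    return hits

def build_sample_zip() -> bytes:
    """Constructed sample (not a real worm): one member named the way the
    advisory describes (decoy .txt, a run of spaces, then .pif) plus one
    harmless member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mail_delivery_report.txt" + " " * 40 + ".pif", b"placeholder bytes")
        zf.writestr("readme.txt", b"harmless")
    return buf.getvalue()
```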