May 6, 2005
McAfee has raised the threat level of W32/Sober.p@MM to medium due to increased prevalence.
We have noticed a sharp increase in spam email recently, and it may be attributable to PCs infected by this virus.
This virus is also known as W32/Sober-N (Sophos) and W32.Sober.O@MM (Symantec).
Virus Description
------------------
This mass-mailing email worm pretends to deliver information about your email account or password in a .ZIP attachment. It sends itself to addresses harvested from the infected computer. The email message is constructed in German or English, depending on the domain of the recipient's email address. Once a machine is infected, the worm attempts to contact various TIME servers on TCP port 37 (the Time protocol, RFC 868).
These are the characteristics of the email (English version):
From: (spoofed, faked)
Subject line:
mailing error
Registration Confirmation
Your email was blocked
Your Password
Message text (one of the following variants):
Variant 1:
This is an automatically generated E-Mail Delivery Status Notification.
Mail-Header, Mail-Body and Error Description are attached
(See attached file: <zip file name>)
Variant 2:
Account and Password Information are attached!
Visit: <URL>
*** AntiVirus: No Virus found
*** "<vendor name>" Anti-Virus
*** <vendor url>
(See attached file: <zip file name>)
Variant 3:
Account and Password Information are attached!
Visit: <URL>
(See attached file: <zip file name>)
Variant 4:
Account and Password Information are attached!
Visit: <URL>
*** Server-AntiVirus: No Virus (Clean)
*** "<vendor name>" Anti-Virus
*** <vendor url>
(See attached file: <zip file name>)
Variant 5:
ok ok ok,,,,, here is it
*** AntiVirus: No Virus found
*** "<vendor name>" Anti-Virus
*** <vendor url>
(See attached file: <zip file name>)
Attached file (one of):
mail_info.zip
account_info.zip
our_secret.zip
The attached filenames may contain an optional prefix "error-" or an optional suffix "-text" followed by the ZIP file extension.
The ZIP file will contain an executable file named Winzipped-Text_Data.txt<spaces>.pif. The long run of spaces pushes the real .pif extension out of view in many file listings, so the file appears to be a plain text file.
When the ZIP file is extracted and the PIF file is manually executed, the virus may display a fake error message:
Error: CRC not complete. OK.
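The attachment pattern described above (a known subject line, a ZIP named from a short list with optional "error-" prefix or "-text" suffix, and a whitespace-padded double extension hiding a .pif inside the ZIP) is easy to catch at a mail gateway. The following is an added example, not part of the original alert or of any vendor's tooling: it builds a constructed sample message in memory, then inspects it the way a gateway filter would. The list of executable extensions, the sample sender and recipient addresses, and all function names are this example's own assumptions.

```python
"""Gateway-style check for the Sober.p email pattern (added example).

Flags a message if its subject, ZIP attachment name, or the contents of
the ZIP (an executable hidden behind 'name.txt<spaces>.pif') match the
pattern the alert describes.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines quoted in the alert (English version), compared case-insensitively.
SOBER_SUBJECTS = {"mailing error", "registration confirmation",
                  "your email was blocked", "your password"}
# Base ZIP names from the alert, with the optional "error-" prefix and "-text" suffix.
SOBER_ZIP_RE = re.compile(
    r"^(error-)?(mail_info|account_info|our_secret)(-text)?\.zip$", re.I)
# Extensions Windows executes on double-click (assumption: our own short list).
EXEC_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
# Two or more spaces before a final extension: the padding trick.
PADDING_RE = re.compile(r"\s{2,}\.")


def true_extension(name):
    """Extension Windows would act on, looking past 'x.txt<spaces>.pif' padding."""
    stripped = name.rstrip()          # trailing spaces never hide anything
    dot = stripped.rfind(".")
    return stripped[dot:].lower() if dot >= 0 else ""


def zip_members(zip_bytes):
    """File names (without directories) stored in an in-memory ZIP."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename.rsplit("/", 1)[-1] for info in zf.infolist()]


def classify(raw_bytes):
    """Return the reasons a raw RFC 822 message matches Sober.p (empty = no match)."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in SOBER_SUBJECTS:
        reasons.append(f"subject matches: {subject!r}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if SOBER_ZIP_RE.match(fname):
            reasons.append(f"attachment name matches: {fname}")
        if not fname.lower().endswith(".zip"):
            continue
        try:
            members = zip_members(part.get_payload(decode=True))
        except zipfile.BadZipFile:
            reasons.append(f"unreadable ZIP attachment: {fname}")
            continue
        for member in members:
            ext = true_extension(member)
            if ext in EXEC_EXTS:
                padded = (" (whitespace-padded double extension)"
                          if PADDING_RE.search(member) else "")
                reasons.append(f"executable {ext} inside {fname}: {member!r}{padded}")
    return reasons


def _zip_with(name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_sober_sample():
    """Constructed message mimicking the alert's English 'Your Password' variant."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"   # spoofed sender, as in the alert
    msg["To"] = "user@example.com"
    msg["Subject"] = "Your Password"
    msg.set_content("Account and Password Information are attached!\nVisit: http://example.com/\n")
    inner = "Winzipped-Text_Data.txt" + " " * 40 + ".pif"
    msg.add_attachment(_zip_with(inner, b"MZ" + b"\0" * 64), maintype="application",
                       subtype="zip", filename="error-account_info-text.zip")
    return msg.as_bytes()


def build_clean_sample():
    """Constructed benign message: a ZIP holding only a text file."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Meeting notes"
    msg.set_content("See attached.\n")
    msg.add_attachment(_zip_with("notes.txt", b"hello"), maintype="application",
                       subtype="zip", filename="notes.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in classify(build_sober_sample()):
        print("MATCH:", reason)
    print("clean sample:", classify(build_clean_sample()))
```

The ZIP inspection is the part worth keeping even after this particular worm is gone: the subject and attachment-name lists only catch this variant, while looking at the real extension of each ZIP member catches the whole family of padded double-extension lures.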
The worm copies itself to a newly created directory in the WINDOWS directory and creates registry run keys to load itself at system startup:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "_WinStart" = C:\WINDOWS\Connection Wizard\Status\services.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run " WinStart" = C:\WINDOWS\Connection Wizard\Status\services.exe
File Symptoms
-------------
The following files are created:
* c:\WINDOWS\Connection Wizard\Status\fastso.ber
* c:\WINDOWS\system32\adcmmmmq.hjg
* c:\WINDOWS\system32\langeinf.lin
* c:\WINDOWS\system32\nonrunso.ber
* c:\WINDOWS\system32\seppelmx.smx
* c:\WINDOWS\system32\xcvfpokd.tqa
The following files are MIME encoded versions of the worm in a ZIP file:
* c:\WINDOWS\Connection Wizard\Status\packed1.sbr
* c:\WINDOWS\Connection Wizard\Status\packed2.sbr
* c:\WINDOWS\Connection Wizard\Status\packed3.sbr
The following files contain email-related data (such as harvested addresses and domain names):
* c:\WINDOWS\Connection Wizard\Status\sacri1.ggg
* c:\WINDOWS\Connection Wizard\Status\sacri2.ggg
* c:\WINDOWS\Connection Wizard\Status\sacri3.ggg
* c:\WINDOWS\Connection Wizard\Status\voner1.von
* c:\WINDOWS\Connection Wizard\Status\voner2.von
* c:\WINDOWS\Connection Wizard\Status\voner3.von
The following files are copies of the worm:
* c:\WINDOWS\Connection Wizard\Status\csrss.exe
* c:\WINDOWS\Connection Wizard\Status\services.exe
* c:\WINDOWS\Connection Wizard\Status\smss.exe
Once the computer is infected, the running worm can keep the antivirus scanner from detecting its files (read access to the files may be denied while the worm process holds them open), so a scan in normal mode is not sufficient. If you suspect that your computer is infected, reboot into Safe Mode, make sure your DAT is updated to 4482 or later, run a full scan of your hard drive, delete the files flagged as infected, and then restart the computer in normal mode.
For more information:
http://vil.nai.com/vil/content/v_133409.htm (McAfee)
http://www.sophos.com/virusinfo/analyses/w32sobern.html (Sophos)
http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.o@mm.html (Symantec)
http://www.hawaii.edu/pcalerts/ (detailed virus alerts)
http://www.hawaii.edu/technews/ (Current Status and Alerts)