W32/Sober.K@mm
Analysis
This 32-bit mass-mailer virus sends itself to email
addresses harvested from the infected system. The emails
created by the virus contained spoofed sender ID info,
and tricky body text which could entice users into opening
the attachment. Opening the attachment spawns the virus
into running another cycle of sending itself to others.
Email attachments are likely to have either a .PIF or
.ZIP file extension.
The virus creates new folders under the Windows folder
named "msagent\win32". The virus will copy
itself to this new location by three file names -
csrss.exe
winlogon.exe
smss.exe
Loading at Windows Startup
The virus will register itself to run at each Windows
startup -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
winsystem.sys = C:\Winnt\msagent\win32\smss.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
winsystem.sys = C:\Winnt\msagent\win32\smss.exe
Country-code Targeting Technique
This variant uses tricks from previous variants to target
its multilingual emails to recipients which may speak
the language used in the email. For instance, during
the email harvesting routine, the virus will check the
suffix of email addresses, and based on country codes
which may exist in the address, the virus uses a table
of language-specific subject lines and body text to
create the message.
Email addresses found on the infected system that have
these four suffixes - .de, .ch, .at
or .li - may receive an email with one of these
subject lines -
Ihr Passwort wurde geaendert
Ihr neues Passwort
EMail-Empfang fehlgeschlagen
Paris Hilton Nackt!
Paris Hilton SexVideos
Seitensprung gesucht?
Vorsicht! Neuer Sober Wurm!
All other email addresses will receive a message with
English text. These are some of the subject lines used
for English constructed email messages -
Your new Password
Mail_delivery_failed
Paris Hilton, pure!
Alert! New Sober Worm!
Email Address Harvesting
Before a single email message is sent from the infected
system, the virus must first gather addresses by scanning
files which are likely to contain them. The virus will
search files that have these extensions for target addresses
-
pmr
phtm
stm
slk
inbox
imb
csv
bak
imh
xhtml
imm
imh
cms
nws
vcf
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx
Security Address Avoidance
The virus will assume that email addresses having any
of the strings listed below are somehow related to a
security organization, or an organization which is close
to a reporting mechanism which could pinpoint the virus
quickly and/or alert security firms that would then
publish updates to counter the virus spread -
ntp-
ntp@
ntp.
info@
test@
@www
@from.
support
smtp-
@smtp.
gold-certs
ftp.
.dial.
.ppp.
anyone
subscribe
announce
@gmetref
sql.
someone
nothing
you@
user@
reciver@
somebody
secure
whatever@
whoever@
anywhere
yourname
mustermann@
.kundenserver.
mailer-daemon
variabel
noreply
-dav
law2
.sul.t-
.qmail@
t-ipconnect
t-dialin
ipt.aol
time
freeav
@ca.
abuse
winrar
domain.
host.
viren
bitdefender
spybot
detection
ewido.
emsisoft
linux
google
@foo.
winzip
@example.
bellcore.
@arin
mozilla
iana@
iana-
@iana
@avp
icrosoft.
@sophos
@panda
@kaspers
free-av
antivir
virus
verizon.
@ikarus.
@nai.
@messagelab
nlpmail01.
clock
Miscellaneous
The virus tracks evolutions of itself among replications
by incrementing a byte field in the header of the virus
file. At offset 0x00A0, the virus may insert a numeral
01 for first generation copies of itself, and for further
replications may have this field incremented by 1.
Recommended Action
- Check the main screen using the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option
- Alternatively, this virus can be blocked by FortiGate units by enabling blocking of file attachments with ZIP, .COM, .EXE, .BAT, .PIF or .SCR extensions; using the FortiGate manager, enable blocking of these extensions using SMTP, IMAP or POP3 services
Telemetry
Detection Availability
FortiClient | |
---|---|
Extreme | |
FortiMail | |
Extreme | |
FortiSandbox | |
Extreme | |
FortiWeb | |
Extreme | |
Web Application Firewall | |
Extreme | |
FortiIsolator | |
Extreme | |
FortiDeceptor | |
Extreme | |
FortiEDR |