W32/Sober.K@mm

description-logoAnalysis

This 32-bit mass-mailer virus sends itself to email addresses harvested from the infected system. The emails created by the virus contained spoofed sender ID info, and tricky body text which could entice users into opening the attachment. Opening the attachment spawns the virus into running another cycle of sending itself to others.
Email attachments are likely to have either a .PIF or .ZIP file extension.
The virus creates new folders under the Windows folder named "msagent\win32". The virus will copy itself to this new location by three file names -
csrss.exe
winlogon.exe
smss.exe
Loading at Windows Startup
The virus will register itself to run at each Windows startup -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
winsystem.sys = C:\Winnt\msagent\win32\smss.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
winsystem.sys = C:\Winnt\msagent\win32\smss.exe
Country-code Targeting Technique
This variant uses tricks from previous variants to target its multilingual emails to recipients which may speak the language used in the email. For instance, during the email harvesting routine, the virus will check the suffix of email addresses, and based on country codes which may exist in the address, the virus uses a table of language-specific subject lines and body text to create the message.
Email addresses found on the infected system that have these four suffixes - .de, .ch, .at or .li - may receive an email with one of these subject lines -

Ihr Passwort wurde geaendert
Ihr neues Passwort
EMail-Empfang fehlgeschlagen
Paris Hilton Nackt!
Paris Hilton SexVideos
Seitensprung gesucht?
Vorsicht! Neuer Sober Wurm!

All other email addresses will receive a message with English text. These are some of the subject lines used for English constructed email messages -

Your new Password
Mail_delivery_failed
Paris Hilton, pure!
Alert! New Sober Worm!

Email Address Harvesting
Before a single email message is sent from the infected system, the virus must first gather addresses by scanning files which are likely to contain them. The virus will search files that have these extensions for target addresses -
pmr
phtm
stm
slk
inbox
imb
csv
bak
imh
xhtml
imm
imh
cms
nws
vcf
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx

Security Address Avoidance
The virus will assume that email addresses having any of the strings listed below are somehow related to a security organization, or an organization which is close to a reporting mechanism which could pinpoint the virus quickly and/or alert security firms that would then publish updates to counter the virus spread -

ntp-
ntp@
ntp.
info@
test@
@www
@from.
support
smtp-
@smtp.
gold-certs
ftp.
.dial.
.ppp.
anyone
subscribe
announce
@gmetref
sql.
someone
nothing
you@
user@
reciver@
somebody
secure
whatever@
whoever@
anywhere
yourname
mustermann@
.kundenserver.
mailer-daemon
variabel
noreply
-dav
law2
.sul.t-
.qmail@
t-ipconnect
t-dialin
ipt.aol
time
freeav
@ca.
abuse
winrar
domain.
host.
viren
bitdefender
spybot
detection
ewido.
emsisoft
linux
google
@foo.
winzip
@example.
bellcore.
@arin
mozilla
iana@
iana-
@iana
@avp
icrosoft.
@sophos
@panda
@kaspers
free-av
antivir
virus
verizon.
@ikarus.
@nai.
@messagelab
nlpmail01.
clock

Miscellaneous
The virus tracks evolutions of itself among replications by incrementing a byte field in the header of the virus file. At offset 0x00A0, the virus may insert a numeral 01 for first generation copies of itself, and for further replications may have this field incremented by 1.

recommended-action-logoRecommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Alternatively, this virus can be blocked by FortiGate units by enabling blocking of file attachments with ZIP, .COM, .EXE, .BAT, .PIF or .SCR extensions; using the FortiGate manager, enable blocking of these extensions using SMTP, IMAP or POP3 services

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR