Virus

W32/Sober.L@mm

Analysis

* Update 3-08-2005: Name changed to W32/Sober.L-mm from W32/Sober.M-mm.
This variant follows in the footsteps of previous variants in style and function. It harvests email addresses from an infected system and mails itself to them as a viral attachment, which may have a .PIF or .ZIP extension.
The subject and body of the email vary and are in either English or German, depending on the domain suffix of the target email address. For instance, email addresses that contain any of these strings -
.de
.ch
.at
.li
gmx.
may receive an email with German text. All other email addresses will receive English text.
Loading at Windows startup
If this virus is run on a system, it creates a folder named "System" in the %Windows%\msagent folder and copies itself there as "smss.exe". It also creates a MIME-encoded copy of a .ZIP file as "zipzip.zab"; the .ZIP file contains a copy of the virus. The virus registers itself to load at Windows startup using these registry values -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"_Services.dll" = C:\WINNT\msagent\system\smss.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
" Services.dll" = C:\WINNT\msagent\system\smss.exe

Email harvesting
This virus scans the hard drive, looking inside files with these extensions and extracting email addresses -
abc
abd
abx
adb
ade
adp
adr
asp
bak
bas
cfg
cgi
cls
cms
csv
ctl
dbx
dhtm
doc
dsp
dsw
eml
fdb
frm
hlp
imb
imh
imh
imm
inbox
ini
jsp
ldb
ldif
log
mbx
mda
mdb
mde
mdw
mdx
mht
mmf
msg
nab
nch
nfo
nsf
nws
ods
oft
php
phtm
pl
pmr
pp
ppt
pst
rtf
shtml
slk
sln
stm
tbb
txt
uin
vap
vbs
vcf
wab
wsh
xhtml
xls
xml

The virus avoids selecting email addresses that contain these strings, in an effort to avoid early detection by security-related companies -
.dial.
.kundenserver.
.ppp.
.qmail@
.sul.t-
@arin
@avp
@ca.
@example.
@foo.
@from.
@gmetref
@iana
@ikarus.
@kaspers
@messagelab
@nai.
@panda
@smtp.
@sophos
@www
abuse
announce
antivir
anyone
anywhere
bellcore.
bitdefender
clock
detection
domain.
emsisoft
ewido.
freeav
free-av
ftp.
gold-certs
google
host.
icrosoft.
ipt.aol
law2
linux
mailer-daemon
mozilla
mustermann@
nlpmail01.
noreply
nothing
ntp-
ntp.
ntp@
office
password
postmas
reciver@
secure
service
smtp-
somebody
someone
spybot
sql.
subscribe
support
t-dialin
test@
time
t-ipconnect
user@
variabel
verizon.
viren
virus
whatever@
whoever@
winrar
winzip
you@
yourname

Recommended Action

  • Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option
  • Alternatively, this virus can be blocked by FortiGate units by enabling blocking of file attachments with .ZIP, .COM, .EXE, .BAT, .PIF or .SCR extensions; using the FortiGate manager, enable blocking of these extensions for the SMTP, IMAP and POP3 services
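The following is an added example of the gateway-side attachment check described in the second recommendation; it is not Fortinet's or FortiGate's code. The mail message it parses is constructed for the example, and the .ZIP it carries holds a harmless placeholder file named like the dropped "smss.exe", not the virus; archives are also opened so that a .ZIP wrapping an executable is reported with the inner filename.

```python
from __future__ import annotations
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the recommendation above tells the mail gateway to block.
BLOCKED_EXTS = {"zip", "com", "exe", "bat", "pif", "scr"}


def _ext(name: str) -> str:
    """Last extension of a filename, lower-cased ("" when there is none)."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def blocked_attachments(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for each attachment the gateway should block."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext == "zip":
            # Look inside the archive: Sober mails a ZIP containing its own copy.
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    inner = [n for n in zf.namelist() if _ext(n) in BLOCKED_EXTS]
            except zipfile.BadZipFile:
                inner = []
            reason = "zip containing " + ", ".join(inner) if inner else "blocked extension .zip"
            hits.append((name, reason))
        elif ext in BLOCKED_EXTS:
            hits.append((name, f"blocked extension .{ext}"))
    return hits


def build_sample() -> bytes:
    """Constructed sample mail with a .PIF attachment and a .ZIP wrapping an .exe name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("smss.exe", b"placeholder text, not an executable")  # constructed
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.de"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    msg.add_attachment(b"x", maintype="application", subtype="octet-stream", filename="Photo.PIF")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="data.zip")
    return bytes(msg)
```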