W32/Sober.P@mm

Analysis

This variant of Sober is packed and has a file size of 53,554 bytes. The virus harvests email addresses from the infected system and sends emails with a viral attachment to those recipients. The attachment may have a .PIF or .ZIP extension. This Sober variant differs from others in that it includes a file deletion payload.

Fake Error Dialogue Box
When run, the virus attempts to appear legitimate by displaying what looks like a genuine error dialogue box.

In the background, the virus is installing itself in preparation for mass-mail distribution.

Loading at Windows startup
If this virus is run on a system, it creates a folder named "status" in the "[Windows]\Connection Wizard\" folder. It then copies files to that folder -

[copy of virus - 53,554 bytes]
C:\WINNT\Connection Wizard\Status\csrss.exe
C:\WINNT\Connection Wizard\Status\services.exe
C:\WINNT\Connection Wizard\Status\smss.exe
[Base64 copy of ZIP, contains virus - 73,526 bytes]
C:\WINNT\Connection Wizard\Status\packed1.sbr
C:\WINNT\Connection Wizard\Status\packed2.sbr
C:\WINNT\Connection Wizard\Status\packed3.sbr

The virus registers itself to load at Windows startup using this registry key -

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"_WinStart" = C:\WINNT\Connection Wizard\Status\services.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
" WinStart" = C:\WINNT\Connection Wizard\Status\services.exe

Email Structure
The subject and body of the email vary and are either in English or German, depending on the suffix of the target email address. For instance, email addresses containing these strings -

.at
.li
gmx.

may receive an email with German text. All other email addresses receive English text. The header of the email message is created with these properties -

From: [spoofed]
To: [any address found]
Importance: Normal
X-Mailer: AnonMail_Version

Below are some examples of subject lines used by the virus -

Ihr Passwort
Mail-Fehler!
Ihre E-Mail wurde verweigert
Ich bin's, was zum lachen ;)
Glueckwunsch: Ihr WM Ticket
WM Ticket Verlosung
WM-Ticket-Auslosung
Your Password
Registration Confirmation
Your email was blocked
mailing error

Below are some of the file attachments used by the virus -

[text]Fifa_Info-Text.zip
[text]okTicket-info.zip
[text]_PassWort-Info.zip
[text]autoemail-text.zip
[text]LOL.zip
[text]mail_info.zip
[text]our_secret.zip
[text]error-mail_info.zip

where [text] could be a prefix such as "error-".

This is an example of an email created by the virus -

Subject: FwD: Your email was blocked
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal

Content-Transfer-Encoding: 7bit
This is a multi-part message in MIME format.

This is an automatically generated E-Mail Delivery Status Notification.

Mail-Header, Mail-Body and Error Description are attached

*** AntiVirus: No Virus found
*** "YAHOO" Anti-Virus
*** http://www.yahoo.com
Content-Type: application/octet-stream; name=error-mail_info.zip
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="error-mail_info.zip"

In the above example, the virus used the domain of the target email address to construct the last two body lines, which contain the reference to "yahoo".
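As an added example (not part of the original analysis), the following Python filter flags a message that carries the indicators documented above: the X-Mailer value, the subject lines, the attachment name suffixes and the fake anti-virus banner. The embedded message is constructed for this example, modelled on the sample above, and carries no real payload.

```python
import email
import re
from email import policy

# Indicator values come from the analysis above; SAMPLE is constructed and carries no payload.
X_MAILER = "AnonMail_Version"
SUBJECTS = {"Ihr Passwort", "Mail-Fehler!", "Ihre E-Mail wurde verweigert",
            "Your Password", "Registration Confirmation",
            "Your email was blocked", "mailing error"}
ATTACHMENTS = ("fifa_info-text.zip", "ticket-info.zip", "_passwort-info.zip",
               "autoemail-text.zip", "lol.zip", "mail_info.zip", "our_secret.zip")
FAKE_AV = re.compile(r"^\*\*\* AntiVirus: No Virus found", re.MULTILINE)

def sober_indicators(raw_message):
    """Return the Sober.P indicators found in one RFC 822 message, in order."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    if str(msg.get("X-Mailer", "")).strip() == X_MAILER:
        hits.append("x-mailer")
    # The worm prepends forward/reply markers ("FwD: ...") to its subject lines.
    subject = re.sub(r"^\s*(fwd?|re)\s*:\s*", "", str(msg.get("Subject", "")), flags=re.I)
    if subject in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(ATTACHMENTS):
            hits.append("attachment:" + name)
        if part.get_content_type() == "text/plain" and FAKE_AV.search(part.get_content()):
            hits.append("fake-av-banner")
    return hits

SAMPLE = """\
Subject: FwD: Your email was blocked
X-Mailer: AnonMail_Version
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

*** AntiVirus: No Virus found
*** "EXAMPLE" Anti-Virus
--b1
Content-Type: application/octet-stream; name=error-mail_info.zip
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="error-mail_info.zip"

bm90IGEgcmVhbCBwYXlsb2Fk
--b1--
"""
```

A mail gateway rule would normally act on any two of these hits together, since the subject lines alone also occur in legitimate bounce messages.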

Email harvesting
This virus scans the hard drive for files with these extensions and extracts email addresses from them -

abc
abd
abx
adb
ade
adp
adr
asp
bak
bas
cfg
cgi
cls
cms
csv
ctl
dbx
dhtm
doc
dsp
dsw
eml
fdb
frm
hlp
imb
imh
imm
inbox
ini
jsp
ldb
ldif
log
mbx
mda
mdb
mde
mdw
mdx
mht
mmf
msg
nab
nch
nfo
nsf
nws
ods
oft
php
phtm
pl
pmr
pp
ppt
pst
rtf
shtml
slk
sln
stm
tbb
txt
uin
vap
vbs
vcf
wab
wsh
xhtml
xls
xml

The virus skips email addresses that contain any of these strings -

.dial.
.kundenserver.
.ppp.
.qmail@
.sul.t-
@arin
@avp
@ca.
@example.
@foo.
@from.
@gmetref
@iana
@ikarus.
@kaspers
@messagelab
@nai.
@panda
@smtp.
@sophos
@www
abuse
announce
antivir
anyone
anywhere
bellcore.
bitdefender
clock
-dav
detection
domain.
emsisoft
ewido.
freeav
free-av
ftp.
gold-certs
google
host.
iana-
iana@
icrosoft.
info@
ipt.aol
law2
linux
mailer-daemon
mozilla
mustermann@
nlpmail01.
noreply
nothing
ntp-
ntp.
ntp@
reciver@
secure
smtp-
somebody
someone
spybot
sql.
subscribe
support
t-dialin
test@
time
t-ipconnect
user@
variabel
verizon.
viren
virus
whatever@
whoever@
winrar
winzip
you@
yourname

File Deletion Payload
This virus carries a file deletion payload. It targets files matching these patterns -

a*.exe
luc*.exe
ls*.exe
luu*.exe
mrt.exe
asw*.tmp

In testing, the virus deleted files such as these -

AUPDATE.EXE
LSETUP.EXE
LuComServer.EXE

The above named files are related to Norton Antivirus "Live Update".

Recommended Action

FortiGate systems:
  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option

Telemetry

Detection Availability

FortiClient                 Extreme
FortiMail                   Extreme
FortiSandbox                Extreme
FortiWeb                    Extreme
Web Application Firewall    Extreme
FortiIsolator               Extreme
FortiDeceptor               Extreme
FortiEDR

Version Updates

Date Version Detail
2021-10-12 89.05871
2021-07-28 87.00950