Alias: W32/Sober.J@mm, Email-Worm.Win32.Sober.j, W32/Reblin.A@mm
Type: Worm
Size: 42.247 bytes
Origin:
Date: 01-31-2005
Damage:
VDF Version: 6.29.00.89
Danger: Low
Distribution: Medium
General Description
Affected platforms:
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003
Distribution
Worm/Sober.J has its own SMTP engine and sends its virulent emails with English and German texts. The attachment is sent as a ZIP archive, in which the virulent EXE file can be found. The worm searches the local disks for email addresses in files with the following extensions:
pmr
phtm
stm
slk
inbox
imb
csv
bak
imh
xhtml
imm
imh
cms
nws
vcf
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx
The email addresses found within these files are stored in the file 'datamx.dam', which is created by the worm. Worm/Sober.J does not send itself to email addresses that contain the following strings:
ntp-
ntp@
ntp.
info@
test@
office
@www
@from.
support
smtp-
@smtp.
gold-certs
ftp.
.dial.
.ppp.
anyone
subscribe
announce
@gmetref
sql.
someone
nothing
you@
user@
reciver@
somebody
secure
me@
whatever@
whoever@
anywhere
yourname
mustermann@
.kundenserver.
mailer-daemon
variabel
password
noreply
-dav
law2
.sul.t-
.qmail@
t-ipconnect
t-dialin
ipt.aol
time
postmas
service
freeav
@ca.
abuse
winrar
domain.
host.
viren
bitdefender
spybot
detection
ewido.
emsisoft
linux
google
@foo.
winzip
@example.
bellcore.
@arin
mozilla
@iana
@avp
icrosoft.
@sophos
@panda
@kaspers
free-av
antivir
virus
verizon.
@ikarus.
@nai.
@messagelab
nlpmail01.
clock
If the worm finds the suffix .de, .ch or .at in an email address, it sends the German version of the text. Otherwise, the following email text will be sent:
-SUBJECT: I've got YOUR email on my account!!
-BODY:
Hello,
First, Sorry for my very bad English!
Someone send your private mails on my email account!
I think it's an Mail-Provider or SMTP error.
Normally, I delete such emails immediately, but in the mail-text
is a name & adress. I think it's your name and adress.
The sender of this mails is in the text file, too.
In the last 8 days i've got 7 mails in my mail-box, but the
recipient are you, not me. lol
OK, I've copied all email text in the Windows Text-Editor and
i've zipped the text file with WinZip.
bye
-ATTACHMENT: email_text.zip / text.zip / mail_text-info.txt .pif
Technical Details
Worm/Sober.J is written in Visual Basic and packed with the UPX runtime packer. If the worm is executed, it copies itself into the Windows system directory under a randomly chosen filename, which is made up of the strings listed below (for example: "Cryptwin.exe"):
sys
host
dir
expoler
win
run
log
32
disc
crypt
data
diag
spool
service
smss32
In order to be loaded and executed automatically at the next system start by Windows, the worm creates the following entries in the Windows registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"%random%"="%SystemDir%\%random%.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"%random%"="%SystemDir%\%random%.exe"
It also creates the following files in the Windows System directory:
\%SystemDIR%\dgssxy.yoi
\%SystemDIR%\sysmms32.lla
\%SystemDIR%\cvqaikxt.apk
\%SystemDIR%\Odin-Anon.Ger
\%SystemDIR%\nonrunso.ber
\%SystemDIR%\dgsfzipp.gmx (MIME-encoded ZIP archive)
\%SystemDIR%\datamx.dam
\%SystemDIR%\read.me
In the file 'read.me' generated by the worm, the following text can be read:
Ist nur eine kleine Test-Version
In diesem Sinne:
Odin alias Anon
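As an added defender-side example, not part of the original description: a Python check that applies the two indicators above to a constructed sample, namely a Run-key value pointing at an .exe in the system directory whose basename is built only from the listed name tokens, and the dropped file names in a system-directory listing. The registry values and the directory listing are constructed for the example, not read from a live system.

```python
import ntpath

# Tokens the description lists as the building blocks of the worm's random filename.
NAME_TOKENS = ["sys", "host", "dir", "expoler", "win", "run", "log", "32",
               "disc", "crypt", "data", "diag", "spool", "service", "smss32"]

# Additional files the description says the worm drops into the system directory.
DROPPED_FILES = {"dgssxy.yoi", "sysmms32.lla", "cvqaikxt.apk", "odin-anon.ger",
                 "nonrunso.ber", "dgsfzipp.gmx", "datamx.dam", "read.me"}


def is_token_composed(name):
    """True if `name` (extension stripped) can be split entirely into NAME_TOKENS.
    Dynamic programming over prefix lengths. A lone token such as 'win' also
    matches, so treat a hit as a lead to verify, not a verdict."""
    name = name.lower()
    reachable = [True] + [False] * len(name)
    for i in range(1, len(name) + 1):
        reachable[i] = any(reachable[i - len(t)] and name.endswith(t, 0, i)
                           for t in NAME_TOKENS if len(t) <= i)
    return len(name) > 0 and reachable[len(name)]


def suspicious_run_values(run_values, system_dir):
    """Return the Run-key value names whose data points at an .exe in
    `system_dir` with a token-composed basename. `run_values` maps value
    name -> data string, as exported from the Run key."""
    hits = []
    for value_name, data in run_values.items():
        directory, filename = ntpath.split(data.strip('"'))
        base, ext = ntpath.splitext(filename)
        if (ext.lower() == ".exe"
                and ntpath.normcase(directory) == ntpath.normcase(system_dir)
                and is_token_composed(base)):
            hits.append(value_name)
    return hits


def dropped_file_hits(listing):
    """Names from a system-directory listing that match the dropped-file set."""
    return {f for f in listing if f.lower() in DROPPED_FILES}


# Constructed sample data (not from a real machine).
SAMPLE_RUN_VALUES = {
    "Cryptwin": r"C:\WINDOWS\System32\Cryptwin.exe",
    "ctfmon": r"C:\WINDOWS\System32\ctfmon.exe",
    "SoundMAX": r"C:\Program Files\Analog Devices\SoundMAX\SMax4.exe",
    "Windisc": r"C:\Users\alice\AppData\windisc.exe",  # token name, wrong directory
}
SAMPLE_LISTING = ["ntoskrnl.exe", "datamx.dam", "Odin-Anon.Ger", "kernel32.dll"]
```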
The description was created by Crony Walker on Tuesday, 15 June 2004