Name: Worm/Sober.Y
CME number: 681
Discovered on: 15/11/2005
Type: Worm
In the wild (ITW): Yes
Number of reported infections: High
Distribution potential: Medium
Damage potential: Medium
Static file: Yes
Size: 55,390 bytes
MD5: cb73f0c6d0a20e191c21cc47dff1e471
VDF version: 6.32.00.180
Heuristic: Worm/Sober.Gen
General
Method of propagation:
• Email

Aliases:
• McAfee: W32/Sober
• Kaspersky: Email-Worm.Win32.Sober.y
• Sophos: W32/Sober-Z
• Grisoft: I-Worm/Sober.CF
• VirusBuster: iworm I-Worm.Sober.AI
• Bitdefender: Win32.Sober.AD@mm

Operating systems:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Uses its own email engine
• Registry modifications

Immediately after execution, a window is displayed on screen (the screenshot is not included in this copy of the description).

Files
It copies itself to the following locations:
• %WINDIR%\WinSecurity\services.exe
• %WINDIR%\WinSecurity\smss.exe
• %WINDIR%\WinSecurity\csrss.exe

The following files are created:
– Harmless files:
• %WINDIR%\WinSecurity\starter.run
• %WINDIR%\WinSecurity\nexttroj.tro
– MIME-encoded copies of itself:
• %WINDIR%\WinSecurity\socket1.ifo
• %WINDIR%\WinSecurity\socket2.ifo
• %WINDIR%\WinSecurity\socket3.ifo
– Files containing harvested email addresses:
• %WINDIR%\WinSecurity\mssock1.dli
• %WINDIR%\WinSecurity\mssock2.dli
• %WINDIR%\WinSecurity\mssock3.dli
• %WINDIR%\WinSecurity\winmem1.ory
• %WINDIR%\WinSecurity\winmem2.ory
• %WINDIR%\WinSecurity\winmem3.ory
– Marker files used to disable an earlier variant of itself:
• %SYSDIR%\bbvmwxxf.hml
• %SYSDIR%\langeinf.lin
• %SYSDIR%\nonrunso.ber
• %SYSDIR%\rubezahl.rub
• %SYSDIR%\filesms.fms
• %SYSDIR%\runstop.rst

It attempts to download a file:
The download routine is triggered by the time obtained through the integrated clock synchronization (see "Other information" below), at the following moment:
Date: 06/01/2006
Time: 00:00 UTC (Coordinated Universal Time)
The list of URLs changes at a fixed interval: 14 days.
The addresses are the following (the file name part is masked):
• free.pages.at/emcndvwoemn/**********
• home.arcor.de/dixqshv/**********
• home.arcor.de/jmqnqgijmng/**********
• home.arcor.de/nhirmvtg/**********
• home.arcor.de/ocllceclbhs/**********
• home.arcor.de/srvziadzvzr/**********
• home.pages.at/npgwtjgxwthx/**********
• people.freenet.de/fseqepagqfphv/**********
• people.freenet.de/mclvompycem/**********
• people.freenet.de/qisezhin/**********
• people.freenet.de/smtmeihf/**********
• people.freenet.de/urfiqileuq/**********
• people.freenet.de/wjpropqmlpohj/**********
• people.freenet.de/zmnjgmomgbdz/**********
• scifi.pages.at/zzzvmkituktgr/**********
At the time this description was written, the file was not available for further analysis.

Registry
The following registry values are added so that the process runs again after a system restart:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Windows"="%WINDIR%\WinSecurity\services.exe"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "_Windows"="%WINDIR%\WinSecurity\services.exe"

Email
It has an integrated SMTP engine and connects directly to the recipient's mail server. Its characteristics are the following:

Activation mechanism:
The mailing routine starts based on the time obtained through the clock synchronization described under "Other information".
– Date: 21/11/2005
– Time: 7 PM (GMT)

From:
The address is spoofed (generated addresses). Please do not assume that the apparent sender intended to send you this email. The sender may not know that their system is infected, or may not be infected at all. Likewise, you may receive bounce messages claiming that you are infected; these can be equally false, because the worm forges the sender address.

To:
– Email addresses found on the system
– Email addresses obtained from the WAB (Windows Address Book)
– Generated addresses

Subject:
One of the following:
• Account Information; Account_Information; Ermittlungsverfahren wurde eingeleitet; Ermittlungsverfahren_wurde_eingeleitet; hi, ive a new mail address; hi,_ive_a_new_mail_address; Ihr Passwort; Ihr_Passwort; Mail delivery failed; Mail_delivery_failed; Mailzustellung wurde unterbrochen; Mailzustellung_wurde_unterbrochen; Paris Hilton & Nicole Richie; Paris_Hilton_&_Nicole_Richie; Registration Confirmation; Registration_Confirmation; RTL: Wer wird Millionaer; RTL:_Wer_wird_Millionaer; Sehr geehrter Ebay-Kunde; Sehr_geehrter_Ebay-Kunde; Sie besitzen Raubkopien; Sie_besitzen_Raubkopien; smtp mail failed; SMTP Mail gescheitert; smtp_mail_failed; SMTP_Mail_gescheitert; You visit illegal websites; You_visit_illegal_websites; Your IP was logged; Your Password; Your_IP_was_logged; Your_Password

Body:
The body of the email is one of the following texts (the lure texts are reproduced verbatim; most are in German):
• Bei uns wurde ein neues Benutzerkonto mit dem Namen "%random character string% " beantragt. Um das Konto einzurichten, benoetigen wir eine Bestaetigung, dass die bei der Anmeldung angegebene e-Mail-Adresse stimmt. Bitte senden Sie zur Bestaetigung den ausgefuellten Anhang an uns zurueck. Wir richten Ihr Benutzerkonto gleich nach Einlangen der Bestaetigung ein und verstaendigen Sie dann per e-Mail, sobald Sie Ihr Konto benutzen koennen. Vielen Dank, Ihr Ebay-Team
• Sehr geehrte Dame, sehr geehrter Herr, das Herunterladen von Filmen, Software und MP3s ist illegal und somit strafbar. Wir moechten Ihnen hiermit vorab mitteilen, dass Ihr Rechner unter der IP %IP address% erfasst wurde. Der Inhalt Ihres Rechner wurde als Beweismittel sichergestellt und es wird ein Ermittlungsverfahren gegen Sie eingleitet. Die Strafanzeige und die Moeglichkeit zur Stellungnahme wird Ihnen in den naechsten Tagen schriftlich zugestellt. Aktenzeichen NR.: %4 random characters% (siehe Anhang) Hochachtungsvoll i.A. Juergen Stock --- Bundeskriminalamt BKA --- Referat LS 2 --- 65173 Wiesbaden --- Tel.: +49 (0)611 - 55 - 12331 oder --- Tel.: +49 (0)611 - 55 - 0
• Ihre Nutzungsdaten wurden erfolgreich geaendert. Details entnehmen Sie bitte dem Anhang. *** http://www.%domain of the sender address% *** E-Mail: PassAdmin@%domain of the sender address%
• Glueckwunsch: Bei unserer EMail Auslosung hatten Sie und weitere neun Kandidaten Glueck. Sie sitzen demnaechst bei Guenther Jauch im Studio! Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang. +++ RTL interactive GmbH +++ Geschaeftsfuehrung: Dr. Constantin Lange +++ Am Coloneum 1 +++ 50829 Koeln +++ Fon: +49(0) 221-780 0 oder +++ Fon: +49 (0) 180 5 44 66 99
• Dear Sir/Madam, we have logged your IP-address on more than 30 illegal Websites. Important: Please answer our questions! The list of questions are attached. Yours faithfully, Steven Allison *** Federal Bureau of Investigation -FBI- *** 935 Pennsylvania Avenue, NW, Room 3220 *** Washington, DC 20535 *** phone: (202) 324-3000
• hey its me, my old address dont work at time. i dont know why?! in the last days ive got some mails. i' think thaz your mails but im not sure! plz read and check ... cyaaaaaaa
• The Simple Life: View Paris Hilton & Nicole Richie video clips , pictures & more ;) Download is free until Jan, 2006! Please use our Download manager.
• Account and Password Information are attached! ***** Go to: http://www.%domain of the sender address% ***** Email: postman@%domain of the sender address%
• This is an automatically generated Delivery Status Notification. SMTP_Error [] I'm afraid I wasn't able to deliver your message. This is a permanent error; I've given up. Sorry it didn't work out. The full mail-text and header is attached!
• Protected message is attached! ***** Go to: http://www.%domain of the sender address% ***** Email: postman@%domain of the sender address%

Attachment:
The attachment file name is composed as follows:
– It may start with one of:
• Admin
• Akte
• Anzeige
• Auslosung
• BKA
• BKA.Bund
• Casting
• downloadm
• Download
• Ebay
• Ebay-User_RegC
• Ebay-User%some random digits%_RegC
• Email
• Gewinn
• Hostmaster
• Kandidat
• Info
• Internet
• list
• mail
• mailtext
• question_list
• Post
• Postman
• Postmaster
• reg_pass
• RTL-Admin
• RTL
• RTL-TV
• Service
• Webmaster
• WWM
• %random character string%
• %harvested data%
– Sometimes followed by one of:
• _body
• -data
• -TextInfo
• _text
• _Text
• %random character string%
– The file extension is one of:
• zip
The attachment is a copy of the malware.
An example of such an email was shown here as a screenshot (not included in this copy of the description).

Address harvesting:
It searches for email addresses in files with the following extensions:
• abc; abd; abx; adb; ade; adp; adr; asp; bak; bas; cfg; cgi; cls; cms; csv; ctl; dbx; dhtm; doc; dsp; dsw; eml; fdb; frm; hlp; imb; imh; imm; inbox; ini; jsp; ldb; ldif; log; mbx; mda; mdb; mde; mdw; mdx; mht; mmf; msg; nab; nch; nfo; nsf; nws; ods; oft; php; pl; pmr; pp; ppt; pst; rtf; shtml; slk; sln; stm; tbb; txt; uin; vap; vbs; vcf; wab; wsh; xhtml; xls; xml

Sender address generation:
To generate sender addresses it uses the following strings as the local part:
• Admin; Anzeige; Auslosung; BKA; BKA.Bund; Casting; Department; Downloads; Gewinn; Hostmaster; hostmaster; info; Info; Internet; Kandidat; Mail; office; Post; Postman; RTL; RTL-TV; RTL-Admin; Service; webmaster; WWM
It combines the result with a domain from the following list or with a domain found in files on the system. The domain is one of:
• BKA.de
• bka.bund.de
• cia.gov
• fbi.gov
• RTL.de
• RTLWorld.de
• Ebay.com

Recipient address generation:
To generate recipient addresses it uses the following strings as the local part:
• address; email; emailserv; e-user; ex-smtp; listening; MailIn_Box; mailingbox; mailserver; priv-mail; RAR.regsite; smntp; ThisAccount; x_mail-list; XFreeMail; XPost; x-Recipient; Z-Account; zfreemailer; Z-User
It may append the following to the first string:
• %some random digits%
It combines the result with a domain from the following list or with a domain found in files on the system. The domain is one of:
• security.nl; google.com; yahoo.com; heise.de; hotmail.com; microsoft.com; t-online.de; arcor.de; fbi.gov; cia.gov; blueWin.ch; msdn.microsoft.com; aol.com; ragnarokonline.com; symantec.com; icq.com; ibm.com; yahoo.de; hotmail.de; gmx.de; gmx.at; gmx.net; gmx.ch

Avoided addresses:
It does not send emails to addresses containing one of the following strings:
• ntp-; ntp.; ntp@; test@; @www; @from.; support; smtp-; @smtp.; gold-certs; ftp.; .dial.; .ppp.; anyone; subscribe; announce; @gmetref; sql.; someone; nothing; you@; user@; reciver@; somebody; secure; whatever; whoever; anywhere; yourname; mustermann; .kundenserver.; mailer-daemon; variabel; norepl; -dav; law; .sul.t-; .qmail; t-ipconnect; t-dialin; ipt.aol; time; freeav; @ca.; abuse; winrar; domain.; host.; viren; bitdefender; spybot; detection; ewido.; emsisoft; linux; google; @foo.; winzip; @example.; bellcore.; @arin; mozilla; iana; iana-; @iana; @avp; icrosoft.; @sophos; @panda; @kaspers; free-av; antivir; virus; verizon.; @ikarus.; @nai.; @messagelab; nlpmail01.; clock; sender; youremail; home.com; hostmaster; postmaster

MX servers:
It can connect to one of the following MX servers:
• auth.smtp.kundenserver.de; cat.asw.cz; Command.com; eforward5.name-services.com; etrn.nextra.cz; excu-mxib-1.symantec.com; gold.internet-media.net; group-4.is-rvk.aves.F-Prot.com; gsmtp171.google.com; gsmtp57.google.com; icq-mr1.icq.com; in1.smtp.messagingengine.com; inbound.canada.com.criticalpath.net; INBOUND.HAURI.COM.NETSOLMAIL.net; lycos-com.mr.outblaze.com; mail.arcor.de; mail.cambridge.com; mail.DrWeb.com; mail.freeav.de; mail.postman.net; mail.softhome.net; mail1.Sophos.com; maila.microsoft.com; mailhost.ip-plus.net; mail-kr.bigfoot.com; mg1.w-o-r-l-d.net; mx.arcor.de; mx.freenet.de; mx.nyc.untd.com; mx0.gmx.de; mx0.gmx.net; mx1.F-Secure.com; mx1.icq.mail2world.com; mx1.mail.yahoo.com; mxbw.bluewin.ch; mx-ha01.web.de; mxiab.bluewin.ch; mxzhh.bluewin.ch; norman.norman.no; post.strato.de; redir-mail-telehouse1.gandi.net; relay.clara.net; relay.heise.de; relay2.ucia.gov; scanlab01.mymailwall.at; sitemail2.everyone.net; smtp.1und1.de; smtp.ameritech.yahoo.com; smtp.aol.com; smtp.compuserve.de; smtp.gmail.com; smtp.googlemail.com; smtp.isp.netscape.com; smtp.lycos.de; smtp.mail.ru; smtp.mail.yahoo.co.uk; smtp.mail.yahoo.com; smtp.sbcglobal.yahoo.com; smtp.web.de; smtp00.fbi.gov; smtp1.google.com; smtpauth.bluewin.ch; smtpauth.earthlink.net; sncwsrelay1.nai.com; tombrider.ealaddin.com; udcmail01.udc.TrendMicro.com

Name resolution:
It can connect to the following DNS servers:
• 204.127.160.3; 70.85.116.133; 204.60.0.3; 67.18.208.130; 69.93.9.167; 65.98.70.107; 70.85.209.148; 70.84.250.212; 213.218.170.6; 193.174.26.133; 203.178.136.36; 128.8.74.2; 194.87.0.9; 147.28.0.39; 194.231.195.79; 69.20.54.201; 198.87.87.38; 194.206.126.200; 209.68.63.250; 205.166.226.38; 128.83.139.9; 131.215.254.100; 128.9.176.32; 216.194.225.70; 128.135.5.5; 219.127.89.34; 193.158.124.143; 129.115.102.150; 38.9.211.2; 134.94.80.2; 130.149.2.12; 128.194.254.2; 4.2.2.3; 195.185.185.195; 209.68.2.46; 129.186.1.200; 198.6.1.2; 131.243.64.3; 24.93.40.33; 195.182.96.29; 158.43.128.1; 200.74.214.246; 204.117.214.10; 194.25.2.129; 217.237.150.225; 217.237.151.161; 151.201.0.39; 209.253.113.2; 213.239.234.108; 62.156.146.242; 207.69.188.186; 207.217.120.43; 129.187.10.25; 200.52.83.103; 129.187.16.1; 212.242.88.2

Process termination
The following process is terminated:
• mrt.exe
Processes whose names contain one of the following strings are terminated:
• microsoftanti; gcas; gcip; giantanti; inetupd.; nod32kui; nod32.; fxsbr; avwin.; guardgui.; aswclnr; stinger; hijack; sober; brfix; s_t_i_n; s-t-i-n
After the process is terminated, a window is displayed (the screenshot is not included in this copy of the description).

Other information
Clock synchronization:
To synchronize the system time it connects on port 37 to the following time servers. Note that port 37 is the RFC 868 Time protocol, not NTP (which uses port 123), even though the hosts are commonly known as NTP servers; outbound connections to TCP port 37 from a workstation are therefore a useful network indicator.
• ntps1-1.uni-erlangen.de; time.mit.edu; tick.greyware.com; tock.keso.fi; ntp2c.mcc.ac.uk; ntp1.theremailer.net; time.chu.nrc.ca; time-a.timefreq.bldrdoc.gov; time.nrc.ca; ntp.massayonet.com.br; ntp2b.mcc.ac.uk; ntp2.ien.it; nist1.datum.com; swisstime.ethz.ch; clock.psu.edu; time.ien.it; ptbtime2.ptb.de; Rolex.PeachNet.edu; ntp.metas.ch; ntp3.fau.de; utcnist.colorado.edu; sundial.columbia.edu; vega.cbk.poznan.pl; ntp0.cornell.edu; ntp-sop.inria.fr; rolex.usg.edu; time.xmission.com; st.ntp.carnet.hr; ntp-1.ece.cmu.edu; time.nist.gov; ntp.lth.se; cuckoo.nevada.edu; ntp-2.ece.cmu.edu; time.kfki.hu; ntp.pads.ufrj.br; time-ext.missouri.edu; ntp1.arnes.si; timelord.uregina.ca; gandalf.theunixman.com

File modification:
To raise the maximum number of concurrent outbound connections (the half-open connection limit that Windows XP SP2 enforces in the TCP/IP driver), it is able to modify the file tcpip.sys. This can corrupt the file and break network connectivity.

File details
Programming language:
• Visual Basic
File compression:
To hinder detection and reduce the file size, the following runtime packer is used:
• UPX
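The file and registry artifacts listed under "Files" and "Registry" are the host-side indicators a responder checks first. The following Python script is an added example written for this page, not code from the original description or its vendor. It takes the evidence (which paths exist, what the two Run values contain) as arguments so the matching logic runs and can be tested offline; only `collect_run_values()` touches the live registry, and only on Windows. It assumes the dropped copies are byte-identical to the analysed sample, so the header MD5 applies to them; a different digest is reported as a possible other variant rather than treated as clean. The `%WINDIR%` default of `C:\WINDOWS` is an assumption.

```python
"""Host triage for the Worm/Sober.Y artifacts listed in this description.

Added example, not the vendor's tooling. Evidence is injected so the
matching logic can be exercised offline; only collect_run_values() reads
the live registry, and only when run on Windows.
"""
import hashlib
import os
import sys

KNOWN_MD5 = "cb73f0c6d0a20e191c21cc47dff1e471"  # from the description header

# Relative to %WINDIR%, exactly as listed under "Files".
WINDIR_ARTIFACTS = [
    r"WinSecurity\services.exe", r"WinSecurity\smss.exe", r"WinSecurity\csrss.exe",
    r"WinSecurity\starter.run", r"WinSecurity\nexttroj.tro",
    r"WinSecurity\socket1.ifo", r"WinSecurity\socket2.ifo", r"WinSecurity\socket3.ifo",
    r"WinSecurity\mssock1.dli", r"WinSecurity\mssock2.dli", r"WinSecurity\mssock3.dli",
    r"WinSecurity\winmem1.ory", r"WinSecurity\winmem2.ory", r"WinSecurity\winmem3.ory",
]
EXECUTABLE_COPIES = WINDIR_ARTIFACTS[:3]  # the three self-copies, assumed identical to the sample
# Relative to %SYSDIR%: marker files that disable an earlier variant.
SYSDIR_ARTIFACTS = ["bbvmwxxf.hml", "langeinf.lin", "nonrunso.ber",
                    "rubezahl.rub", "filesms.fms", "runstop.rst"]
# (hive, value name) -> path suffix the value data must end with, per "Registry".
RUN_VALUES = {
    ("HKLM", "Windows"): r"WinSecurity\services.exe",
    ("HKCU", "_Windows"): r"WinSecurity\services.exe",
}


def _join(base, rel):
    # Windows-style join so the logic behaves the same on any analysis host.
    return base.rstrip("\\") + "\\" + rel


def md5_of(path, reader=None):
    """MD5 hex digest of a file; `reader` is injectable for offline tests."""
    data = reader(path) if reader else open(path, "rb").read()
    return hashlib.md5(data).hexdigest()


def check_files(windir, sysdir, exists=os.path.exists, reader=None):
    """Return one finding line per Sober.Y artifact present on the host."""
    findings = []
    for rel in WINDIR_ARTIFACTS:
        path = _join(windir, rel)
        if not exists(path):
            continue
        findings.append(f"file present: {path}")
        if rel in EXECUTABLE_COPIES:
            digest = md5_of(path, reader)
            if digest == KNOWN_MD5:
                findings.append(f"  MD5 matches the analysed sample: {path}")
            else:
                findings.append(f"  MD5 {digest} differs from the analysed sample "
                                f"(other variant or modified file): {path}")
    for name in SYSDIR_ARTIFACTS:
        path = _join(sysdir, name)
        if exists(path):
            findings.append(f"marker file (disables an earlier Sober variant): {path}")
    return findings


def check_run_values(run_values):
    """run_values: {(hive, value_name): data} read from the two Run keys."""
    findings = []
    for (hive, name), suffix in RUN_VALUES.items():
        data = run_values.get((hive, name))
        if data and data.lower().endswith(suffix.lower()):
            findings.append(f"{hive}\\...\\CurrentVersion\\Run\\{name} = {data}")
    return findings


def collect_run_values():
    """Read the two persistence values from the live registry (Windows only)."""
    import winreg  # only importable on Windows
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    out = {}
    for hive_name, hive in hives:
        try:
            with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
                for name in ("Windows", "_Windows"):
                    try:
                        out[(hive_name, name)] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass
        except OSError:
            pass
    return out


if __name__ == "__main__" and sys.platform == "win32":
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")  # default is an assumption
    sysdir = _join(windir, "system32")
    for line in check_files(windir, sysdir) + check_run_values(collect_run_values()):
        print(line)
```

Run it as an administrator on the suspect host; a clean host prints nothing. Because the worm spoofs legitimate process names (services.exe, smss.exe, csrss.exe), the path under %WINDIR%\WinSecurity is the discriminator, not the file name.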
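On the mail-gateway side, the fixed subject lines, the spoofed sender names and domains, and the attachment naming scheme under "Email" combine into a usable lure detector. The following Python classifier is an added example for this page, not part of the original description. The `SAMPLE_MESSAGES` are constructed; the attachment pattern covers only the fixed prefixes (the random-string and harvested-data prefixes cannot be enumerated, so a name check alone is never sufficient); and the verdict rule, a matching ZIP name plus at least one other indicator, is a design choice of this example, made because several of the sender names (info, office, mail) are common in legitimate traffic.

```python
"""Classify a message against the Worm/Sober.Y lure characteristics above.

Added example, not vendor code. Lists are copied from the description;
SAMPLE_MESSAGES are constructed for illustration.
"""
import re

SUBJECTS = set("""Account Information;Account_Information;Ermittlungsverfahren wurde eingeleitet;
Ermittlungsverfahren_wurde_eingeleitet;hi, ive a new mail address;hi,_ive_a_new_mail_address;
Ihr Passwort;Ihr_Passwort;Mail delivery failed;Mail_delivery_failed;
Mailzustellung wurde unterbrochen;Mailzustellung_wurde_unterbrochen;Paris Hilton & Nicole Richie;
Paris_Hilton_&_Nicole_Richie;Registration Confirmation;Registration_Confirmation;
RTL: Wer wird Millionaer;RTL:_Wer_wird_Millionaer;Sehr geehrter Ebay-Kunde;Sehr_geehrter_Ebay-Kunde;
Sie besitzen Raubkopien;Sie_besitzen_Raubkopien;smtp mail failed;SMTP Mail gescheitert;
smtp_mail_failed;SMTP_Mail_gescheitert;You visit illegal websites;You_visit_illegal_websites;
Your IP was logged;Your Password;Your_IP_was_logged;Your_Password""".replace("\n", "").split(";"))

SENDER_LOCAL = {s.lower() for s in (
    "Admin;Anzeige;Auslosung;BKA;BKA.Bund;Casting;Department;Downloads;Gewinn;Hostmaster;"
    "info;Internet;Kandidat;Mail;office;Post;Postman;RTL;RTL-TV;RTL-Admin;Service;webmaster;WWM"
).split(";")}
SENDER_DOMAINS = {"bka.de", "bka.bund.de", "cia.gov", "fbi.gov", "rtl.de", "rtlworld.de", "ebay.com"}

# Fixed attachment prefixes only; "%random%" and "%harvested data%" are not enumerable.
ATTACHMENT_PREFIXES = (
    "Admin;Akte;Anzeige;Auslosung;BKA;BKA.Bund;Casting;downloadm;Download;Ebay;Ebay-User_RegC;"
    "Email;Gewinn;Hostmaster;Kandidat;Info;Internet;list;mail;mailtext;question_list;Post;"
    "Postman;Postmaster;reg_pass;RTL-Admin;RTL;RTL-TV;Service;Webmaster;WWM"
).split(";")
SUFFIXES = ["_body", "-data", "-TextInfo", "_text", "_Text"]
_prefix_alt = "|".join([re.escape(p) for p in ATTACHMENT_PREFIXES] + [r"Ebay-User\d+_RegC"])
_suffix_alt = "|".join(re.escape(s) for s in SUFFIXES)
ATTACHMENT_RE = re.compile(rf"^(?:{_prefix_alt})(?:{_suffix_alt})?\.zip$")


def indicators(msg):
    """Return the list of Sober.Y indicators a message matches.

    msg: {"from": str, "subject": str, "attachments": [file names]}
    """
    hits = []
    if msg.get("subject", "") in SUBJECTS:
        hits.append("subject")
    local, _, domain = msg.get("from", "").rpartition("@")
    if local.lower() in SENDER_LOCAL:
        hits.append("sender-local")
    if domain.lower() in SENDER_DOMAINS:
        hits.append("sender-domain")
    if any(ATTACHMENT_RE.match(name) for name in msg.get("attachments", [])):
        hits.append("attachment")
    return hits


def is_sober_lure(msg):
    """Verdict rule of this example: worm-style ZIP name plus one more indicator."""
    hits = indicators(msg)
    return "attachment" in hits and len(hits) >= 2


# Constructed sample messages (not captured traffic).
SAMPLE_MESSAGES = [
    {"from": "BKA@bka.de", "subject": "Ermittlungsverfahren wurde eingeleitet",
     "attachments": ["Akte-TextInfo.zip"]},
    {"from": "postman@example.org", "subject": "Your Password",
     "attachments": ["reg_pass.zip"]},
    {"from": "mailer-daemon@example.org", "subject": "Mail delivery failed",
     "attachments": ["original.eml"]},           # genuine bounce: subject only
    {"from": "alice@example.com", "subject": "Lunch tomorrow?",
     "attachments": ["menu.pdf"]},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(is_sober_lure(m), indicators(m), m["from"], "|", m["subject"])
```

The third sample shows why the subject list alone is a poor rule: "Mail delivery failed" is also what real bounces say, so the ZIP-name requirement is what keeps a gateway from quarantining genuine delivery notifications.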
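The activation mechanism for the mailing routine and the trigger for the update download both depend on the time the worm fetches from the port-37 servers listed under "Clock synchronization". The following Python code is an added example, not the worm's or the vendor's code: it decodes and encodes an RFC 868 Time-protocol reply (four big-endian bytes counting seconds since 1900-01-01 UTC), evaluates the two trigger dates from this description against a decoded time, and flags hosts that talk to TCP port 37 in constructed firewall log lines. `query_time_server()` is the only network call and is not exercised by the constructed sample; the log line format is an assumption.

```python
"""RFC 868 time decoding, Sober.Y trigger evaluation, and a port-37 log check.

Added example, not the worm's or the vendor's code. SAMPLE_REPLY and
SAMPLE_FLOWS are constructed.
"""
import re
import socket
import struct
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
RFC868_OFFSET = 2_208_988_800  # seconds from 1900-01-01 to 1970-01-01

# Trigger moments from the description; 7 PM GMT is 19:00 UTC.
MAIL_TRIGGER = datetime(2005, 11, 21, 19, 0, tzinfo=timezone.utc)
DOWNLOAD_TRIGGER = datetime(2006, 1, 6, 0, 0, tzinfo=timezone.utc)


def decode_rfc868(reply: bytes) -> datetime:
    """Turn a 4-byte Time-protocol reply into an aware UTC datetime."""
    if len(reply) != 4:
        raise ValueError("RFC 868 reply must be exactly 4 bytes")
    (secs_since_1900,) = struct.unpack("!I", reply)
    return UNIX_EPOCH + timedelta(seconds=secs_since_1900 - RFC868_OFFSET)


def encode_rfc868(when: datetime) -> bytes:
    """Inverse of decode_rfc868; useful for building test replies or a honeypot."""
    secs = int((when - UNIX_EPOCH).total_seconds()) + RFC868_OFFSET
    return struct.pack("!I", secs)


def query_time_server(host: str, port: int = 37, timeout: float = 5.0) -> datetime:
    """Fetch the time the way a TCP Time-protocol client does (network call)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reply = sock.recv(4)
    return decode_rfc868(reply)


def due_routines(now: datetime) -> list:
    """Which time-gated routines of the description are active at `now`."""
    due = []
    if now >= MAIL_TRIGGER:
        due.append("mass-mailing")
    if now >= DOWNLOAD_TRIGGER:
        due.append("update-download")
    return due


# Detection side: port 37 is rarely used legitimately, NTP uses 123.
FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def hosts_using_time_protocol(log_lines) -> list:
    """Sources that connected to destination port 37 in firewall-style lines."""
    matches = (FLOW_RE.search(line) for line in log_lines)
    return sorted({m.group(1) for m in matches if m and m.group(3) == "37"})


# Constructed: 0xC72C97B0 seconds since 1900 == 2005-11-21 19:00:00 UTC.
SAMPLE_REPLY = bytes.fromhex("c72c97b0")
# Constructed log lines with TEST-NET addresses; format is an assumption.
SAMPLE_FLOWS = [
    "src=10.0.0.12 dst=192.0.2.10 dport=37 proto=tcp",
    "src=10.0.0.12 dst=192.0.2.20 dport=25 proto=tcp",
    "src=10.0.0.40 dst=192.0.2.30 dport=123 proto=udp",
]

if __name__ == "__main__":
    fetched = decode_rfc868(SAMPLE_REPLY)
    print(fetched.isoformat(), due_routines(fetched))
    print("hosts on port 37:", hosts_using_time_protocol(SAMPLE_FLOWS))
```

Because the worm trusts the fetched time rather than the local clock, blocking outbound TCP/37 at the perimeter (or answering it from an internal server that hands back a date before 21/11/2005) keeps both time-gated routines dormant, which is a cheap containment measure while hosts are cleaned.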
Description added by Oliver Auerbach on Tuesday, 22 November 2005. Description updated by Iulia Diaconescu on Monday, 12 December 2005.