Alias:I-Worm.Sober.b
Type:Worm 
Size:54,784 bytes 
Origin:unknown 
Date:12-18-2003 
Damage:Sends itself by email 
VDF Version:6.23.00.13 
Danger:Low 
Distribution:Medium 

General DescriptionWorm/Sober.B is programmed in Visual Basic 6 and has a size of 54,784 bytes. It sends itself using its own SMTP engine to all email addresses it can find on the local system.

SymptomsWhen activating the worm, a false dialog box appears informing about an error: "Header is missing".

Distribution* Sends itself by email, using its own SMTP engine.

Technical DetailsThe worm Sober.B was developed in Visual Basic 6 and packed with UPX, thus hiding the viral code. The size of the attachment in a Worm/Sober.B email can be different. The worm chooses random characters for the end of the file and so the size of the files can vary between 54 and 60 kbytes.

When the attachment is open, a window appears with the message "Header is missing". In background, the worm Sober.B copies itself on:
* C:\Windows\%System%\%random filename1%.exe (54.784 Bytes)
* C:\Windows\%System%\%random filename2%.exe (54.784 Bytes)
* C:\Windows\%System%\spooler.exe (54.784 Bytes)
* C:\Windows\%System%\mscolmon.ocx

The file "mscolmon.ocx" contains the email addresses found by the malware. Using its own STMP engine the worm Sober.B sends itself to these addresses. It looks for them on the local workstation in the files with the following extensions:
* .htt
* .rtf
* .doc
* .xls
* .ini
* .mdb
* .txt
* .htm
* .html
* .wab
* .pst
* .fdb
* .cfg
* .ldb
* .eml
* .abc
* .ldif
* .nab
* .adp
* .mdw
* .mda
* .mde
* .ade
* .sln
* .dsw
* .dsp
* .vap
* .php
* .asp
* .shtml
* .shtm

Worm/Sober.B infects the files in "My Shared Folder" and so it can spread using filesharing programs (P2P) as Kazaa or Emule.

The worm starts in two instances, so it is running in two places simultaneously in the system. If one of the processes is terminated, the other will establish its absence. The file spooler.exe, inserted by the worm, will restart the deactivated process. The names of the both processes are randomly generated and are not identical to the viral .EXE files. The user has no chance of terminating the both processes at the same time, using Task Manager.

If one attempts to remove the Auto Start entry of the active worm, it immediately writes itself back into the registry. This behavior is obtained with a Visual Basic Timer Object, which periodically checks the registry for this Autorun entry.

The worm enters the following register keys, which can have random names:
* [HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run]
"%Name%"="C:\\WINNT\\System32\\%random filename%.exe"

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run]
"%Name%"="C:\\WINNT\\System32\\%random filename%.exe"

The subject of the email the worm Sober.B sends has one of the following lines:
* George W. Bush wants a new war
* George W. Bush plans new wars
* Have you been hacked?
* You Got Hacked
* Hihi, ich war auf deinem Computer
* Der Kannibale von Rotenburg
* Du bist Ge-Hackt worden
* Ich habe Sie Ge-hackt

The name of the attachment will be randomly chosen from the following list:
* allfiles.cmd
* Files-Text.pif
* FilesList.pif
* Server.com
* yourlist.pif
* www.gwbush-new-wars.com
* www.hcket-user-pcs.com

The mail sent by the worm Sober.B can look like this:

Subject:
Re: George W.Bush plans new wars

Body:
Bush plans new wars again China, Cuba and Iran.
Please visit our website and vote against this very crazy war(s).
More information:

Attachment:
www.gwbush-new-wars.com

or

Subject:
Ich habe Sie Ge-hackt

Body:
Du fragst dich sicherlich, was ich alles von Dir habe,
siehe selbst

Attachment:
Files-Text.pif

or

Subject:
Fwd: Der Kannibale von Rotenburg

Body:
Entschuldigen Sie bitte diese überaus deutliche Betreffzeile!
Aber ein neuer Dialer macht mit dieser Überschrift unzählige User zu
Opfern.
Die User werden mit dem versprechen gelockt, sich das äusserts abscheuliche Tat-
Video anzuschauen zu dürfen. Stattdessen aber, installiert sich ein sehr teurer Dialer
und ein Virus
auf dem PC.
Da aber unzählige User auf diese Finte hereinfallen, haben wir mit
Zustimmung des Bundeskriminalamtes BKA, eine Web-Seite erstellt, wo einige dieser
äusserts brisanten Fotos und Videos einzusehen sind, um den Leuten die Neugier zu
nehmen.
Natürlich sind diese Videos und Fotos leicht zensiert worden.
Um auf diesen Web-Server zu gelangen, müssen Sie zuerst bestätigen, dass
Sie das 18 Lebensjahr bereits vollendet haben.
Wir bitten sie ausdrücklichst, keine Kinder diese Seite einsehen zu
lassen.
I.A.: Dieter BXXXXn
----- MultiMedia AG München ia. BKA (ORG. Rund-Mail V6.02)
----- Geschäftsführer: Michael LXXXXXXxn (xxxxxxx) FAX: xxxxxx

Attachment:
Server.com

or

Subject:
You Got Hacked

Body:
by me, idiot!
haha, very nice files on your system.
i've made a website. i show your files on this website hahaha
visit:

Attachment:
www.hcket-user-pcs.com

Manual Remove Instructions- for Windows 2000/XP:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear.

Delete the following files:

* C:\%WinDir%\System32\<%var. Filename1%>.exe (54.784 Bytes)
* C:\%WinDir%\System32\<%var. Filename2%>.exe (54.784 Bytes)
* C:\%WinDir%\System32\spooler.exe (54.784 Bytes)
* C:\%WinDir%\System32\mscolmon.ocx

Start "regedit" after that and delete the following registry entries:

* [HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run]
"%Name%"="C:\\WINNT\\System32\\%random filename%.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run]
"%Name%"="C:\\WINNT\\System32\\%random filename%.exe"

Restart your computer.

- for Windows 9x/Me:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear.

Delete the following files:

* C:\%WinDir%\System\<%var. filename1%>.exe (54.784 Bytes)
* C:\%WinDir%\System\<%var. filename2%>.exe (54.784 Bytes)
* C:\%WinDir%\System\spooler.exe (54.784 Bytes)
* C:\%WinDir%\System\mscolmon.ocx

Start "regedit" after that and delete the following registry entries:

* [HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run]
"%Name%"="C:\\WINNT\\System32\\%random filename%.exe"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run]
"%Name%"="C:\\WINNT\\System32\\%random filename%.exe"

Restart your computer.
Descrizione inserita da Crony Walker su martedì 15 giugno 2004

Indietro . . . .