Virus: Worm/Sober.P
Date discovered: 02/05/2005
Type: Worm
In the wild: Yes
Reported Infections: Medium
Distribution Potential: Medium
Damage Potential: Medium
Static file: No
File size: 53.554 Bytes
VDF version: 6.30.00.151
Heuristic: Worm/Sober.gen

General
Method of propagation:
   • Email


Aliases:
   •  Symantec: W32.Sober.O@mm
   •  Mcafee: W32/Sober.p@MM
   •  Kaspersky: Email-Worm.Win32.Sober.p
   •  TrendMicro: WORM_SOBER.S
   •  Sophos: W32/Sober-N
   •  Panda: W32/Sober.V.worm!CME-456
   •  Grisoft: I-Worm/Sober.P
   •  Bitdefender: Win32.Sober.O@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops files
   • Uses its own Email engine
   • Registry modification


Right after execution the following information is displayed:


Files
It copies itself to the following locations:
   • %WINDIR%\Connection Wizard\Status\csrss.exe
   • %WINDIR%\Connection Wizard\Status\smss.exe
   • %WINDIR%\Connection Wizard\Status\services.exe



The following files are created:

– MIME-encoded copies of itself:
   • %WINDIR%\Connection Wizard\Status\packed1.sbr
   • %WINDIR%\Connection Wizard\Status\packed2.sbr
   • %WINDIR%\Connection Wizard\Status\packed3.sbr

– Files that contain collected email addresses:
   • %WINDIR%\Connection Wizard\Status\sacri1.ggg
   • %WINDIR%\Connection Wizard\Status\voner1.von
   • %WINDIR%\Connection Wizard\Status\voner2.von
   • %WINDIR%\Connection Wizard\Status\voner3.von

– A file used temporarily, which may be deleted afterwards:
   • %WINDIR%\Connection Wizard\Status\kjfdmcge.ano

%WINDIR%\Connection Wizard\Status\fastso.ber



It tries to download files:

The download is triggered by the built-in time synchronisation via the NTP protocol at the following point in time:
Date: 10/05/2005


– The locations are the following:
   • http://free.pages.at/tllqjirbsi/**********
   • http://home.arcor.de/cqxecyrdhsi/**********
   • http://home.pages.at/vvhrcihcegtecf/**********
   • http://people.freenet.de/dscpxgtcufas/**********
   • http://people.freenet.de/hiigplbjat/**********
   • http://people.freenet.de/lqmjaveww/**********
   • http://people.freenet.de/xqzzvnnaxwiu/**********
   • http://people.freenet.de/ygdgyndzzbm/**********
   • http://scifi.pages.at/riwbagyixmzg/**********
Furthermore, the downloaded file is executed once it has been fully downloaded. Further investigation showed that this file is malware, too.

Registry
The following registry entries are added so that the worm is started again after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "_WinStart"="c:\windows\\Connection Wizard\\Status\\services.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • " WinStart"="c:\windows\\Connection Wizard\\Status\\services.exe"
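As an added host-triage example (not Avira's code), the check below flags the drop locations and Run values described above. It takes a file listing and a registry export as plain Python data so it runs offline; the sample listing and export are constructed, and the path names and Run-key handling are taken from the description above.

```python
# Added host-triage example (not Avira's code): checks a file listing and a
# Run-key export for the Sober.P drop locations and autostart values above.
# Both inputs are snapshots handed in by the caller; the sample data is constructed.
import ntpath

DROP_DIR = r"\Connection Wizard\Status"          # appended to %WINDIR%
DROPPED_NAMES = {
    "csrss.exe", "smss.exe", "services.exe",       # copies of the worm
    "packed1.sbr", "packed2.sbr", "packed3.sbr",   # MIME-encoded copies
    "sacri1.ggg", "voner1.von", "voner2.von", "voner3.von",  # harvested addresses
    "kjfdmcge.ano", "fastso.ber",
}
RUN_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
}

def find_sober_files(paths, windir=r"C:\WINDOWS"):
    """Return paths that sit in the drop directory under one of the worm's names.
    The copies are named after real system processes (csrss.exe, smss.exe,
    services.exe), so the directory, not the filename, is what distinguishes them."""
    drop_dir = (windir + DROP_DIR).lower()
    hits = []
    for p in paths:
        head, tail = ntpath.split(p)
        if head.lower() == drop_dir and tail.lower() in DROPPED_NAMES:
            hits.append(p)
    return hits

def find_sober_run_values(run_values):
    """run_values: {key_path: {value_name: data}} as exported from the registry.
    Any Run value whose data points into the drop directory is flagged; the value
    name is not matched because the page shows both "_WinStart" and " WinStart"."""
    hits = []
    for key, values in run_values.items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            if DROP_DIR.lower() in data.lower():
                hits.append((key, name, data))
    return hits

SAMPLE_FILES = [  # constructed listing: one legitimate csrss.exe, two worm files
    r"C:\WINDOWS\system32\csrss.exe",
    r"C:\WINDOWS\Connection Wizard\Status\csrss.exe",
    r"C:\WINDOWS\Connection Wizard\Status\sacri1.ggg",
]
SAMPLE_RUN = {  # constructed export of one Run key
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "_WinStart": r"c:\windows\Connection Wizard\Status\services.exe",
        "Updater": r"C:\Program Files\SomeApp\updater.exe",
    },
}
```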

Email
It contains an integrated SMTP engine in order to send emails. A direct connection to the destination mail server is established. The characteristics are described below.
The language in which the email is sent depends on the top-level domain.


From:
The sender address is spoofed (generated addresses). Do not assume that the apparent sender intended to send this email to you: they may not know about their infection, or may not be infected at all. Furthermore, you may receive bounced emails telling you that you are infected; this need not be the case either.


To:
– Email addresses found in specific files on the system.


Subject:
The subject of the email is constructed out of the following:

    Sometimes it starts with one of the following:
   • FwD:

    Continued by one of the following:
   • Glueckwunsch: Ihr WM Ticket
   • Ich bin's, was zum lachen ;)
   • Ihr Passwort
   • Ihre E-Mail wurde verweigert
   • Mail-Fehler!
   • mailing error
   • Re:
   • Registration Confirmation
   • WM Ticket Verlosung
   • WM-Ticket-Auslosung
   • Your email was blocked
   • Your Password


Body:
The body of the email is one of the following:

   • Account and Password Information are attached!

   • Diese E-Mail wurde automatisch erzeugt
     Mehr Information finden Sie unter http://www.%sender's domain name and top level domain from email address%
     
     ----------
     Folgende Fehler sind aufgetreten:
     
     Fehler konnte nicht Explicit ermittelt werden
     
     End Transmission
     ----------
     
     Aus Datenschutzrechtlichen Gruenden, muss die vollstaendige E-Mail incl. Daten gezippt & angehaengt werden.
     Wir bitten Sie, dieses zu beruecksichtigen.
     
     Auto ReMailer
      [%sender's domain name from email address%]

   • Nun sieh dir das mal an!
     Was ein Ferkel ....

   • ok ok ok,,,,, here is it

   • Passwort und Benutzer-Informationen befinden sich in der beigefuegten Anlage.
     
     
     *-* http://www.%sender's domain name and top level domain from email address%
     *-* MailTo: PasswordHelp@%sender's domain name and top level domain from email address%

   • This is an automatically generated E-Mail Delivery Status Notification.
     
     Mail-Header, Mail-Body and Error Description are attached

   • Herzlichen Glueckwunsch,
     
     beim Run auf die begehrten Tickets für die 64 Spiele der Weltmeisterschaft 2006 in Deutschland sind Sie dabei.
     
     Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.
     
     Ihr "ok2006" Team
     St. Rainer Gellhaus
     
     
     --- FIFA-Pressekontakt:
     --- Pressesprecher Jens Grittner und Gerd Graus
     --- FIFA Fussball-Weltmeisterschaft 2006
     --- Organisationskomitee Deutschland
     --- Tel. 069 / 2006 - 2600
     --- Jens.Grittner@ok2006.de
     --- Gerd.Graus@ok2006.de


Sometimes continued by the following:

   • Visit: http://www.%sender's domain name and top level domain from email address%


Sometimes continued by one of the following:

   • **** AntiVirus-System: Kein Virus erkannt
     **** "%receiver's domain name from email address% " AntiVirus Service
     **** WebSite: http://www.%receiver's domain name and top level domain from email address%

   • *** AntiVirus: No Virus found
     *** "%receiver's domain name from email address% " Anti-Virus
     *** http://www.%receiver's domain name and top level domain from email address%

   • *** Server-AntiVirus: No Virus (Clean)
     *** "%receiver's domain name from email address% " Anti-Virus
     *** http://www.%receiver's domain name and top level domain from email address%

   • *** Attachment-Scanner: Status OK
     *** "%receiver's domain name from email address% " Anti-Virus
     *** http://www.%receiver's domain name and top level domain from email address%

   • **** AntiVirus: Kein Virus gefunden
     **** "%receiver's domain name from email address% " AntiVirus Service
     **** WebSite: http://www.%receiver's domain name and top level domain from email address%

   • **** Mail-Scanner: Es wurde kein Virus festgestellt
     **** "%receiver's domain name from email address% " AntiVirus Service
     **** WebSite: http://www.%receiver's domain name and top level domain from email address%


Attachment:
The filename of the attachment is one of the following:
   • account_info.zip
   • account_info-text.zip
   • autoemail-text.zip
   • error-mail_info.zip
   • Fifa_Info-Text.zip
   • LOL.zip
   • mail_info.zip
   • okTicket-info.zip
   • our_secret.zip
   • %sender's domain name from email address%_PassWort-Info.zip

The attachment is an archive containing a copy of the malware itself.
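As an added mail-filter example (not Avira's code), the function below scores an inbound message against the subject lines, attachment names and fake "AntiVirus" footers listed in this section. It uses only the Python standard library; the sample message is constructed, and the scoring weights are my own choice.

```python
# Added mail-filter example (not Avira's code): scores an inbound message
# against the Sober.P subjects, attachment names and fake "AntiVirus" footers
# listed above. Standard library only; the sample message is constructed.
import re
from email import message_from_string

SUBJECTS = {"glueckwunsch: ihr wm ticket", "ich bin's, was zum lachen ;)",
            "ihr passwort", "ihre e-mail wurde verweigert", "mail-fehler!",
            "mailing error", "registration confirmation", "wm ticket verlosung",
            "wm-ticket-auslosung", "your email was blocked", "your password"}
ATTACHMENTS = {"account_info.zip", "account_info-text.zip", "autoemail-text.zip",
               "error-mail_info.zip", "fifa_info-text.zip", "lol.zip",
               "mail_info.zip", "okticket-info.zip", "our_secret.zip"}
PASSWORT_RE = re.compile(r"^[\w.-]+_passwort-info\.zip$", re.I)  # <domain>_PassWort-Info.zip
# Fake scanner footer: three or four asterisks followed by one of the scanner labels.
FOOTER_RE = re.compile(r"^\*{3,4} *(antivirus|server-antivirus|attachment-scanner|mail-scanner)\b", re.I | re.M)

def score_message(raw):
    """Return (score, reasons): 2 for a known subject, 3 per known attachment
    name, 2 for the fake footer. Weights are my own choice."""
    msg = message_from_string(raw)
    findings = []
    subject = (msg.get("Subject") or "").strip()
    core = re.sub(r"^(fwd:|re:) *", "", subject, flags=re.I).lower()  # strip optional prefix
    if core in SUBJECTS:
        findings.append((2, "subject: " + subject))
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS or PASSWORT_RE.match(name):
            findings.append((3, "attachment: " + name))
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("latin-1", "replace")
            if FOOTER_RE.search(body):
                findings.append((2, "fake antivirus footer"))
    return sum(p for p, _ in findings), [why for _, why in findings]

SAMPLE = """\
Subject: FwD: Your Password
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Account and Password Information are attached!
*** AntiVirus: No Virus found
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="account_info.zip"

--b1--
"""
```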

Mailing
Search addresses:
It searches files with the following extensions for email addresses:
   • .abc; .abd; .abx; .adb; .ade; .adp; .adr; .asp; .bak; .bas; .cfg;
      .cgi; .cls; .cms; .csv; .ctl; .dbx; .dhtm; .doc; .dsp; .dsw; .eml;
      .fdb; .frm; .hlp; .imb; .imh; .imm; .inbox; .ini; .jsp; .ldb; .ldif;
      .log; .mbx; .mda; .mdb; .mde; .mdw; .mdx; .mht; .mmf; .msg; .nab;
      .nch; .nfo; .nsf; .nws; .ods; .oft; .php; .phtm; .pl; .pmr; .pp; .ppt;
      .pst; .rtf; .shtml; .slk; .sln; .stm; .tbb; .txt; .uin; .vap; .vbs;
      .vcf; .wab; .wsh; .xhtml; .xls; .xml


Address generation for FROM field:
To generate addresses it uses the following strings:
   • FIFA
   • Gewinn
   • fifa
   • WM-Ticket
   • OK2006
   • Ticket
   • Verlosung
   • Administrator

It uses the same domain list as mentioned above.

The domain is one of the following:
   • ok2006.de
   • fifa.de
To generate addresses it uses the following strings:
   • service
   • webmaster
   • register
   • hostmaster
   • postmaster
   • Admin
   • info



Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • -dav; .dial.; .kundenserver.; .ppp.; .qmail@; .sul.t-; @arin; @avp;
      @ca.; @example.; @foo.; @from.; @gmetref; @iana; @ikarus.; @kaspers;
      @messagelab; @nai.; @panda; @smtp.; @sophos; @www; abuse; announce;
      antivir; anyone; anywhere; bellcore.; bitdefender; clock; detection;
      domain.; emsisoft; ewido.; free-av; freeav; ftp.; gold-certs; google;
      host.; icrosoft.; ipt.aol; law2; linux; mailer-daemon; mozilla;
      mustermann@; nlpmail01.; noreply; nothing; ntp-; ntp.; ntp@; office;
      password; postmas; reciver@; secure; service; smtp-; somebody;
      someone; spybot; sql.; subscribe; support; t-dialin; t-ipconnect;
      test@; time; user@; variabel; verizon.; viren; virus; whatever@;
      whoever@; winrar; winzip; you@; yourname

Miscellaneous
Time synchronisation:
In order to synchronise the local time it contacts NTP servers on port 37:
   • ntp.massayonet.com.br
   • ntp.metas.ch
   • ntp.pads.ufrj.br
   • ntp1.arnes.si
   • ntp-2.ece.cmu.edu
   • ntp3.fau.de
   • ntp-sop.inria.fr
   • Rolex.PeachNet.edu
   • rolex.usg.edu
   • sundial.columbia.edu
   • time.nist.gov
   • time.xmission.com
   • time-a.timefreq.bldrdoc.gov
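As an added network-detection example (not Avira's code), the script below scans firewall log lines for outbound port-37 connections to the time servers listed above and reports hosts that fan out to several of them, which is what one infected machine produces. Port 37 is the RFC 868 Time protocol rather than NTP proper (port 123), so workstation traffic on port 37 is unusual in itself; the log format and the log lines are constructed.

```python
# Added network-detection example (not Avira's code): scans constructed
# firewall log lines for outbound connections to port 37 against the time
# servers listed above. Port 37 is the RFC 868 Time protocol; NTP proper
# uses port 123, so a workstation talking on port 37 is unusual in itself.
import re
from collections import defaultdict

TIME_SERVERS = {
    "ntp.massayonet.com.br", "ntp.metas.ch", "ntp.pads.ufrj.br", "ntp1.arnes.si",
    "ntp-2.ece.cmu.edu", "ntp3.fau.de", "ntp-sop.inria.fr", "rolex.peachnet.edu",
    "rolex.usg.edu", "sundial.columbia.edu", "time.nist.gov", "time.xmission.com",
    "time-a.timefreq.bldrdoc.gov",
}
# Constructed (hypothetical) log format: "<ts> <src> -> <dsthost>:<port>/<proto>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)/(tcp|udp)$")

def port37_by_host(lines):
    """Return {src: [dsthost, ...]} for port-37 connections to listed servers."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, src, dst, port, _ = m.groups()
        if port == "37" and dst.lower() in TIME_SERVERS:
            hits[src].append(dst)
    return dict(hits)

def suspicious_hosts(lines, min_servers=2):
    """Hosts that reached at least min_servers distinct listed servers on port 37:
    the fan-out one infected machine produces, rather than a single stray lookup."""
    return sorted(h for h, d in port37_by_host(lines).items() if len(set(d)) >= min_servers)

SAMPLE_LOG = [  # constructed: 10.0.0.5 fans out, 10.0.0.9 uses real NTP, 10.0.0.7 one hit
    "2005-05-10T00:00:01 10.0.0.5 -> time.nist.gov:37/tcp",
    "2005-05-10T00:00:02 10.0.0.5 -> ntp3.fau.de:37/tcp",
    "2005-05-10T00:00:03 10.0.0.9 -> time.nist.gov:123/udp",
    "2005-05-10T00:00:04 10.0.0.7 -> Rolex.PeachNet.edu:37/tcp",
]
```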

File details
Programming language:
The malware program was written in Visual Basic.


Runtime packer:
In order to hinder detection and reduce the file size it is packed with the following runtime packer:
   • UPX

Description inserted by Andrei Ivanes on Friday, 7 April 2006
Description updated by Andrei Ivanes on Wednesday, 12 April 2006
