I-Worm.Sober.C, W32.Sober.C@mm, Win32.Sober.C@mm
Variable, ~72 kbytes
Worm/Sober.C sends itself to email addresses found on the infected computer using its own SMTP engine. The attachment contains files with the extensions: .exe, .pif, .bat or .com.
When the worm is activated, a dialog box appears reporting a Runtime Error.
The worm spreads by email, using its own SMTP engine, and over P2P file sharing programs such as "Kazaa" or "Edonkey".
The worm Sober.C, like its predecessor, was developed in Visual Basic 6.0 (German version) and packed with UPX. The UPX header was then changed to make unpacking with traditional methods more difficult.
At the first start, the worm infects all the executables in "My Shared Folder", where it generally occupies the first position. The worm acts as a so-called "overwriter" and causes permanent damage to these executables. The purpose of this procedure is to deliberately spread, over file sharing networks, the data that the worm regularly places in the exchanged files. If the host file is smaller than the worm, the file is completely overwritten.
Worm/Sober.C makes three copies of itself in the Windows system directory, two of them with different (random) names, such as a file named "SYSHOSTX.EXE".
Then, a message box appears, with the following message: "%FILENAME% has caused an unknown error. Stop: 00000010x08"
The worm generally starts in two instances, which means it runs twice in the system simultaneously. If one of the processes is terminated, the other detects its absence and starts a new process to replace the terminated one. Thus, the user has no chance of terminating both processes at the same time using Task Manager.
Beyond that, the worm blocks normal read access to its files. For this, it uses the "exclusive rights" mode, so that these files cannot be opened with normal read rights. This is similar to the Windows procedure used for protecting paging files. If one attempts to remove the Auto Start entry of the active worm, it immediately writes itself back into the registry. This behavior is achieved with a Visual Basic Timer object, which periodically checks the registry for this Autorun entry.
The worm enters the following two registry keys, which can have random names:
Sober uses its own SMTP engine to send itself by email.
The subject of the email is randomly chosen from the following list:
Testen Sie ihren IQ
Neuer Dialer Patch!
Ermittlungsverfahren wurde eingeleitet
Ihre IP wurde geloggt
Sie sind ein Raubkopierer
Sie tauschen illegal Dateien aus
Ich hasse dich
Ich zeige sie an!
Sie Drohen mir!!
Anime, Pokemon, Manga, Handy ...
Neu! Legales Filesharing
Umfrage: Rente erst mit 80!
du wirst ausspioniert
Ein Trojaner ist auf Ihrem Rechner!
Du hast einen Trojaner drauf!
Hi, Ich bin's
Sorry, that's your mail
hi, its me
Thank You very very much
you are an idiot
I hate you
Preliminary investigation were started
Your IP was logged
You use illegal File Sharing ...
A Trojan horse is on your PC
a trojan is on your computer!
Anime, Pokemon, Manga, ...
Caution: To all gamers
Afterwards the worm chooses a random name and sends itself as an attachment by email. New in the C version of the Sober worm is the use of two different file extensions in order to hide the real, executable one. This way, in a standard Windows installation, the user can be misled into taking the attachment for a .doc or .txt file, for example:
The worm gathers email addresses from the following file types: htt, rtf, doc, xls, ini, mdb, txt, htm, html, wab, pst, fdb, cfg, ldb, eml, abc, ldif, nab, adp, mdw, mda, mde, ade, sln, dsw, dsp, vap, php, nsf, asp, shtml, shtm, dbx, hlp, mht, nfo. It saves these addresses in its own file savesyss.dll in the Windows system directory.
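A mail-gateway check for the traits described above (the listed subjects, the executable attachment extensions, and the double extension introduced in Sober.C), as an added example that is not part of the original description. The function names, the subset of subjects, the decoy-extension set and the sample message are constructed for illustration.

```python
import email
from email import policy

# Executable extensions the description lists for the worm's attachments.
EXEC_EXTS = (".exe", ".pif", ".bat", ".com")
# Decoy extensions named in the description; extend as needed (assumption).
DECOY_EXTS = (".doc", ".txt")
# Subset of the subject list above, lower-cased; add the remaining entries.
SOBER_SUBJECTS = {"ihre ip wurde geloggt", "ich hasse dich", "hi, ich bin's",
                  "your ip was logged", "i hate you", "hi, its me"}

def double_extension(filename):
    """Return (decoy, real) if the name ends in <decoy>.<executable>, else None."""
    parts = filename.strip().lower().rsplit(".", 2)
    if len(parts) == 3:
        decoy, real = "." + parts[1], "." + parts[2]
        if real in EXEC_EXTS and decoy in DECOY_EXTS:
            return decoy, real
    return None

def inspect(raw_bytes):
    """Return a list of (finding, value) tuples for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").strip()
    if subject.lower() in SOBER_SUBJECTS:
        findings.append(("subject", subject))
    for part in msg.walk():          # walk() also reaches nested MIME parts
        name = part.get_filename()
        if not name:
            continue
        if double_extension(name):
            findings.append(("double-extension", name))
        elif name.strip().lower().endswith(EXEC_EXTS):
            findings.append(("executable", name))
    return findings

# Constructed sample message (not captured traffic).
SAMPLE = (b"From: a@example.com\r\nTo: b@example.com\r\n"
          b"Subject: Your IP was logged\r\nMIME-Version: 1.0\r\n"
          b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
          b"--b1\r\nContent-Type: text/plain\r\n\r\nsee attachment\r\n"
          b"--b1\r\nContent-Type: application/octet-stream\r\n"
          b'Content-Disposition: attachment; filename="report.txt.pif"\r\n'
          b"Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n--b1--\r\n")

if __name__ == "__main__":
    print(inspect(SAMPLE))
```

A subject match alone is a weak signal, since several of the listed subjects are generic; the attachment findings are the ones worth quarantining on.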
Description added by: Crony Walker on Tuesday, June 15, 2004