W32.Sober.X@mm is a severe mass-mailing computer worm that spreads using its own SMTP engine and lowers the security settings of the compromised computer. The messages it sends to harvested contacts are written in either English or German. It was discovered on November 19, 2005 and is part of the Sober family of worms.

Operations by the Sober.X worm

When executed, W32.Sober.X@mm performs the following actions:

  1. Displays a message with the following text:

Title: WinZip Self Extractor
Body: Error in packed Header

  2. Copies itself as the following files:
    • %Windir%\WinSecurity\csrss.exe
    • %Windir%\WinSecurity\services.exe
    • %Windir%\WinSecurity\smss.exe

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  3. Creates the following files, which are MIME-encoded .zip files that contain a copy of the worm:
    • %Windir%\WinSecurity\socket1.ifo
    • %Windir%\WinSecurity\socket2.ifo
    • %Windir%\WinSecurity\socket3.ifo
  4. Creates the following non-malicious files, which will be used by the worm for email harvesting and as internal flags:
    • %Windir%\WinSecurity\mssock1.dli
    • %Windir%\WinSecurity\mssock2.dli
    • %Windir%\WinSecurity\mssock3.dli
    • %Windir%\WinSecurity\winmem1.ory
    • %Windir%\WinSecurity\winmem2.ory
    • %Windir%\WinSecurity\winmem3.ory
    • %Windir%\WinSecurity\sysonce.tst
    • %Windir%\WinSecurity\starter.run
    • %Windir%\WinSecurity\nexttroj.tro
  5. Creates the following zero-byte files in an attempt to stop previous versions of the W32.Sober@mm worm from running:
    • %System%\nonrunso.ber
    • %System%\langeinf.lin
    • %System%\filesms.fms
    • %System%\runstop.rst
    • %System%\rubezahl.rub
    • %System%\bbvmwxxf.hml

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  6. Attempts to end the following processes:
    • mrt.exe
    • asw*.tmp
  7. Attempts to end processes whose names contain any of the following strings:
    • microsoftanti
    • gcas
    • gcip
    • giantanti
    • inetupd.
    • nod32kui
    • nod32.
    • fxsbr
    • avwin.
    • guardgui.
    • aswclnr
    • stinger
    • hijack
    • sober
    • brfix
    • s_t_i_n
    • s-t-i-n
  8. Displays the following message if any of the above processes end:

Title: Antivrus
Body: No Viruses, Trojans or Spyware found! Status: OK

  9. Retrieves the value of the following subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\LUALL.EXE

which by default points to %ProgramFiles%\Symantec\LiveUpdate\LUALL.EXE and overwrites the target file with a copy of itself.

Note: %ProgramFiles% is a variable that refers to the Program Files folder. By default this is C:\Program Files for all Windows versions.

  10. Executes a copy of the worm each time LiveUpdate is launched, and displays one of the following message boxes, depending on the Internet connectivity of the compromised computer:

Title: LiveUpdate {Symantec}
Body: Thank you for using LiveUpdate. All of the Symantec products and components are currently up-to-date.

Title: LiveUpdate {Symantec}
Body: No Connection!

  11. Removes all the files matching the following name criteria in order to disable LiveUpdate:
    • %ProgramFiles%\Symantec\LiveUpdate\a*.exe
    • %ProgramFiles%\Symantec\LiveUpdate\luc*.exe
    • %ProgramFiles%\Symantec\LiveUpdate\ls*.exe
    • %ProgramFiles%\Symantec\LiveUpdate\luu*.exe

  12. Sets a marker, which consists of a byte value located in the worm executable's header, every time the worm copies itself. This marker determines the functionality of each individual copy of the worm. There are five different marker values that signify different actions.
  13. Adds the value:

" Windows " = "%Windir%\WinSecurity\services.exe"

to the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.

  14. Adds the value:

"_Windows " = "%Windir%\WinSecurity\services.exe"

to the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.

  15. Adds the value:

"command" = ""%1" %+"

to the following registry subkey:
HKEY_CLASSES_ROOT\exefile\shell\open

  16. Ends the following service on computers running Windows XP SP2:

Name: vscsvc
Display Name: Security Center

in order to disable the Windows Security Center.

  17. Tries to patch the TCPIP.SYS driver on Windows XP SP2 machines, in the following locations:
    • %System%\drivers\TCPIP.SYS
    • %System%\dllcache\TCPIP.SYS
    • %Windir%\ServicePackFiles\i386\TCPIP.SYS

Note: The worm is able to patch different versions of the TCPIP.SYS file (builds 2180, 2505, 2631, 2685) by modifying the file's checksum and changing the number of allowed half-open connections (a security fix introduced by Microsoft Security Bulletin MS05-019). This change alters the normal functioning of the TCP/IP protocol and may cause network problems.
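A host-side check for the dropped files and Run-key persistence described above, added here as an example (it is not part of the original description and not a vendor tool). It runs over a constructed snapshot of file paths and Run-key values with %Windir% and %System% already expanded, so it works offline on any platform; on a live Windows host the snapshot would come from a directory walk and a registry export.

```python
import ntpath
import re

# Constructed host snapshot, not real telemetry: file paths with their sizes in
# bytes, and Run-key values (full value path -> data). Paths are already expanded.
SAMPLE_FILES = {
    r"C:\Windows\WinSecurity\services.exe": 54_272,
    r"C:\Windows\WinSecurity\socket1.ifo": 73_000,
    r"C:\Windows\System32\nonrunso.ber": 0,
    r"C:\Windows\System32\notepad.exe": 69_120,
}
SAMPLE_RUN_VALUES = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Windows ":
        r"C:\Windows\WinSecurity\services.exe",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
}

# File names taken from the Sober.X description above.
DROPPED_EXE = {"csrss.exe", "services.exe", "smss.exe"}
DROPPED_DATA = re.compile(
    r"^(socket\d\.ifo|mssock\d\.dli|winmem\d\.ory|sysonce\.tst|starter\.run|nexttroj\.tro)$",
    re.IGNORECASE)
KILL_MARKERS = {"nonrunso.ber", "langeinf.lin", "filesms.fms",
                "runstop.rst", "rubezahl.rub", "bbvmwxxf.hml"}

def find_sober_x_artifacts(files, run_values):
    """Return (indicator, location) pairs for every Sober.X artifact in the snapshot."""
    findings = []
    for path, size in files.items():
        folder, name = ntpath.split(path)
        parent = ntpath.basename(folder).lower()
        if parent == "winsecurity" and name.lower() in DROPPED_EXE:
            findings.append(("worm copy in WinSecurity folder", path))
        elif parent == "winsecurity" and DROPPED_DATA.match(name):
            findings.append(("worm data/flag file", path))
        elif name.lower() in KILL_MARKERS and size == 0:
            findings.append(("zero-byte marker file in System folder", path))
    for value_path, data in run_values.items():
        # Flag any Run value whose target lives under WinSecurity, whatever the
        # value name; the description lists " Windows " (HKLM) and "_Windows " (HKCU).
        if "\\winsecurity\\" in data.lower():
            findings.append(("Run-key persistence to WinSecurity", value_path))
    return findings

if __name__ == "__main__":
    for indicator, where in find_sober_x_artifacts(SAMPLE_FILES, SAMPLE_RUN_VALUES):
        print(f"{indicator}: {where}")
```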

  18. Attempts to download and execute the following file from the Internet, starting on January 6, 2006:

[http://] home.pages.at/Gruppfelhuber/[REMOVED]/Sober.exe

The worm may also attempt to download a file from one of the following domains and save it to %Windir%\WinSecurity\attacke.exe before execution:

    • people.freenet.de
    • scifi.pages.at
    • home.pages.at
    • free.pages.at
    • home.arcor.de

The files to be downloaded change every week; for example, a fixed set of files hosted on the domains above (URLs redacted) was scheduled for download on January 20, 2006.

  19. Attempts to use one of a hard-coded list of DNS servers.

  20. Checks the network connection of the compromised computer, and the current date, by connecting on TCP port 37 to one of a hard-coded list of NTP servers.
  21. Gathers email addresses from files with the following extensions:
    • .abc
    • .abd
    • .abx
    • .adb
    • .ade
    • .adp
    • .adr
    • .asp
    • .bak
    • .bas
    • .cfg
    • .cgi
    • .cls
    • .cms
    • .csv
    • .ctl
    • .dbx
    • .dhtm
    • .doc
    • .dsp
    • .dsw
    • .eml
    • .fdb
    • .frm
    • .hlp
    • .imb
    • .imh
    • .imm
    • .inbox
    • .ini
    • .jsp
    • .ldb
    • .ldif
    • .log
    • .mbx
    • .mda
    • .mdb
    • .mde
    • .mdw
    • .mdx
    • .mht
    • .mmf
    • .msg
    • .nab
    • .nch
    • .nfo
    • .nsf
    • .nws
    • .ods
    • .oft
    • .php
    • .phtm
    • .pl
    • .pmr
    • .pp
    • .ppt
    • .pst
    • .rtf
    • .shtml
    • .slk
    • .sln
    • .stm
    • .tbb
    • .txt
    • .uin
    • .vap
    • .vbs
    • .vcf
    • .wab
    • .wsh
    • .xhtml
    • .xls
    • .xml

The worm avoids sending itself to email addresses containing the following strings:

    • -dav
    • .dial.
    • .kundenserver.
    • .ppp.
    • .qmail@
    • .sul.t-
    • @arin
    • @avp
    • @ca.
    • @example.
    • @foo.
    • @from.
    • @gmetref
    • @iana
    • @ikarus.
    • @kaspers
    • @messagelab
    • @nai.
    • @panda
    • @smtp.
    • @sophos
    • @www
    • abuse
    • announce
    • antivir
    • anyone
    • anywhere
    • bellcore.
    • bitdefender
    • clock
    • detection
    • domain.
    • emsisoft
    • ewido.
    • free-av
    • freeav
    • ftp.
    • gold-certs
    • google
    • host.
    • icrosoft.
    • ipt.aol
    • law2
    • linux
    • mailer-daemon
    • mozilla
    • mustermann@
    • nlpmail01.
    • noreply
    • nothing
    • ntp-
    • ntp.
    • ntp@
    • office
    • password
    • postmas
    • reciver@
    • secure
    • service
    • smtp-
    • somebody
    • someone
    • spybot
    • sql.
    • subscribe
    • support
    • t-dialin
    • t-ipconnect
    • test@
    • time
    • user@
    • variabel
    • verizon.
    • viren
    • virus
    • whatever@
    • whoever@
    • winrar
    • winzip
    • you@
    • yourname
  22. Selects an SMTP server from a hard-coded list.
  23. Attempts to send a copy of itself to the gathered email addresses, using the SMTP server selected above. The email may be in either English or German and has the following characteristics:

German:

From: [SPOOFED]

Subject:
One of the following:

Message:
One of the following:

Attachment:
One of the following:

    • [STRING 1].zip
    • [STRING 1]-TextInfo.zip
    • Email.zip
    • Email_text.zip
    • [STRING 2].zip
    • Akte[STRING 2].zip
    • [STRING 3].zip
    • [STRING 3]_Text.zip
    • Ebay.zip
    • Ebay-User_RegC.zip

where the variable [STRING 1] is one of the following strings:

    • Service
    • Webmaster
    • Postman
    • Info
    • Hostmaster
    • Postmaster
    • Admin

and the variable [STRING 2] is one of the following strings:

    • Downloads
    • BKA
    • Internet
    • Post
    • Anzeige
    • BKA.Bund

and the variable [STRING 3] is one of the following strings:

    • Kandidat
    • WWM
    • Auslosung
    • Casting
    • Gewinn
    • Info
    • RTL-Admin
    • RTL
    • Webmaster
    • RTL-TV

English:

From: [SPOOFED]

Subject:
One of the following:

Message:
One of the following:

Attachment:
One of the following:

    • reg_pass.zip
    • reg_pass-data.zip
    • mail.zip
    • mail_body.zip
    • mailtext.zip
    • list[RANDOM CHARACTERS].zip
    • question_list[RANDOM CHARACTERS].zip
    • downloadm.zip

The attachment will contain the following file, which is a copy of the worm:
File-packed_dataInfo.exe
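A mail-gateway check for the attachment characteristics described above, added here as an example that is not part of the original description: it matches the attachment names from the German and English lists and looks inside zip attachments for File-packed_dataInfo.exe. The message is constructed in the block, and its zip holds a dummy text file, not the worm.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment names from the German and English lists above, as one regex.
# [STRING n] alternatives are spelled out; [RANDOM CHARACTERS] becomes \w*.
ATTACHMENT_NAMES = re.compile(
    r"^(?:(?:Service|Webmaster|Postman|Info|Hostmaster|Postmaster|Admin)(?:-TextInfo)?"
    r"|Email(?:_text)?"
    r"|(?:Akte)?(?:Downloads|BKA|Internet|Post|Anzeige|BKA\.Bund)"
    r"|(?:Kandidat|WWM|Auslosung|Casting|Gewinn|Info|RTL-Admin|RTL|Webmaster|RTL-TV)(?:_Text)?"
    r"|Ebay(?:-User_RegC)?"
    r"|reg_pass(?:-data)?|mail(?:_body)?|mailtext|(?:question_)?list\w*|downloadm)\.zip$",
    re.IGNORECASE)
INNER_EXE = "file-packed_datainfo.exe"   # the worm copy carried inside the archive

def scan_message(raw):
    """Return the list of Sober.X indicators found in a raw RFC 822 message (empty if none)."""
    hits = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_NAMES.match(name):
            hits.append(f"attachment name matches Sober.X pattern: {name}")
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK"):          # ZIP local file header magic
            try:
                members = zipfile.ZipFile(io.BytesIO(payload)).namelist()
            except zipfile.BadZipFile:
                continue
            if any(m.lower() == INNER_EXE for m in members):
                hits.append(f"{name} contains {INNER_EXE}")
    return hits

def build_sample(attachment_name, inner_name):
    """Constructed test message (not a real Sober.X sample): a zip holding a dummy file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"not a real executable")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "spoofed@example.com", "alice@example.com", "Registration"
    msg.set_content("Your registration data is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=attachment_name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample("reg_pass-data.zip", "File-packed_dataInfo.exe")))
```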

Stats

Wild

  • Wild level: Medium
  • Number of infections: More than 1000
  • Number of sites: More than 10
  • Geographical distribution: Low
  • Threat containment: Easy
  • Removal: Moderate

Damage

  • Medium

Distribution

  • High
