Friday, 01 April 2005
W32.Sober.N@mm is a mass-mailing worm that uses its own SMTP engine to send itself to addresses gathered from the compromised computer. The email will be in either English or German.
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Sober.N@mm is executed, it performs the following actions:
Copies itself as the following:
%Windir%\addins\explorer\csrss.exe
%System%
%Temp%\_[same file name]
Creates the following files:
%Windir%\addins\explorer\infectok.iok
%Windir%\addins\explorer\jjfggggr.oou
%System%\nonrunso.ber
%System%\adcmmmmq.hjg
%System%\xcvfpokd.tqa
%System%\stopruns.zhz
NOTE: jjfggggr.oou is a text file containing email addresses harvested from the infected computer.
Adds the value:
" SystemDriver" = "%Windir%\addins\explorer\csrss.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that W32.Sober.N@mm is executed every time Windows starts.
Adds the value:
"_SystemDriver" = "%Windir%\addins\explorer\csrss.exe"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that W32.Sober.N@mm is executed every time Windows starts.
Registers itself as a service named wscsvc.
Checks the network connection by contacting the following domains:
microsoft.com
bigfoot.com
yahoo.com
t-online.de
google.com
hotmail.com
Attempts to download a file from the following domains:
home.arcor.de
people.freenet.de
free.pages.at
scifi.pages.at
home.pages.at
Ends processes containing any of the following strings:
gcip
giantanti
stinger
hijack
sober
rclean
May display the following fake error message:
Winsock 2.0 Error
STOP:0x10020AF {Unknown_blocking}
Possible Reason: Your "Firewall" is blocking one or more System files
Check the "Winsock Error Log File" on: C:\WinsockError_log.txt
Creates a non-malicious file named C:\WinsockError_log.txt.
Attempts to dial any available dial-up connection if the infected computer doesn't have an active Internet connection.
Collects email addresses from files with the following extensions:
.exe
.msi
.scr
.com
.bat
.pif
.jpg
.mp3
.mp4
.jpeg
.png
.avi
.mpg
.mpeg
.cmd
Stores the collected email addresses in the file %Windir%\addins\explorer\jjfggggr.oou.
Sends a copy of itself to the email addresses gathered. The email may be in either English or German. The From address is spoofed.
The content of the email will be sent in German, if the found email address contains the following strings:
@gmx
@web
@arcor
@freenet
To delete the values from the registry:
Click Start > Run.
Type regedit, then click OK.
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
" SystemDriver" = "%Windir%\addins\explorer\csrss.exe"
Navigate to the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"_SystemDriver" = "%Windir%\addins\explorer\csrss.exe"
Exit the Registry Editor.
Restart the computer in Normal Mode.
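As an added example (it is not part of the original write-up and not Symantec's code), the following Python script checks a host snapshot for the indicators listed above and can be re-run after the removal steps to confirm nothing is left. It parses a text export of the two Run subkeys in the format that `reg export` produces, compares a list of file paths against the dropped files, and inspects the image path of the wscsvc service. The registry export, file listing, service table and the C:\WINDOWS install root used to expand %Windir% and %System% are constructed values for illustration.

```python
"""Offline indicator check for the W32.Sober.N@mm artefacts described in the write-up.

Added example, not Symantec's code. Inputs are an exported .reg text, a list of
file paths found on the host, and a {service name: image path} table.
"""
import re

WINDIR = r"C:\WINDOWS"  # assumed install root; used to expand %Windir% and %System%

# Indicators from the write-up, kept in their unexpanded %Windir%/%System% form.
RUN_VALUES = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": " SystemDriver",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": "_SystemDriver",
}
WORM_IMAGE = r"%Windir%\addins\explorer\csrss.exe"
DROPPED_FILES = [
    WORM_IMAGE,
    r"%Windir%\addins\explorer\infectok.iok",
    r"%Windir%\addins\explorer\jjfggggr.oou",
    r"%System%\nonrunso.ber",
    r"%System%\adcmmmmq.hjg",
    r"%System%\xcvfpokd.tqa",
    r"%System%\stopruns.zhz",
    r"C:\WinsockError_log.txt",
]
SERVICE_NAME = "wscsvc"

# One REG_SZ line of a .reg export: "name"="data", with \" and \\ escapes inside.
_REG_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def expand(path):
    """Expand the two environment placeholders and normalise case for comparison."""
    return path.replace("%System%", WINDIR + r"\system32").replace("%Windir%", WINDIR).lower()


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {subkey: {value name: data}} for the REG_SZ values in a .reg export.
    Other value types (exported as hex(...)) are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _REG_LINE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def check_run_keys(reg_keys):
    """Flag the two Run values the worm adds (note the leading space in ' SystemDriver')."""
    findings = []
    for subkey, name in RUN_VALUES.items():
        data = reg_keys.get(subkey, {}).get(name)
        if data is not None:
            findings.append(f'registry: {subkey} -> "{name}" = {data}')
    return findings


def check_files(host_paths):
    present = {p.lower() for p in host_paths}
    return [f"file: {p}" for p in DROPPED_FILES if expand(p) in present]


def check_service(services):
    """Windows itself ships a legitimate Security Center service named wscsvc
    (XP SP2 and later), so only a wscsvc whose image is the worm binary is flagged."""
    image = {k.lower(): v for k, v in services.items()}.get(SERVICE_NAME)
    if image is not None and expand(image) == expand(WORM_IMAGE):
        return [f"service: {SERVICE_NAME} -> {image}"]
    return []


def scan(reg_export_text, host_paths, services):
    return (check_run_keys(parse_reg_export(reg_export_text))
            + check_files(host_paths) + check_service(services))


# Constructed sample data: an infected host and a clean one.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" SystemDriver"="%Windir%\\addins\\explorer\\csrss.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"_SystemDriver"="%Windir%\\addins\\explorer\\csrss.exe"
'''
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
INFECTED_FILES = [
    r"C:\WINDOWS\addins\explorer\csrss.exe",
    r"C:\WINDOWS\addins\explorer\jjfggggr.oou",
    r"C:\WINDOWS\system32\stopruns.zhz",
    r"C:\WinsockError_log.txt",
    r"C:\WINDOWS\system32\csrss.exe",  # the genuine csrss.exe; not an indicator
]
CLEAN_FILES = [r"C:\WINDOWS\system32\csrss.exe"]
INFECTED_SERVICES = {"wscsvc": r"%Windir%\addins\explorer\csrss.exe"}
CLEAN_SERVICES = {"wscsvc": r"C:\WINDOWS\system32\svchost.exe -k netsvcs"}

if __name__ == "__main__":
    for finding in scan(INFECTED_REG, INFECTED_FILES, INFECTED_SERVICES):
        print(finding)
```

To use it on a real machine, export the two subkeys with `reg export`, collect a directory listing of %Windir%, %System% and the root of C:, and read the service image paths from the Services console or `sc qc wscsvc`. The service check deliberately compares the image path rather than the name, because a wscsvc service exists on clean Windows XP SP2 and later systems. Expanded-string (REG_EXPAND_SZ) values appear in .reg files as hex(2) data and are not decoded by this parser; the constructed sample uses plain strings. After the removal steps above, a fresh export and listing should produce no findings.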