New Sober variants..

OK, there are some new variants of the Sober worm circulating. I received one at an address that's unfiltered (no virus or spam filtering) and I must say I can see people being duped into looking at the attachment. SANS has a post on it. SARC is calling it W32.Sober.X@mm and rates it at a threat level of three. I've seen many outlets tag it as Sober.Y.


Essentially it comes posing as an email from the FBI or CIA, and you are supposed to open the attachment to review the charges against you. Here's a sample of the one I got:

From: Mail@fbi.gov
Subject: You visit illegal websites
Body:
Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.

Yours faithfully,
Steven Allison

*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000

The attachment was called question_list192.zip, and SANS warns that it MAY not be detected by your antivirus (remember that antivirus typically only knows about samples that match its signature database, which can lag hours or days behind changing viruses).

ClamAV seems to detect it just fine on my filtered mailserver (it detects as Worm.Sober.U).

For your information, here's the ClamAV definition version info from the mailserver:

ClamAV update process started at Tue Nov 22 11:34:24 2005
main.cvd is up to date (version: 34, sigs: 39625, f-level: 5, builder: tkojm)
daily.cvd is up to date (version: 1183, sigs: 1637, f-level: 6, builder: diego)

So, daily.cvd is version 1183 and main.cvd is version 34. If you're filtering with ClamAV on your mailserver you should be safe; however, beware of other possible entry vectors (users who check ISP mail accounts, or other addresses that are unfiltered for whatever reason).

–update 1:14PM EST–

Here are some details from the Symantec writeup.
When the attachment is run you get this error dialog (a decoy; the worm installs anyway):

Title: WinZip Self-Extractor
Body: Error in packed Header

It copies itself as the following files:

* %Windir%\csrss.exe
* %Windir%\WinSecurity\services.exe
* %Windir%\WinSecurity\smss.exe

It prepares these copies of itself for redistribution:

* %Windir%\WinSecurity\socket1.ifo
* %Windir%\WinSecurity\socket2.ifo
* %Windir%\WinSecurity\socket3.ifo

It creates the following "non-malicious" files (this according to Symantec; if they're non-malicious, what are they? Logging? What? Maybe I'll get a chance to test it out locally and see...)

* %Windir%\WinSecurity\mssock1.dli
* %Windir%\WinSecurity\mssock2.dli
* %Windir%\WinSecurity\mssock3.dli
* %Windir%\WinSecurity\winmem1.ory
* %Windir%\WinSecurity\winmem2.ory
* %Windir%\WinSecurity\winmem3.ory
* %Windir%\WinSecurity\sysonce.tst
* %Windir%\WinSecurity\starter.run
* %Windir%\WinSecurity\nexttroj.tro
* %System%\bbvmwxxf.hml
* %System%\langeinf.lin
* %System%\nonrunso.ber
* %System%\rubezahl.rub
* %System%\filesms.fms
* %System%\runstop.rst

It adds " Windows" = "%Windir%\WinSecurity\services.exe" to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in the registry, as well as "_Windows" = "%Windir%\WinSecurity\services.exe" at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, to ensure that it runs again at reboot.

Next it fetches the current date from a long list of public NTP time servers (some forty of them, per the Symantec writeup).

It gathers email addresses from files with the following extensions:

* .abc
* .abd
* .abx
* .adb
* .ade
* .adp
* .adr
* .asp
* .bak
* .bas
* .cfg
* .cgi
* .cls
* .cms
* .csv
* .ctl
* .dbx
* .dhtm
* .doc
* .dsp
* .dsw
* .eml
* .fdb
* .frm
* .hlp
* .imb
* .imh
* .imm
* .inbox
* .ini
* .jsp
* .ldb
* .ldif
* .log
* .mbx
* .mda
* .mdb
* .mde
* .mdw
* .mdx
* .mht
* .mmf
* .msg
* .nab
* .nch
* .nfo
* .nsf
* .nws
* .ods
* .oft
* .php
* .phtm
* .pl
* .pmr
* .pp
* .ppt
* .pst
* .rtf
* .shtml
* .slk
* .sln
* .stm
* .tbb
* .txt
* .uin
* .vap
* .vbs
* .vcf
* .wab
* .wsh
* .xhtml
* .xls
* .xml

It avoids sending to email addresses that contain any of the following strings:

* -dav
* .dial.
* .kundenserver.
* .ppp.
* .qmail@
* .sul.t-
* @arin
* @avp
* @ca.
* @example.
* @foo.
* @from.
* @gmetref
* @iana
* @ikarus.
* @kaspers
* @messagelab
* @nai.
* @panda
* @smtp.
* @sophos
* @www
* abuse
* announce
* antivir
* anyone
* anywhere
* bellcore.
* bitdefender
* clock
* detection
* domain.
* emsisoft
* ewido.
* free-av
* freeav
* ftp.
* gold-certs
* google
* host.
* icrosoft.
* ipt.aol
* law2
* linux
* mailer-daemon
* mozilla
* mustermann@
* nlpmail01.
* noreply
* nothing
* ntp-
* ntp.
* ntp@
* office
* password
* postmas
* reciver@
* secure
* service
* smtp-
* somebody
* someone
* spybot
* sql.
* subscribe
* support
* t-dialin
* t-ipconnect
* test@
* time
* user@
* variabel
* verizon.
* viren
* virus
* whatever@
* whoever@
* winrar
* winzip
* you@
* yourname

What follows are Symantec's samples of the virus text.

German:

From: [SPOOFED]

Subject:
One of the following:

* Ihr Passwort
* Account Information
* SMTP Mail gescheitert
* Mailzustellung wurde unterbrochen
* Ermittlungsverfahren wurde eingeleitet
* Sie besitzen Raubkopien
* RTL: Wer wird Millionaer
* Sehr geehrter Ebay-Kunde

Message:
One of the following:

* Ihre Nutzungsdaten wurden erfolgreich geaendert. Details entnehmen Sie bitte dem Anhang.
*** [http://]www.[DOMAIN NAME OF SENDER]
*** E-Mail: PassAdmin
* Bei uns wurde ein neues Benutzerkonto mit dem Namen
beantragt.
Um das Konto einzurichten, benoetigen wir eine Bestaetigung, dass die bei der Anmeldung angegebene e-Mail-Adresse stimmt.
Bitte senden Sie zur Bestaetigung den ausgefuellten Anhang an uns zurueck.
Wir richten Ihr Benutzerkonto gleich nach Einlangen der Bestaetigung ein und verstaendigen Sie dann per e-Mail, sobald Sie Ihr Konto benutzen koennen.
Vielen Dank,
Ihr Ebay-Team
* Sehr geehrte Dame, sehr geehrter Herr,
das Herunterladen von Filmen, Software und MP3s ist illegal und somit strafbar.
Wir moechten Ihnen hiermit vorab mitteilen, dass Ihr Rechner unter der IP
erfasst wurde. Der Inhalt Ihres Rechner wurde als Beweismittel sichergestellt und es wird ein Ermittlungsverfahren gegen Sie eingleitet.
Die Strafanzeige und die Moeglichkeit zur Stellungnahme wird Ihnen in den naechsten Tagen schriftlich zugestellt.
Aktenzeichen NR.:#
(siehe Anhang)
Hochachtungsvoll
i.A. Juergen Stock
--- Bundeskriminalamt BKA
--- Referat LS 2
--- 65173 Wiesbaden
--- Tel.: +49 (0)611 - 55 - 12331 oder
--- Tel.: +49 (0)611 - 55 - 0
* Glueckwunsch: Bei unserer EMail Auslosung hatten Sie und weitere neun Kandidaten Glueck.
Sie sitzen demnaechst bei Guenther Jauch im Studio!
Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.
+++ RTL interactive GmbH
+++ Geschaeftsfuehrung: Dr. Constantin Lange
+++ Am Coloneum 1
+++ 50829 Koeln
+++ Fon: +49(0) 221-780 0 oder
+++ Fon: +49 (0) 180 5 44 66 99

Attachment:
One of the following:

* [STRING 1].zip
* [STRING 1]-TextInfo.zip
* Email.zip
* Email_text.zip
* [STRING 2].zip
* Akte[STRING 2].zip
* [STRING 3].zip
* [STRING 3]_Text.zip
* Ebay.zip
* Ebay-User_RegC.zip

where the variable [STRING 1] is one of the following strings:

* Service
* Webmaster
* Postman
* Info
* Hostmaster
* Postmaster
* Admin

and the variable [STRING 2] is one of the following strings:

* Downloads
* BKA
* Internet
* Post
* Anzeige
* BKA.Bund

and the variable [STRING 3] is one of the following strings:

* Kandidat
* WWM
* Auslosung
* Casting
* Gewinn
* Info
* RTL-Admin
* RTL
* Webmaster
* RTL-TV

English:

From: [SPOOFED]

Subject:
One of the following:

* Your Password
* Registration Confirmation
* smtp mail failed
* Mail delivery failed
* hi, ive a new mail address
* You visit illegal websites
* Your IP was logged
* Paris Hilton & Nicole Richie

Message:
One of the following:

* Account and Password Information are attached!
Protected message is attached!
=====dHSd9SZd;99zZ((EEEA
=====dw1W)6ZdzSL91WR
***** Go to: [http://]www.[DOMAIN NAME OF SENDER]
***** Email: postman
* This is an automatically generated Delivery Status Notification.
SMTP_Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.
The full mail-text and header is attached!
* hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not sure!
plz read and check ...
cyaaaaaaa
* Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.
Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison
Department Office Admin Mail Post
===dkX XbW6dxPbXWPdSDd@R2XL9)CW9)SRd?kx@?
===dt4OduXRRL062WR)Wd.2XRPX,dKa,dnSS1d4vvy
*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505
++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time
* The Simple Life:
View Paris Hilton & Nicole Richie video clips , pictures & more ;)
Download is free until Jan, 2006!
Please use our Download manager.

Attachment:
One of the following:

* reg_pass.zip
* reg_pass-data.zip
* mail.zip
* mail_body.zip
* mailtext.zip
* list[RANDOM CHARACTERS].zip
* question_list[RANDOM CHARACTERS].zip
* downloadm.zip

The attachment will contain the following file, which is a copy of the worm:

File-packed_dataInfo.exe
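As an added example (not code from this post or from Symantec), here is a small Python filter that flags a raw message as a probable Sober lure using the English subjects, the attachment names and the packed executable name listed above. The message builder constructs a placeholder sample modelled on the FBI email; the recipient address and the zip contents are assumed.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Lure subjects and attachment names from the Symantec details quoted in the post.
SOBER_SUBJECTS = {
    "your password", "registration confirmation", "smtp mail failed",
    "mail delivery failed", "hi, ive a new mail address",
    "you visit illegal websites", "your ip was logged", "paris hilton & nicole richie",
}
SOBER_ATTACHMENTS = re.compile(
    r"^(reg_pass(-data)?|mail(_body|text)?|list\w*|question_list\w*|downloadm)\.zip$", re.IGNORECASE)
SOBER_PAYLOAD = "File-packed_dataInfo.exe"  # executable the worm packs inside the zip

def sober_indicators(raw_message: bytes) -> list[str]:
    """Return the Sober indicators found in a raw RFC 822 message (empty list means none)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in SOBER_SUBJECTS:
        hits.append("subject matches Sober lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if SOBER_ATTACHMENTS.match(name):
            hits.append(f"attachment name {name!r} matches Sober pattern")
        if name.lower().endswith(".zip"):
            try:  # look inside the archive for the packed executable
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    if SOBER_PAYLOAD.lower() in (n.lower() for n in zf.namelist()):
                        hits.append(f"zip contains {SOBER_PAYLOAD}")
            except zipfile.BadZipFile:
                hits.append(f"attachment {name!r} is not a valid zip")
    return hits

def build_sample(subject: str, attachment: str, inner_name: str) -> bytes:
    """Construct a test message modelled on the FBI lure in the post (placeholder bytes, not the worm)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes")  # constructed, harmless content
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "Mail@fbi.gov", "victim@example.net", subject
    msg.set_content("Dear Sir/Madam,\nwe have logged your IP-address on more than 30 illegal Websites.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=attachment)
    return bytes(msg)

if __name__ == "__main__":
    print(sober_indicators(build_sample("You visit illegal websites", "question_list192.zip", SOBER_PAYLOAD)))
```

A mail gateway would run sober_indicators on each inbound message and quarantine anything that returns a non-empty list, which catches the lure even when the antivirus signature has not caught up yet.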

--update 11/23/05--

Some are calling it the biggest email virus outbreak of the year. I've seen tons of notices of it from the mailserver antivirus. I got something suspicious this morning that isn't detected yet but appears to be viral in nature. The CIA and FBI have posted warnings on their websites about the emails. As usual, it disables antivirus and firewall software and opens a back door for the remote install of whatever the writer(s) choose.

More on the email I picked up when I get a chance to look at it. It may be yet another variant.

Security Fix is covering it today as well.

One Response to “New Sober variants..”

  1. Avery J. Parker - Web site hosting and computer service Says:


    [...] Anyway, here are a few of the articles from the last few days. You can look here to see earlier coverage on this site of the bug. [...]