New Sober variants..



Ok – there are some new variants on the Sober worm circulating. I received one on an address that’s unfiltered (no virus/spam filtering) and must say, I can see people being duped into looking at the attachment. SANS has a post on it. SARC is calling it W32.Sober.X@mm and rates it at a threat level of three. I’ve seen many outlets tag it as Sober.Y.


Essentially it arrives posing as an email from the FBI or CIA, telling you to open the attachment to review the charges against you. Here’s a sample of the one I got…

From: Mail@fbi.gov
Subject: You visit illegal websites
Body:
Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.

Yours faithfully,
Steven Allison

*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000

The attachment was called question_list192.zip, and SANS warns that it MAY not be detected by your antivirus (remember that antivirus typically only knows about entries that match its virus database, which can lag hours or days behind changing viruses).

ClamAV seems to detect it just fine on my filtered mailserver (detects as Worm.Sober.U).

For your information, here’s the clamav definition version info from the mailserver…

ClamAV update process started at Tue Nov 22 11:34:24 2005
main.cvd is up to date (version: 34, sigs: 39625, f-level: 5, builder: tkojm)
daily.cvd is up to date (version: 1183, sigs: 1637, f-level: 6, builder: diego)

So, daily.cvd is version 1183 and main.cvd is version 34. If you’re filtering with ClamAV on your mailserver you should be safe; however, beware of other possible entry vectors (users who check ISP mail accounts, or other addresses that are unfiltered for whatever reason).
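If you run several ClamAV gateways, checking that each one's definitions are at least as new as the versions quoted above is something worth scripting rather than eyeballing. The following is an added example (not code from the post or from the ClamAV project) that parses freshclam's status lines and compares them against the main.cvd 34 / daily.cvd 1183 floor the post reports as detecting this variant. The "is up to date" line shape is copied from the post; accepting an "updated" variant of the same line is an assumption about freshclam's wording.

```python
import re
import sys

# Minimum definition versions the post reports as detecting this Sober
# variant (Worm.Sober.U): main.cvd 34 and daily.cvd 1183.
MIN_VERSIONS = {"main.cvd": 34, "daily.cvd": 1183}

# Constructed sample of freshclam output, modelled on the lines quoted in
# the post, for running this check offline.
SAMPLE_FRESHCLAM_LOG = """\
ClamAV update process started at Tue Nov 22 11:34:24 2005
main.cvd is up to date (version: 34, sigs: 39625, f-level: 5, builder: tkojm)
daily.cvd is up to date (version: 1183, sigs: 1637, f-level: 6, builder: diego)
"""

# Matches "<db>.cvd is up to date (version: N, sigs: N, ..." as quoted in
# the post; the "updated" alternative is an assumption about freshclam.
LINE_RE = re.compile(
    r"^(?P<name>\w+\.cvd) (?:is up to date|updated) "
    r"\(version: (?P<version>\d+), sigs: (?P<sigs>\d+)"
)


def parse_freshclam(log_text):
    """Return {database name: version} for every database line found."""
    versions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            versions[m.group("name")] = int(m.group("version"))
    return versions


def check_minimums(versions, minimums=MIN_VERSIONS):
    """Return a list of problems; an empty list means every database is current enough.

    A database that freshclam did not report at all is treated as a problem,
    because an absent line usually means the update failed or the log is
    truncated, not that the database is fine.
    """
    problems = []
    for name, minimum in minimums.items():
        have = versions.get(name)
        if have is None:
            problems.append(f"{name}: not reported by freshclam")
        elif have < minimum:
            problems.append(
                f"{name}: version {have} is older than required {minimum}"
            )
    return problems


if __name__ == "__main__":
    # Usage: python clamcheck.py /var/log/clamav/freshclam.log
    # With no argument the constructed sample above is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_FRESHCLAM_LOG
    problems = check_minimums(parse_freshclam(text))
    print("OK: definitions meet the minimum" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

The exit status makes the script usable from cron or a monitoring check: non-zero means at least one gateway is behind the floor or did not report a database at all.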

–update 1:14PM EST–

Here are some details from the Symantec writeup…
When the attachment is run, you get this…

Title: WinZip Self-Extractor
Body: Error in packed Header

It copies itself as the following files…

# %Windir%\csrss.exe
# %Windir%\WinSecurity\services.exe
# %Windir%\WinSecurity\smss.exe

It prepares these copies of itself for re-distribution…

# %Windir%\WinSecurity\socket1.ifo
# %Windir%\WinSecurity\socket2.ifo
# %Windir%\WinSecurity\socket3.ifo

It creates the following "non-malicious" files (this according to Symantec - if they're non-malicious, what are they? logging? what? - maybe I'll get a chance to test it out locally and see...)


# %Windir%\WinSecurity\mssock1.dli
# %Windir%\WinSecurity\mssock2.dli
# %Windir%\WinSecurity\mssock3.dli
# %Windir%\WinSecurity\winmem1.ory
# %Windir%\WinSecurity\winmem2.ory
# %Windir%\WinSecurity\winmem3.ory
# %Windir%\WinSecurity\sysonce.tst
# %Windir%\WinSecurity\starter.run
# %Windir%\WinSecurity\nexttroj.tro
# %System%\bbvmwxxf.hml
# %System%\langeinf.lin
# %System%\nonrunso.ber
# %System%\rubezahl.rub
# %System%\filesms.fms
# %System%\runstop.rst

It adds the value " Windows" = "%Windir%\WinSecurity\services.exe" to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in the registry, and "_Windows" = "%Windir%\WinSecurity\services.exe" to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, to ensure that it runs at reboot.
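The dropped files and the two Run values above are the host-side indicators a responder would sweep for. Below is an added example (my own code, not the post's or Symantec's) that turns those indicators into a check: the matching is kept in pure functions so it can be run against a directory listing and an exported Run key from any machine, and a small live-host wrapper uses them on Windows. It assumes, as Symantec's writeups conventionally do, that %System% means %Windir%\System32; the sample listing and Run values fed to it below are constructed. Note that only the %Windir%\csrss.exe copy is suspicious: the legitimate csrss.exe lives in System32.

```python
import ntpath
import os

# Files Symantec reports the worm drops, relative to %Windir% and %System%
# (from the post). ntpath is used so the Windows path logic also runs on a
# Linux analysis box.
WINDIR_FILES = [
    r"csrss.exe",                      # legitimate csrss.exe is in System32, not here
    r"WinSecurity\services.exe",
    r"WinSecurity\smss.exe",
    r"WinSecurity\socket1.ifo", r"WinSecurity\socket2.ifo", r"WinSecurity\socket3.ifo",
    r"WinSecurity\mssock1.dli", r"WinSecurity\mssock2.dli", r"WinSecurity\mssock3.dli",
    r"WinSecurity\winmem1.ory", r"WinSecurity\winmem2.ory", r"WinSecurity\winmem3.ory",
    r"WinSecurity\sysonce.tst", r"WinSecurity\starter.run", r"WinSecurity\nexttroj.tro",
]
SYSTEM_FILES = [
    "bbvmwxxf.hml", "langeinf.lin", "nonrunso.ber",
    "rubezahl.rub", "filesms.fms", "runstop.rst",
]

# Run keys and value names from the post. Note the leading space in " Windows".
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": " Windows",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": "_Windows",
}
PERSISTENCE_DATA_SUFFIX = r"\winsecurity\services.exe"


def ioc_paths(windir, system=None):
    """Absolute paths of every dropped file. %System% defaults to %Windir%\\System32 (assumption)."""
    if system is None:
        system = ntpath.join(windir, "System32")
    return ([ntpath.join(windir, f) for f in WINDIR_FILES]
            + [ntpath.join(system, f) for f in SYSTEM_FILES])


def match_dropped_files(observed_paths, windir, system=None):
    """Return the observed paths (e.g. from a directory listing) that match an IoC.

    Comparison is case-insensitive and tolerant of forward slashes, since
    listings exported from different tools differ in both.
    """
    wanted = {ntpath.normcase(p) for p in ioc_paths(windir, system)}
    return sorted(p for p in observed_paths if ntpath.normcase(p) in wanted)


def match_run_values(run_values):
    """run_values: {key path: {value name: data}}. Return (key, name, data) triples that match.

    A hit is either one of the two value names the worm uses or any value whose
    data points at a WinSecurity\\services.exe, so a renamed value is still caught.
    """
    hits = []
    for key, values in run_values.items():
        for name, data in values.items():
            if name in RUN_KEYS.values() or ntpath.normcase(data).endswith(PERSISTENCE_DATA_SUFFIX):
                hits.append((key, name, data))
    return hits


def scan_live_host():
    """Check the running machine; returns (present files, matching Run values). Windows only."""
    windir = os.environ.get("WINDIR") or os.environ.get("SystemRoot") or r"C:\WINDOWS"
    present = [p for p in ioc_paths(windir) if os.path.exists(p)]
    try:
        import winreg
    except ImportError:          # not Windows: registry check is skipped
        return present, []
    roots = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    run_values = {}
    for key in RUN_KEYS:
        hive, subkey = key.split("\\", 1)
        values = {}
        try:
            with winreg.OpenKey(roots[hive], subkey) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break
                    values[name] = str(data)
                    i += 1
        except OSError:
            pass
        run_values[key] = values
    return present, match_run_values(run_values)


if __name__ == "__main__":
    files, run_hits = scan_live_host()
    for p in files:
        print("dropped file present:", p)
    for key, name, data in run_hits:
        print(f"persistence value: {key}\\{name!r} = {data}")
    if not files and not run_hits:
        print("no Sober indicators found")
```

Because `match_dropped_files` and `match_run_values` take plain data, the same logic can be run over listings and registry exports collected from many hosts without touching them again.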

Next it checks the current date against the following time servers...


# Rolex.PeachNet.edu
# clock.psu.edu
# cuckoo.nevada.edu
# gandalf.theunixman.com
# nist1.datum.com
# ntp-1.ece.cmu.edu
# ntp-2.ece.cmu.edu
# ntp-sop.inria.fr
# ntp.lth.se
# ntp.massayonet.com.br
# ntp.metas.ch
# ntp.pads.ufrj.br
# ntp0.cornell.edu
# ntp1.arnes.si
# ntp1.theremailer.net
# ntp2.ien.it
# ntp2b.mcc.ac.uk
# ntp2c.mcc.ac.uk
# ntp3.fau.de
# ntps1-1.uni-erlangen.de
# ptbtime2.ptb.de
# rolex.usg.edu
# st.ntp.carnet.hr
# sundial.columbia.edu
# swisstime.ethz.ch
# tick.greyware.com
# time-a.timefreq.bldrdoc.gov
# time-ext.missouri.edu
# time.chu.nrc.ca
# time.ien.it
# time.kfki.hu
# time.mit.edu
# time.nist.gov
# time.nrc.ca
# time.windows.com
# time.xmission.com
# timelord.uregina.ca
# tock.keso.fi
# utcnist.colorado.edu
# vega.cbk.poznan.pl
# time.windows.com

It gathers email addresses from files with the following extensions...

# .abc
# .abd
# .abx
# .adb
# .ade
# .adp
# .adr
# .asp
# .bak
# .bas
# .cfg
# .cgi
# .cls
# .cms
# .csv
# .ctl
# .dbx
# .dhtm
# .doc
# .dsp
# .dsw
# .eml
# .fdb
# .frm
# .hlp
# .imb
# .imh
# .imh
# .imm
# .inbox
# .ini
# .jsp
# .ldb
# .ldif
# .log
# .mbx
# .mda
# .mdb
# .mde
# .mdw
# .mdx
# .mht
# .mmf
# .msg
# .nab
# .nch
# .nfo
# .nsf
# .nws
# .ods
# .oft
# .php
# .phtm
# .pl
# .pmr
# .pp
# .ppt
# .pst
# .rtf
# .shtml
# .slk
# .sln
# .stm
# .tbb
# .txt
# .uin
# .vap
# .vbs
# .vcf
# .wab
# .wsh
# .xhtml
# .xls
# .xml

It avoids sending to email addresses that match any of the following...

# -dav
# .dial.
# .kundenserver.
# .ppp.
# .qmail@
# .sul.t-
# @arin
# @avp
# @ca.
# @example.
# @foo.
# @from.
# @gmetref
# @iana
# @ikarus.
# @kaspers
# @messagelab
# @nai.
# @panda
# @smtp.
# @sophos
# @www
# abuse
# announce
# antivir
# anyone
# anywhere
# bellcore.
# bitdefender
# clock
# detection
# domain.
# emsisoft
# ewido.
# free-av
# freeav
# ftp.
# gold-certs
# google
# host.
# icrosoft.
# ipt.aol
# law2
# linux
# mailer-daemon
# mozilla
# mustermann@
# nlpmail01.
# noreply
# nothing
# ntp-
# ntp.
# ntp@
# office
# password
# postmas
# reciver@
# secure
# service
# smtp-
# somebody
# someone
# spybot
# sql.
# subscribe
# support
# t-dialin
# t-ipconnect
# test@
# time
# user@
# variabel
# verizon.
# viren
# virus
# whatever@
# whoever@
# winrar
# winzip
# you@
# yourname

What follows are Symantec's samples of the virus text...

German:

From: [SPOOFED]

Subject:
One of the following:

* Ihr Passwort
* Account Information
* SMTP Mail gescheitert
* Mailzustellung wurde unterbrochen
* Ermittlungsverfahren wurde eingeleitet
* Sie besitzen Raubkopien
* RTL: Wer wird Millionaer
* Sehr geehrter Ebay-Kunde

Message:
One of the following:

* Ihre Nutzungsdaten wurden erfolgreich geaendert. Details entnehmen Sie bitte dem Anhang.
*** [http://]www.[DOMAIN NAME OF SENDER]
*** E-Mail: PassAdmin
* Bei uns wurde ein neues Benutzerkonto mit dem Namen
beantragt.
Um das Konto einzurichten, benoetigen wir eine Bestaetigung, dass die bei der Anmeldung angegebene e-Mail-Adresse stimmt.
Bitte senden Sie zur Bestaetigung den ausgefuellten Anhang an uns zurueck.
Wir richten Ihr Benutzerkonto gleich nach Einlangen der Bestaetigung ein und verstaendigen Sie dann per e-Mail, sobald Sie Ihr Konto benutzen koennen.
Vielen Dank,
Ihr Ebay-Team
* Sehr geehrte Dame, sehr geehrter Herr,
das Herunterladen von Filmen, Software und MP3s ist illegal und somit strafbar.
Wir moechten Ihnen hiermit vorab mitteilen, dass Ihr Rechner unter der IP
erfasst wurde. Der Inhalt Ihres Rechner wurde als Beweismittel sichergestellt und es wird ein Ermittlungsverfahren gegen Sie eingleitet.
Die Strafanzeige und die Moeglichkeit zur Stellungnahme wird Ihnen in den naechsten Tagen schriftlich zugestellt.
Aktenzeichen NR.:#
(siehe Anhang)
Hochachtungsvoll
i.A. Juergen Stock
--- Bundeskriminalamt BKA
--- Referat LS 2
--- 65173 Wiesbaden
--- Tel.: +49 (0)611 - 55 - 12331 oder
--- Tel.: +49 (0)611 - 55 - 0
* Glueckwunsch: Bei unserer EMail Auslosung hatten Sie und weitere neun Kandidaten Glueck.
Sie sitzen demnaechst bei Guenther Jauch im Studio!
Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.
+++ RTL interactive GmbH
+++ Geschaeftsfuehrung: Dr. Constantin Lange
+++ Am Coloneum 1
+++ 50829 Koeln
+++ Fon: +49(0) 221-780 0 oder
+++ Fon: +49 (0) 180 5 44 66 99

Attachment:
One of the following:

* [STRING 1].zip
* [STRING 1]-TextInfo.zip
* Email.zip
* Email_text.zip
* [STRING 2].zip
* Akte[STRING 2].zip
* [STRING 3].zip
* [STRING 3]_Text.zip
* Ebay.zip
* Ebay-User_RegC.zip

where the variable [STRING 1] is one of the following strings:

* Service
* Webmaster
* Postman
* Info
* Hostmaster
* Postmaster
* Admin

and the variable [STRING 2] is one of the following strings:

* Downloads
* BKA
* Internet
* Post
* Anzeige
* BKA.Bund

and the variable [STRING 3] is one of the following strings:

* Kandidat
* WWM
* Auslosung
* Casting
* Gewinn
* Info
* RTL-Admin
* RTL
* Webmaster
* RTL-TV

English:

From: [SPOOFED]

Subject:
One of the following:

* Your Password
* Registration Confirmation
* smtp mail failed
* Mail delivery failed
* hi, ive a new mail address
* You visit illegal websites
* Your IP was logged
* Paris Hilton & Nicole Richie

Message:
One of the following:

* Account and Password Information are attached!
Protected message is attached!
=====dHSd9SZd;99zZ((EEEA
=====dw1W)6ZdzSL91WR
***** Go to: [http://]www.[DOMAIN NAME OF SENDER]
***** Email: postman
* This is an automatically generated Delivery Status Notification.
SMTP_Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.
The full mail-text and header is attached!
* hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not sure!
plz read and check ...
cyaaaaaaa
* Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.
Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison
Department Office Admin Mail Post
===dkX XbW6dxPbXWPdSDd@R2XL9)CW9)SRd?kx@?
===dt4OduXRRL062WR)Wd.2XRPX,dKa,dnSS1d4vvy
*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505
++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time
* The Simple Life:
View Paris Hilton & Nicole Richie video clips , pictures & more ;)
Download is free until Jan, 2006!
Please use our Download manager.

Attachment:
One of the following:

* reg_pass.zip
* reg_pass-data.zip
* mail.zip
* mail_body.zip
* mailtext.zip
* list[RANDOM CHARACTERS].zip
* question_list[RANDOM CHARACTERS].zip
* downloadm.zip

The attachment will contain the following file, which is a copy of the worm:

File-packed_dataInfo.exe
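The attachment names and the fixed payload filename above are what a mail gateway can key on while signatures lag behind, as the post warns they may. The following is an added example (my own, not the post's or Symantec's code) of the check: it walks a MIME message, flags attachment names matching the English-variant patterns listed above, opens any ZIP attachment in memory and flags a member named File-packed_dataInfo.exe. It also goes one step beyond the page and flags any executable inside a ZIP attachment, since the worm's name will change before its technique does. `[RANDOM CHARACTERS]` is modelled as one or more letters or digits (an assumption), and the test message it builds is a constructed fixture whose ZIP holds a harmless text stub, not the worm.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Attachment names Symantec lists for the English variant (from the post).
# "[RANDOM CHARACTERS]" is modelled as one or more alphanumerics (assumption).
SUSPECT_NAME_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^reg_pass(-data)?\.zip$",
    r"^mail(_body|text)?\.zip$",
    r"^list[a-z0-9]+\.zip$",
    r"^question_list[a-z0-9]+\.zip$",
    r"^downloadm\.zip$",
)]
WORM_PAYLOAD_NAME = "file-packed_datainfo.exe"   # compared case-insensitively
# Generalisation beyond the page: any executable inside a ZIP attachment is
# reported, not only the name this variant uses.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")


def inspect_message(raw_bytes):
    """Return a list of findings for a raw RFC 822 message; empty means nothing suspicious."""
    msg = email.message_from_bytes(raw_bytes)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:                      # body text or multipart container
            continue
        if any(p.match(name) for p in SUSPECT_NAME_PATTERNS):
            findings.append(f"{name}: attachment name matches a Sober lure pattern")
        payload = part.get_payload(decode=True) or b""
        if payload[:2] != b"PK":          # not a ZIP; content-type headers can lie, so check magic
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    base = member.rsplit("/", 1)[-1].lower()
                    if base == WORM_PAYLOAD_NAME:
                        findings.append(f"{name}: archive contains {member} (known Sober payload name)")
                    elif base.endswith(EXECUTABLE_EXTS):
                        findings.append(f"{name}: archive contains executable {member}")
        except zipfile.BadZipFile:
            findings.append(f"{name}: ZIP signature present but archive is corrupt")
    return findings


def build_sample_message(attachment_name="question_list192.zip",
                         member_name="File-packed_dataInfo.exe"):
    """Constructed fixture modelled on the lure quoted in the post; the ZIP member is a text stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"harmless stub used only to exercise the detector")
    msg = EmailMessage()
    msg["From"] = "Mail@fbi.gov"          # spoofed sender, as in the sample in the post
    msg["To"] = "user@example.com"
    msg["Subject"] = "You visit illegal websites"
    msg.set_content("Dear Sir/Madam,\n\nwe have logged your IP-address on more than 30 illegal Websites.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for line in inspect_message(build_sample_message()) or ["no findings"]:
        print(line)
```

Checking the ZIP magic rather than trusting the declared Content-Type, and looking inside the archive rather than only at its name, are the two points that survive the next rename of the lure: the filter keeps working when the attachment is called something not on Symantec's list.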

--update 11/23/05 --

Some are calling it the biggest email virus outbreak of the year. I've seen tons of notices of it from the mailserver antivirus. I've got something suspicious this morning that isn't detected yet, but appears to be viral in nature. The CIA and FBI have posted warnings on their websites about the emails. As usual, it disables antivirus and firewall software and opens a back door for the remote install of whatever the writer(s) choose.

More on the email I picked up when I get a chance to look at it. It may be yet another variant.

SecurityFix is covering it today as well.
