Sober Alert infectionvectors.com Updated: October 2005
Vectors: Mass Mail (attachment delivered) Impact: Low (high distribution, bandwidth/resource use, no destructive payload)
Sober was first released in the fall of 2003, alongside the successful Internet worms Blaster and Welchia. It is a pure mass mailer that carries English and German versions of its messages, selected according to the top-level domain of the target email address. Sober enjoyed very good success, enticing thousands of users to open the attachment that accompanies each message.
Sober’s later versions followed a similar pattern of execution: each displays a fake error message, adds a Registry entry for automatic startup, drops a copy of the worm, and begins searching the local machine for email addresses to use as targets. Apart from the bandwidth/resource drain, the virus carries no destructive payload (no backdoor routine, no relay established, no data theft or damage, etc.).
Update: November 2004
The latest Sober worm (Sober.I for Symantec, Trend, and Panda) appears to have been distributed widely. Like its cousins, this version uses simple subject/attachment names that will likely entice many users to execute the worm. The attachment arrives as a ZIP, BAT, COM, PIF, or SCR file (most of which are dropped by the majority of corporate mail relays). In some cases the worm may arrive with a double extension (e.g. automail.txt.zip); when a first extension is used, it is one of DOC, EML, TXT, WORD, or XLS. Attachment names are drawn from the following list:
auto_mail
Error_mail
im_shocked
oh_nono
re-mail_system
thats_hard
[target domain name]
Sober.I infections are like previous versions: the only apparent intent is propagation, and no additional payload has been seen in the code.
The message itself is a combination of many hard-coded and random values. For a complete listing of possible choices, see the write up at Panda’s site, or at Trend Micro’s site.
The error box that kicks off a Sober.I infection is titled “WinZip Self-Extractor” and has the following text:
WinZip_Data_Module is missing ~Error: {[hex code generated by worm]}
The German messages have content that differs from the English versions. Using Google's translation tools and some educated guesses, the following were converted from German to English:
German: Aus Datenschutzrechtlichen Gründen, darf die vollständige E'Mail incl. Daten nur angehängt werden. Wir bitten Sie, dieses zu berücksichtigen. GmBH & Co. KG Da unsere Datenbanken leider durch einen Programm Fehler zerstört wurden, mussten wir leider eine änderung bezüglich Ihrer Nutzungs- Daten vornehmen. Ihre geänderten Account Daten, befinden sich im beigefügten Dokument.
English: For data protection reasons, the complete e-mail including its data may only be sent as an attachment. We ask you to take this into consideration. GmbH & Co. KG. Since our databases were unfortunately destroyed by a program error, we unfortunately had to make a change regarding your usage data. Your changed account data is in the attached document.
German: Diese Information ist geschützt duch ein Passwort!
English: This information is protected by a password!
Since you sent us your personal data, the password is your date of birth.
The messages sent in English look like this:
Your password was changed successfully.
Protected message is attached.
_failed_after_I_sent_the_message.
This account_hast_been_disabled.
In addition, the worm may craft some lines indicating that the message was scanned by an AV product.
Update: February 2005
The latest release (Sober.K at most sites) adds a few entertaining wrinkles: one possible message includes a "warning" about a new Sober variant (which, the warning claims, erases hard disks; the attachment is supposedly the cure for the virus), while another purports to be a letter from the FBI (kindly informing you that they have been investigating your Internet habits). The worm continues to be produced in both English and German flavors, carries a few enticing attachment names/subjects, and does no damage to the local system beyond resource consumption.
Update: May 2005
The Sober author once again takes a simple idea and boosts it into high distribution numbers. The Sober.O worm (Symantec; Sober.P at F-Secure, Sober.S at Trend Micro) is again bilingual (German and English) and uses a few clever tags to entice users to open the attachment. This version does attempt to delete a few files which, judging by the search strings, appears to be a move to disable the update function of Symantec AV products.
Inside the compressed archive is a file named "Winzipped-Text_Data" followed by a number of spaces and an EXE or PIF extension, so that the real extension is pushed out of view in most file listings. In many cases the email shows a spam-like TO field, appearing to be addressed to a mailing list. An example:
Update: October 2005
Sober.Q (known as CME-151) was released in early October 2005. This latest iteration of the English/German mass mailer looks very similar to previous versions. It poses as a notification that the user’s password was changed (without specifying what the password in question is actually for). Once executed, Sober.Q opens a small phony error box in an effort to trick users into thinking that nothing was launched on their machines. In the background, however, the worm collects email addresses from the local disk and then sends a copy of itself to each. No additional payload or download has been seen in this version of the mass mailer at this time (as with earlier variants).
Update: November 2005
After a long and successful run, the Sober worm adds another feather to its cap with an incarnation promising racy pictures and more information about why the CIA is investigating you. Sober.X (aka CME-681), released in late November 2005, became the largest worm outbreak of the year. As with previous variants, Sober.X sends itself in English or in German (dependent upon the TLD it is sending its message to).
Inside each ZIP file (no matter the name of the archive) is a copy of the worm named “File-packed_datInfo.exe”. Upon execution (which requires the user to open the contents of the compressed archive), the worm displays a fake warning message, similar to other worms. This is an attempt to mask what the malware is doing in the background by making the user think the file was not successfully opened. See the complete report dedicated to this variant for more details.
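The following is an added example, not part of the original alert, showing how a mail-gateway filter could flag the attachment traits described in the updates above: the Sober.I name list and double extensions, the Sober.O space-padded EXE/PIF file name, and the Sober.X worm file inside any ZIP. The function names, the generalisation of the space-padding check to any base name, and the constructed sample archive are assumptions of this example.

```python
import io
import re
import zipfile

# Attachment base names from the Sober.I list above; "[target domain name]" is
# dynamic, so it is checked against the recipient's own domain instead.
SOBER_I_NAMES = {"auto_mail", "error_mail", "im_shocked", "oh_nono",
                 "re-mail_system", "thats_hard"}
DECOY_EXTS = {"doc", "eml", "txt", "word", "xls"}   # first field of a double extension
FINAL_EXTS = {"zip", "bat", "com", "pif", "scr"}    # extension that actually runs/unpacks
SOBER_X_MEMBER = "file-packed_datinfo.exe"          # worm file inside every Sober.X ZIP

def attachment_findings(filename, recipient=None):
    """Return the list of Sober-style traits found in an attachment name
    (an empty list means nothing matched). Matching is case-insensitive."""
    name = filename.lower()
    found = []
    # Sober.O: "Winzipped-Text_Data" + run of spaces + EXE/PIF hides the real extension.
    # Generalised here (assumption) to any base name followed by padded exe/pif.
    if re.search(r"\s{2,}\.?(exe|pif)$", name):
        found.append("space-padded executable extension")
    parts = name.split(".")
    if len(parts) >= 3 and parts[-1] in FINAL_EXTS and parts[-2] in DECOY_EXTS:
        found.append("double extension %s.%s" % (parts[-2], parts[-1]))
    if parts[0].strip() in SOBER_I_NAMES:
        found.append("Sober.I attachment name")
    if recipient and "@" in recipient:
        domain = recipient.split("@", 1)[1].lower()
        if name.startswith(domain + "."):
            found.append("attachment named after recipient domain")
    return found

def zip_contains_sober_x(zip_bytes):
    """True if any member of the archive (whatever the archive is called) is
    the Sober.X worm file; malformed archives are reported as no match."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return any(n.lower() == SOBER_X_MEMBER for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def build_sample_zip(member_name):
    """Constructed sample archive with a harmless text payload, for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "constructed sample; not a real worm")
    return buf.getvalue()
```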
Copyright © 2004-2005 infectionvectors.com. All rights reserved.