WORM SOBER.AG
It has been reported that new variants of the Sober worm, such as WORM_SOBER.AG, are spreading in the wild. This is a memory-resident mass-mailing worm that propagates by attaching a copy of itself to email messages and sending them with its own SMTP engine. It harvests the email addresses it sends to from the infected system.
The email messages sent by the worm use:
- subjects like “Your IP has been logged”, “Registration Confirmation” and “Your Password”
- attachments like reg_pass.zip, reg_pass-data.zip, etc.
- a message body claiming that the mail comes from the CIA (Washington, DC) or the FBI
- text in English or German
- The worm terminates running processes whose names contain any of the following strings (names of common anti-virus and anti-spyware tools): aswclnr, avwin, Brfix, fxsbr, gcas, gcip, giantanti, guardgui., hijack, inetupd., microsoftanti, nod32., nod32kui, s-t-i-n, sober, stinger
- When executed, it displays a fake error message such as “Error in packet header”
- It creates a folder named %Windows%\WinSecurity and drops several copies of itself there under the file names csrss.exe, services.exe, smss.exe, mssock1.dli, mssock2.dli and mssock3.dli, together with base64-encoded copies named socket1.ifo, socket2.ifo and socket3.ifo. The legitimate csrss.exe, services.exe and smss.exe live in the System32 folder, so files of these names inside WinSecurity are themselves an indicator of infection.
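The following Python script is an added example written for this advisory, not CERT-In or F-Secure code. It turns the indicators listed above into checks an administrator can run: a mail-gateway rule on subject and attachment names, a host check for the WinSecurity folder that also confirms the .ifo files really are base64-encoded executables (decoded data beginning with the MZ header), and a report of which local process names the worm would terminate. The directory the script builds for its own demonstration is a constructed fixture, not a real infection.

```python
import base64
import os
import tempfile

# Indicators quoted from the advisory above. Matching is case-insensitive.
LURE_SUBJECTS = ("your ip has been logged", "registration confirmation", "your password")
LURE_ATTACHMENTS = ("reg_pass.zip", "reg_pass-data.zip")
DROPPED_FILES = ("csrss.exe", "services.exe", "smss.exe",
                 "mssock1.dli", "mssock2.dli", "mssock3.dli")
ENCODED_COPIES = ("socket1.ifo", "socket2.ifo", "socket3.ifo")
KILL_STRINGS = ("aswclnr", "avwin", "brfix", "fxsbr", "gcas", "gcip", "giantanti",
                "guardgui.", "hijack", "inetupd.", "microsoftanti", "nod32.",
                "nod32kui", "s-t-i-n", "sober", "stinger")


def suspicious_mail(subject, attachment_names):
    """Gateway check: True if the subject equals one of the lure subjects
    or any attachment carries one of the lure file names."""
    if subject.strip().lower() in LURE_SUBJECTS:
        return True
    return any(name.strip().lower() in LURE_ATTACHMENTS for name in attachment_names)


def is_base64_pe(path):
    """True if the file is base64 text that decodes to data starting with the
    'MZ' DOS header, i.e. an encoded executable rather than harmless text."""
    try:
        with open(path, "rb") as fh:
            text = b"".join(fh.read().split())      # tolerate line-wrapped base64
        blob = base64.b64decode(text, validate=True)
    except (OSError, ValueError):                   # missing file or not base64
        return False
    return blob[:2] == b"MZ"


def scan_windir(windir):
    # Host check: look in <windir>/WinSecurity for the dropped copies.
    # Legitimate csrss.exe/services.exe/smss.exe live in System32, so any
    # file of that name inside WinSecurity is itself an indicator.
    folder = os.path.join(windir, "WinSecurity")
    result = {"folder": os.path.isdir(folder), "dropped": [], "encoded_pe": []}
    if not result["folder"]:
        return result
    for name in DROPPED_FILES:
        if os.path.isfile(os.path.join(folder, name)):
            result["dropped"].append(name)
    for name in ENCODED_COPIES:
        if is_base64_pe(os.path.join(folder, name)):
            result["encoded_pe"].append(name)
    return result


def at_risk_processes(process_names):
    """Names of running processes the worm would terminate (substring match);
    tells an administrator whether the local AV would survive an infection."""
    return [p for p in process_names if any(k in p.lower() for k in KILL_STRINGS)]


def build_sample_windir():
    """Constructed fixture, not a real infection: a temporary 'Windows' directory
    holding two dropped copies and one base64-encoded stand-in for an executable."""
    windir = tempfile.mkdtemp(prefix="sober_demo_")
    folder = os.path.join(windir, "WinSecurity")
    os.mkdir(folder)
    for name in ("csrss.exe", "services.exe"):
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(b"MZ\x90\x00placeholder")                   # not a real executable
    with open(os.path.join(folder, "socket1.ifo"), "wb") as fh:
        fh.write(base64.encodebytes(b"MZ\x90\x00placeholder"))  # encoded copy
    with open(os.path.join(folder, "socket2.ifo"), "wb") as fh:
        fh.write(base64.encodebytes(b"just some text"))         # base64, but not a PE
    return windir


if __name__ == "__main__":
    print(scan_windir(build_sample_windir()))
    print(at_risk_processes(["nod32kui.exe", "explorer.exe", "stinger.exe"]))
```

On a real host, call scan_windir with the value of the WINDIR environment variable and at_risk_processes with the list of running image names; the gateway rule is deliberately exact on the subject and attachment name, since a substring match on “Your Password” alone would flag a great deal of legitimate mail.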
The worm can update itself to the latest Sober variant on or after January 5, 2006 by downloading from pseudorandom URLs. These URLs point to free public web hosting sites and are generated by an algorithm fixed by the virus author, so they are known in advance. On receiving an update the worm may execute code that reduces the security protection of the affected system.
According to F-Secure, the pseudorandom URLs are the following:
home.arcor.de/dixqshv/
people.freenet.de/wjpropqmlpohj/
people.freenet.de/zmnjgmomgbdz/
people.freenet.de/mclvompycem/
home.arcor.de/jmqnqgijmng/
people.freenet.de/urfiqileuq/
home.arcor.de/nhirmvtg/
free.pages.at/emcndvwoemn/
people.freenet.de/fseqepagqfphv/
home.arcor.de/ocllceclbhs/
scifi.pages.at/zzzvmkituktgr/
people.freenet.de/qisezhin/
home.arcor.de/srvziadzvzr/
people.freenet.de/smtmeihf/
home.pages.at/npgwtjgxwthx/
The list changes every 14 days. From 19 January 2006 the list will be as follows:
people.freenet.de/idoolwnzwuvnmbyava/
people.freenet.de/mhfasfsi/
people.freenet.de/nkpphimpfupn/
people.freenet.de/ozumtinn/
people.freenet.de/bnfyfnueoomubnw/
people.freenet.de/kbyquqbwsku/
people.freenet.de/mlmmmlmhcoqq/
scifi.pages.at/ikzfpaoozw/
home.pages.at/ecljoweqb/
free.pages.at/wgqybixqyjfd/
home.arcor.de/ykfjxpgtb/
home.arcor.de/oodhshe/
home.arcor.de/mtgvxqx/
home.arcor.de/tucrghifwib/
home.arcor.de/ftpkwywvkdbuupw/
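As an added example (not part of the advisory and not F-Secure's data or code), the script below encodes the two published lists and the 14-day rotation, and matches requests in a proxy log against them so that an infected host trying to fetch an update can be spotted. The log lines are constructed samples in Squid's native access.log format; the date windows assume the second list stays valid for 14 days from 19 January 2006, as the rotation interval implies, and lists for later dates are not known from this advisory.

```python
import datetime as dt
from urllib.parse import urlsplit

# The two URL lists quoted from the advisory (F-Secure data). Each list is
# valid for 14 days: the first from 5 January 2006, the second from 19 January.
UPDATE_URLS_FROM_JAN_05 = [
    "home.arcor.de/dixqshv/", "people.freenet.de/wjpropqmlpohj/", "people.freenet.de/zmnjgmomgbdz/",
    "people.freenet.de/mclvompycem/", "home.arcor.de/jmqnqgijmng/", "people.freenet.de/urfiqileuq/",
    "home.arcor.de/nhirmvtg/", "free.pages.at/emcndvwoemn/", "people.freenet.de/fseqepagqfphv/",
    "home.arcor.de/ocllceclbhs/", "scifi.pages.at/zzzvmkituktgr/", "people.freenet.de/qisezhin/",
    "home.arcor.de/srvziadzvzr/", "people.freenet.de/smtmeihf/", "home.pages.at/npgwtjgxwthx/",
]
UPDATE_URLS_FROM_JAN_19 = [
    "people.freenet.de/idoolwnzwuvnmbyava/", "people.freenet.de/mhfasfsi/", "people.freenet.de/nkpphimpfupn/",
    "people.freenet.de/ozumtinn/", "people.freenet.de/bnfyfnueoomubnw/", "people.freenet.de/kbyquqbwsku/",
    "people.freenet.de/mlmmmlmhcoqq/", "scifi.pages.at/ikzfpaoozw/", "home.pages.at/ecljoweqb/",
    "free.pages.at/wgqybixqyjfd/", "home.arcor.de/ykfjxpgtb/", "home.arcor.de/oodhshe/",
    "home.arcor.de/mtgvxqx/", "home.arcor.de/tucrghifwib/", "home.arcor.de/ftpkwywvkdbuupw/",
]
ROTATION = [(dt.date(2006, 1, 5), UPDATE_URLS_FROM_JAN_05),
            (dt.date(2006, 1, 19), UPDATE_URLS_FROM_JAN_19)]
PERIOD = dt.timedelta(days=14)     # assumed to apply to the second list as well


def active_update_urls(day_iso):
    """Return the list the worm would use on the given ISO date (YYYY-MM-DD),
    or None when the date falls outside the two windows the advisory publishes."""
    day = dt.date.fromisoformat(day_iso)
    for start, urls in ROTATION:
        if start <= day < start + PERIOD:
            return urls
    return None


def match_update_url(url):
    """Return the matching indicator for a requested URL, or None. Compares host
    and path prefix only, so scheme, port, query string and any file name
    appended to the directory do not defeat the match."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if not path.endswith("/"):
        path += "/"                    # "/dixqshv" and "/dixqshv/x" both match
    for ioc in UPDATE_URLS_FROM_JAN_05 + UPDATE_URLS_FROM_JAN_19:
        ioc_host, _, ioc_path = ioc.partition("/")
        if host == ioc_host and path.startswith("/" + ioc_path):
            return ioc
    return None


def scan_squid_log(lines):
    """Squid native access.log: timestamp elapsed client action/code size method url ...
    Returns (client, url, indicator) for every request to an update location."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue                   # malformed or truncated line
        client, url = fields[2], fields[6]
        ioc = match_update_url(url)
        if ioc is not None:
            hits.append((client, url, ioc))
    return hits


# Constructed sample log lines (not real traffic) in Squid's native format.
SAMPLE_LOG = [
    "1136764800.101    312 10.0.0.5 TCP_MISS/404 420 GET http://home.arcor.de/dixqshv/ - DIRECT/1.2.3.4 text/html",
    "1136764801.220     88 10.0.0.5 TCP_HIT/200 9876 GET http://www.example.com/index.html - NONE/- text/html",
    "1136764802.455    275 10.0.0.7 TCP_MISS/404 420 GET http://people.freenet.de/idoolwnzwuvnmbyava/index.htm - DIRECT/1.2.3.4 text/html",
    "1136764803.010     40 10.0.0.9 TCP_MISS/200 1500 GET http://home.arcor.de/someone-else/page.html - DIRECT/1.2.3.4 text/html",
]

if __name__ == "__main__":
    for client, url, ioc in scan_squid_log(SAMPLE_LOG):
        print(f"{client} requested {url} (matches {ioc})")
    print(active_update_urls("2006-01-10"))
```

Because the hosting providers serve many legitimate pages, the match is on host plus the exact directory prefix rather than on the host alone; a client that requests one of these directories, whether it receives a 404 or real content, should be treated as infected and isolated.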
At present these URLs do not exist. Since the worm is spreading fast, users and system administrators are advised to apply the following countermeasures:
- Install and maintain up-to-date anti-virus software
- Keep up to date with patches and fixes for the operating system
- Do not visit untrusted websites
- Refer to the CERT-In Anti Virus Policy & Best Practices
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91 11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003