Symantec Security Response: W32.Sober.Q@mm

Discussion in 'malware problems & news' started by Randy_Bell, Oct 6, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    W32.Sober.Q@mm
    Category 2
    Discovered on: October 05, 2005
    Last Updated on: October 06, 2005 03:36:00 PM

    W32.Sober.Q@mm is a mass-mailing worm that uses its own SMTP engine to spread. It sends itself as an email attachment to addresses gathered from the compromised computer. The email may be in either English or German. It has been reported that it may arrive as one of the following files and that inside the ZIP archive is a file named PW_Klass.Pic.packed-bitmap.exe:

    - KlassenFoto.zip
    - pword_change.zip

    Also Known As: CME-151, Sober.Y [Panda Software], W32/Sober.r@MM [McAfee], WORM_SOBER.AC [Trend Micro]

    Type: Worm
    Infection Length: Varies
    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

  3. Randy_Bell
    Trend Micro Medium Risk Virus Alert - WORM_SOBER.AC

    Dear Trend Micro customer,

    As of October 6, 2005 5:52 AM (Pacific Daylight Time; GMT-7:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_SOBER.AC. TrendLabs has received several infection reports indicating that this malware is spreading in USA, Japan, Australia, and Germany.

    This worm propagates via email messages. It uses its own SMTP engine to send a copy of itself as an attachment to target email addresses. It gathers the said addresses from files with certain extensions on an affected system. Most of the files with the said extensions are related to the Web pages visited by an affected user. This worm gathers these types of files under the assumption that visited Web pages may contain text strings that refer to email addresses.

    This worm may also send email messages written in German.

    Upon execution, it displays an error message. It drops a number of files, which aid its mass-mailing routine. The said routine consumes bandwidth that can slow down an affected network's processes.


    TrendLabs will be releasing the following EPS deliverables:

    TMCM Outbreak Prevention Policy 186
    Official Pattern Release 2.879.00
    Damage Cleanup Template 661.04

    For more information on WORM_SOBER.AC, you can visit our Web site at:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBER.AC
    Contact av_query@support.trendmicro.com for inquiries and to report infections in your region.
     
  4. Randy_Bell
    Panda Virus Alerts: Sober.Y incidents increase

    - The number of incidents caused by Sober.Y increases, Panda Software offers free tools to eliminate it -
    Virus Alerts, by Panda Software (http://www.pandasoftware.com)

    Madrid, October 6, 2005 - PandaLabs has detected a significant increase in the number of incidents caused by the new Sober.Y. This new mass-mailing worm has a large capacity to spread and is sent out in messages written in English or German. For this reason, Panda Software has declared an Orange virus alert status. To prevent Sober.Y from continuing to spread, above all across computers that do not have adequate anti-malware protection installed, Panda Software has made its free PQRemove utility available to all users to effectively detect and eliminate this worm from any computer that could be infected. This utility can be downloaded from http://www.pandasoftware.com/download/utilities/.

    According to Luis Corrons, director of PandaLabs "the Sober worms have always boasted about their capacity to spread and this new variant is no exception. This is probably because it uses social engineering techniques, to persuade users to run the infected files, and changes the language of the email message sent, depending on the location of the recipient."

    Sober.Y uses two types of mail to propagate: Firstly, an email in English with the subject "Your new password", which tries to make users think it is notification of a change of password, asking them to check the data in an attached file, pword_change.zip. Secondly, an email written in German claiming to contain a photograph of old school friends in the file KlassenFoto.zip. Both compressed files contain the executable PW_Klass.Pic.packed-bitmap.exe, which is a copy of the worm itself. The message type received varies depending on the extension that appears in the email address. It will only use the German version of the email if the addresses end in .de (Germany), .ch (Switzerland), .at (Austria), or .li (Liechtenstein).

    Computers that have the TruPrevent(tm) proactive technologies from Panda Software installed have been protected since this worm first emerged, as these can effectively detect and block Sober.Y. Panda Software clients that don't yet have these technologies already have the updates available to install them along with their antivirus and ensure they have preventive protection against unknown viruses and intruders, like Sober.Y. For users with a different antivirus program installed, Panda TruPrevent(tm) Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the antivirus is being updated, decreasing the risk of infection. More information about TruPrevent(tm) Technologies at http://www.pandasoftware.com/truprevent

    To help as many users as possible scan and disinfect their systems, Panda Software offers its free, online anti-malware solution, Panda ActiveScan, which now also detects spyware, at http://www.pandasoftware.com/home/default.asp. Webmasters who would like to include ActiveScan on their websites can get the HTML code, free from http://www.pandasoftware.com/partners/webmasters.

    Panda Software also offers users Virus Alerts, an e-bulletin in English and Spanish that gives immediate warning of the emergence of potentially dangerous malicious code. To receive Virus Alerts just visit Panda Software's website (http://www.pandasoftware.com/about/subscriptions/) and complete the corresponding form.

    For more information about Sober.Y and other IT threats go to Panda Software's Encyclopedia at: www.pandasoftware.com/virus_info/enciclopedia
     
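The write-ups above give a mail gateway everything it needs to flag this lure: the two ZIP names, the inner executable PW_Klass.Pic.packed-bitmap.exe and the English subject lines. The following added example (my own code, not from Symantec, Panda or Trend Micro) parses a raw message, opens any ZIP attachment and reports those indicators plus a generic double-extension check; the sample message it builds is constructed here and carries a harmless text file, not the worm.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators quoted in the vendor write-ups above (attachment names, inner file, subjects).
LURE_ZIP_NAMES = {"klassenfoto.zip", "pword_change.zip"}
LURE_EXE_NAME = "pw_klass.pic.packed-bitmap.exe"
LURE_SUBJECTS = {"your new password", "registration confirmation"}
# Generic heuristic: an executable hiding behind a double extension inside a ZIP.
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def scan_message(raw: bytes) -> list[str]:
    """Return the indicator strings found in one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        hits.append(f"subject:{subject}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name in LURE_ZIP_NAMES:
            hits.append(f"zipname:{name}")
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue  # only ZIP attachments are inspected further
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for member in zf.namelist():
                low = member.lower()
                if low == LURE_EXE_NAME:
                    hits.append(f"member:{low}")
                elif low.endswith(EXEC_SUFFIXES) and low.count(".") > 1:
                    hits.append(f"double-ext:{low}")
    return hits


def build_sample(zip_name: str, member: str, subject: str) -> bytes:
    """Constructed test mail: a harmless text file stored under the given name (not the worm)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "placeholder text, constructed for testing")
    m = EmailMessage()
    m["From"] = "sender@example.invalid"   # constructed addresses
    m["To"] = "user@example.de"
    m["Subject"] = subject
    m.set_content("Please check the attached file.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return m.as_bytes()
```

Feed `scan_message` the raw bytes of each inbound message; a non-empty result is a quarantine decision, and the `double-ext` hit catches renamed variants that the fixed names miss.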
  5. Randy_Bell
    TrendMicro NewsLetter: WORM_SOBER.AC

    As of October 6, 2005, TrendLabs has declared a Medium risk alert for WORM_SOBER.AC that is currently spreading in the wild in the U.S., Japan, and Germany. SOBER.AC is written in both German and English languages. It checks the user's system for the version of the Microsoft OS that's running. If it detects GMX as the domain, it installs one of the German versions; otherwise, it installs one of the English versions.

    The worm propagates via email messages that are spammed to recipients. It has no automated capabilities and must therefore be inadvertently executed by the user to install. To entice the user to do this, the author utilizes classic social engineering techniques, disguising the attachment as either a zipped Word document or a zipped image file. The subject lines vary, but include statements such as "I've got your mail on my account!", "Your New Password", and "Registration Confirmation".

    SOBER.AC can download and run executable files from certain Web sites that it points to. However, this worm does not seem to have any backdoor capabilities.

    If you would like to scan your computer for WORM_SOBER.AC, or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/.
     