BitDefender: Win32.Sober.N@mm

Discussion in 'malware problems & news' started by Randy_Bell, Apr 19, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Name: Win32.Sober.N@mm
    Aliases: N/A
    Type: Executable Worm Mass Mailer
    Size: 73541 bytes (packed)
    Discovered: 19.04.2005
    Detected: 19.04.2005
    Spreading: High
    Damage: Medium
    In The Wild: Unknown

    Symptoms:
    Presence of files services.exe, zipped.wrm, maddys.xyz in %WINDOWS%\Config\system.

    Presence of registry key:
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or RunOnce with the value
    "_SystemCheck" = %WINDOWS%\config\system\services.exe

    Technical description:
    The worm comes by mail in German or English.
    The mail address of the sender is spoofed.

    See this link for complete technical details:
    http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=331
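    The indicators in the BitDefender entry above (the drop directory, the three file names and the "_SystemCheck" Run/RunOnce value) are easy to turn into a host check. The script below is an added example, not code from BitDefender or from this thread. It takes the drop directory, file names and the HKCU Run/RunOnce value name from the advisory text; checking HKLM as well, and flagging any Run value whose data points at the dropped services.exe regardless of value name, are this example's own additions. The registry sample embedded in it is constructed for offline demonstration.

```python
r"""
Host check for the Win32.Sober.N@mm indicators quoted above.

Added example, not code from BitDefender or from the thread. The drop
directory (%WINDOWS%\Config\system), the three file names and the HKCU
Run/RunOnce value "_SystemCheck" come from the advisory text; checking
HKLM as well, and flagging any Run value whose data points at the dropped
services.exe regardless of value name, are this example's own additions.
"""
import ntpath  # Windows path semantics, so the logic is testable on any OS
import os
import sys

DROPPED_FILES = ("services.exe", "zipped.wrm", "maddys.xyz")
RUN_VALUE_NAME = "_SystemCheck"
RUN_SUBKEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)


def drop_dir(windir):
    r"""%WINDOWS%\Config\system, where the advisory says the files are dropped."""
    return ntpath.join(windir, "Config", "system")


def check_files(windir, exists=os.path.exists):
    """Return the dropped-file paths that are present.

    `exists` is injectable so the check can be exercised with constructed
    data; on a live host the default os.path.exists is used. A stat call
    still succeeds when another process holds an exclusive lock on the
    file, so presence can be confirmed even if the file cannot be opened.
    """
    base = drop_dir(windir)
    return [ntpath.join(base, name) for name in DROPPED_FILES
            if exists(ntpath.join(base, name))]


def check_run_values(run_values, windir):
    r"""Scan Run/RunOnce values for the persistence entry.

    run_values: {key path: {value name: data}}. A hit is either the
    "_SystemCheck" value name from the advisory, or any value whose data
    resolves to <drop dir>\services.exe. The path is the real indicator:
    the legitimate services.exe lives in %WINDOWS%\system32, not in
    %WINDOWS%\Config\system.
    """
    target = ntpath.normcase(ntpath.join(drop_dir(windir), "services.exe"))
    hits = []
    for key, values in run_values.items():
        for name, data in values.items():
            data_norm = ntpath.normcase(str(data).strip().strip('"'))
            if name.lower() == RUN_VALUE_NAME.lower() or data_norm == target:
                hits.append((key, name, data))
    return hits


def read_run_values_from_registry():
    """Live collector for Windows hosts (HKCU per the advisory, plus HKLM)."""
    import winreg  # only importable on Windows
    out = {}
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    for hive_name, hive in hives:
        for subkey in RUN_SUBKEYS:
            try:
                key = winreg.OpenKey(hive, subkey)
            except OSError:
                continue
            values, index = {}, 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                values[name] = data
                index += 1
            out[hive_name + "\\" + subkey] = values
    return out


# Constructed sample registry content for offline demonstration, not real data.
SAMPLE_RUN_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "_SystemCheck": r"C:\WINDOWS\config\system\services.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce": {
        "Updater": r'"C:\WINDOWS\Config\system\services.exe"',
    },
}


def main():
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    if sys.platform == "win32":
        run_values = read_run_values_from_registry()
    else:
        run_values = SAMPLE_RUN_VALUES  # no registry here; use the constructed sample
    for path in check_files(windir):
        print("dropped file present:", path)
    for key, name, data in check_run_values(run_values, windir):
        print("persistence value: %s\\%s = %s" % (key, name, data))


if __name__ == "__main__":
    main()
```

    Run it on the suspect host as a user who can read HKCU and HKLM; on a non-Windows machine it only exercises the matching logic against the constructed sample. Match on the path, not the file name: a "services.exe" under %WINDOWS%\system32 is the normal Windows binary, while one under %WINDOWS%\Config\system is the indicator the advisory describes.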
     
  2. Randy_Bell

    Last edited: Apr 20, 2005
  3. Happy Bytes

    Happy Bytes Guest

    As usual, these "virus analyses" are wrong and/or incomplete.

    Just a few remarks on it:

    Sober.N also patches the TCPIP.SYS driver to extend the maximum number of possible TCP/IP connections.

    Only McAfee noticed that it connects to time servers.
    My guess is that this was included to fool automated analysis systems which try to change the local system time.

    Next, it uses an exclusive lock on all files except the trash files. This means the worm file is also "protected" from scanning once it is actively running.

    The worm has a highly encrypted Win32 executable ("trojan") attached at the end of the file. I wonder why nobody noticed this :rolleyes:
     