Preventing W32.Sober.Q

Discussion in 'malware problems & news' started by Rmus, Oct 7, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Mar 16, 2005
    The TrendMicro link that Randy posted has a nice diagram showing how this worm works.

    Note that it arrives by email. TrendMicro says under countermeasures, "Do Not Open Untrusted Email." Why do people continue to violate this rule? The current buzz phrase to explain this away is "social engineering techniques."

    Once these worms are installed, they propagate rapidly via email, often using their own SMTP engine, as in the case of W32.Sober. In another thread, Devinco says that SMTP can use any arbitrary port it wants, and not just the standard port 25, and that a properly configured firewall will alert and/or block these attempts.

    Note that this firewall countermeasure is not listed in the TrendMicro diagram, and I've not seen it mentioned on other sites. Why not?

    All that is stated is that they are mass mailers, as if once the worm is installed, one is at the mercy of the worm.

    Well, maybe Devinco is wrong. Only one way to tell - do your own test.

    I happened to receive the W32.Sober.Q in an email October 5, so I read about it and decided to run it and observe what happens.

    The image below shows the files that are installed, as described on the AV sites. I didn't list the Registry Entries.

    Services.exe is the workhorse, initially harvesting a list of email addresses in the socket.dli file. Once this is completed, the worm attempts to connect out to time servers, and these were blocked at the firewall; so the worm essentially did not propagate.

    This worm should never have achieved any status greater than the lowest threat level.


    ~~Be ALERT!!! ~~

    Attached Files: (image of the installed files referenced above; not included in this extraction)

    Last edited: Oct 7, 2005
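The post above makes two observations worth turning into something checkable: a mass-mailer worm's own SMTP engine is not tied to port 25, so a port-based egress rule alone is not enough, and the real tell is one process opening outbound connections to many distinct hosts in a short burst. The following is an added example, not code from the thread or from any firewall product it mentions. It parses a constructed outbound-connection log (the format, process names, and addresses are all made up for illustration), applies a hypothetical egress policy that only lets the known mail client reach the organisation's relay, and then runs a port-agnostic "many distinct destinations per process per minute" detector over the same log.

```python
"""Added example for the Sober.Q thread (not the poster's code).

Two defensive checks for mass-mailer behaviour:
  1. egress_decision(): a port-based egress policy (only the mail client may
     reach the mail relay on mail ports).
  2. find_mass_mailers(): a behavioural detector that ignores the port entirely
     and flags a process contacting many distinct hosts within a short window,
     which is what a worm's own SMTP engine looks like from the host firewall.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log of outbound connection attempts (not a real capture).
# Fields: date, time, process, destination IP, destination port, firewall verdict.
# Note the attempt to port 2525: a port-based rule lets it through.
SAMPLE_LOG = """\
2005-10-05 14:02:01 outlook.exe 192.0.2.10 25 ALLOW
2005-10-05 14:02:05 services.exe 198.51.100.5 25 BLOCK
2005-10-05 14:02:05 services.exe 198.51.100.6 25 BLOCK
2005-10-05 14:02:06 services.exe 198.51.100.7 2525 ALLOW
2005-10-05 14:02:06 services.exe 198.51.100.8 587 BLOCK
2005-10-05 14:02:07 services.exe 203.0.113.9 25 BLOCK
2005-10-05 14:02:08 services.exe 203.0.113.10 25 BLOCK
2005-10-05 14:05:00 browser.exe 192.0.2.20 443 ALLOW
2005-10-05 14:05:30 outlook.exe 192.0.2.10 25 ALLOW
"""

# Hypothetical egress policy (assumed values, not from the thread): only the
# mail client may talk to the organisation's relay, and only on mail ports.
MAIL_RELAY = "192.0.2.10"
MAIL_CLIENTS = {"outlook.exe"}
MAIL_PORTS = {25, 465, 587}


def parse_log(text):
    """Turn the whitespace-separated log lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, proc, ip, port, verdict = line.split()
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "proc": proc,
            "ip": ip,
            "port": int(port),
            "verdict": verdict,
        })
    return events


def egress_decision(proc, ip, port):
    """Port-based policy: 'ALLOW' or 'BLOCK' for one outbound attempt.

    Anything on a mail port must come from a known mail client and go to the
    relay. Traffic on other ports is not judged here, which is exactly the gap
    a worm using an arbitrary port slips through.
    """
    if port in MAIL_PORTS:
        return "ALLOW" if proc in MAIL_CLIENTS and ip == MAIL_RELAY else "BLOCK"
    return "ALLOW"


def find_mass_mailers(events, window=timedelta(seconds=60), min_hosts=5):
    """Flag processes that contact >= min_hosts distinct IPs inside `window`.

    The destination port is deliberately ignored. Returns a dict of
    process name -> largest number of distinct hosts seen in one window.
    """
    by_proc = defaultdict(list)
    for e in events:
        by_proc[e["proc"]].append(e)

    flagged = {}
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["ip"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[proc] = max(flagged.get(proc, 0), len(hosts))
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in events:
        policy = egress_decision(e["proc"], e["ip"], e["port"])
        print(f"{e['proc']:13} -> {e['ip']}:{e['port']:<5} policy={policy}")
    print("mass-mailer candidates:", find_mass_mailers(events))
```

Running it shows the two views side by side: the port-based policy blocks the five port-25/587 attempts from services.exe but waves the port-2525 attempt through, while the behavioural detector flags services.exe on the strength of six distinct destinations in three seconds regardless of port. The legitimate mail client, which talks to one relay, never trips it.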
  2. Randy_Bell

    Randy_Bell Registered Member

    May 24, 2002
    Santa Clara, CA
    Good to see your software firewall did its job and blocked the unauthorized outbound traffic, Rich. ;)