When Sober.J@mm is run, it copies itself to %SystemRoot%, constructing its new filename from these strings:
- sys
- host
- dir
- expoler
- win
- run
- log
- 32
- disc
- crypt
- data
- diag
- spool
- service
- smss32
The worm then creates the following registry entries to ensure it is started each time Windows loads:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
= "%SystemRoot%\"
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
= "%SystemRoot%\"
A new name is generated for each entry from the same wordlist that is used to build the filename.
The worm also creates the following files in the %SystemRoot% directory:
- datamx.dam (Harvested email addresses)
- dgsfzipp.gmx (MIME encoded archive, containing a copy of the worm)
- dgssxy.yoi (Used to disable previous Sober variants)
- nonrunso.ber (Used to disable previous Sober variants)
- Odin-Anon.Ger (Used to disable previous Sober variants)
- read.me (Harmless text file)
- sysmms32.lla (Used to disable previous Sober variants)
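A small triage helper, added here as an example (not code from the original write-up), that applies the naming scheme, Run-key location and dropped-file list above to a constructed set of Run-key values and a constructed %SystemRoot% listing. The .exe extension and the exact quoting of the Run values are assumptions, since the write-up does not state them.

```python
"""Flag Run-key values and %SystemRoot% files consistent with Sober.J's
naming scheme: a filename concatenated from fragments of its wordlist,
placed directly in %SystemRoot%. Constructed example, not the write-up's code."""
import re
from functools import lru_cache

# Wordlist the write-up says Sober.J draws filename fragments from.
FRAGMENTS = ("sys", "host", "dir", "expoler", "win", "run", "log", "32", "disc",
             "crypt", "data", "diag", "spool", "service", "smss32")

# Files the write-up says the worm drops into %SystemRoot%.
DROPPED_FILES = {"datamx.dam", "dgsfzipp.gmx", "dgssxy.yoi", "nonrunso.ber",
                 "odin-anon.ger", "read.me", "sysmms32.lla"}

@lru_cache(maxsize=None)
def is_fragment_concat(stem: str) -> bool:
    """True if `stem` splits entirely into fragments from FRAGMENTS."""
    if stem == "":
        return True
    return any(stem.startswith(f) and is_fragment_concat(stem[len(f):])
               for f in FRAGMENTS)

def suspicious_run_value(value: str) -> bool:
    """Check one Run-key value. Assumes the worm writes %SystemRoot%\\<name>.exe
    (the .exe extension is an assumption; the write-up only gives the wordlist).
    Paths with a subdirectory (e.g. system32\\...) deliberately do not match."""
    m = re.fullmatch(r'"?%SystemRoot%\\([A-Za-z0-9]+)\.exe"?', value, re.I)
    return bool(m) and is_fragment_concat(m.group(1).lower())

def triage(run_values, systemroot_listing):
    """Return (flagged Run values, known dropped files present in the listing)."""
    flagged = [v for v in run_values if suspicious_run_value(v)]
    dropped = sorted(f for f in systemroot_listing if f.lower() in DROPPED_FILES)
    return flagged, dropped

# Constructed sample data: two worm-style entries, three benign ones.
SAMPLE_RUN_VALUES = [
    '"%SystemRoot%\\windiag32.exe"',
    '%SystemRoot%\\crypthostrun.exe',
    '"C:\\Program Files\\Vendor\\updater.exe" /background',
    '%SystemRoot%\\system32\\rundll32.exe shell32.dll,Control_RunDLL',
    '%SystemRoot%\\notepad.exe',
]
SAMPLE_LISTING = ["explorer.exe", "datamx.dam", "read.me", "win.ini"]

if __name__ == "__main__":
    print(triage(SAMPLE_RUN_VALUES, SAMPLE_LISTING))
```

Single fragments such as win.exe or log.exe also satisfy the naming check, so a Run-key hit on its own is weak evidence; confirm it against the dropped files before acting.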
Mail propagation
Sober.J harvests email addresses from files with these extensions:
- pmr
- phtm
- stm
- slk
- inbox
- imb
- csv
- bak
- imh
- xhtml
- imm
- imh
- cms
- nws
- vcf
- ctl
- dhtm
- cgi
- pp
- ppt
- msg
- jsp
- oft
- vbs
- uin
- ldb
- abc
- pst
- cfg
- mdw
- mbx
- mdx
- mda
- adp
- nab
- fdb
- vap
- dsp
- ade
- sln
- dsw
- mde
- frm
- bas
- adr
- cls
- ini
- ldif
- log
- mdb
- xml
- wsh
- tbb
- abx
- abd
- adb
- pl
- rtf
- mmf
- doc
- ods
- nch
- xls
- nsf
- txt
- wab
- eml
- hlp
- mht
- nfo
- php
- asp
- shtml
- dbx
As mentioned above, the worm stores the harvested addresses in %SystemRoot%\datamx.dam; addresses containing any of the following strings are ignored:
- ntp-ntp@
- ntp.
- info@
- test@
- office
- @www
- @from.
- support
- smtp-
- @smtp.
- gold-certs
- ftp.
- .dial.
- .ppp.
- anyone
- subscribe
- announce
- @gmetref
- sql.
- someone
- nothing
- you@
- user@
- reciver@
- somebody
- secure
- me@
- whatever@
- whoever@
- anywhere
- yourname
- mustermann@
- .kundenserver.
- mailer-daemon
- variabel
- password
- noreply
- -dav
- law2
- .sul.t-
- .qmail@
- t-ipconnect
- t-dialin
- ipt.aol
- time
- postmas
- service
- freeav
- @ca.
- abuse
- winrar
- domain.
- host.
- viren
- bitdefender
- spybot
- detection
- ewido.
- emsisoft
- linux
- google
- @foo.
- winzip
- @example.
- bellcore.
- @arin
- mozilla
- @iana
- @avp
- icrosoft.
- @sophos
- @panda
- @kaspers
- free-av
- antivir
- virus
- verizon.
- @ikarus.
- @nai.
- @messagelab
- nlpmail01.
- clock
Next, Sober.J mails itself to all harvested addresses. The mails may be in English or German, with the following characteristics:
Subject
- I've got YOUR email on my account!!
- Ey du DOOF Nase, warum beantw...
Body
- First, Sorry for my very bad English!
Someone send your private mails on my email account!
I think it's an Mail-Provider or SMTP error.
Normally, I delete such emails immediately, but in the mail-text is a name
& adress. I think it's your name and adress.
In the last 8 days i've got 7 mails in my mail-box, but the recipient are
you, not me. lol
OK, I've copied all email text in the Windows Text-Editor and i've zipped
the text file with WinZip.The sender of this mails is in the text file, too.
bye
- Warum beantwortest Du meine E-Mails nicht?
Kommen meine Mails nicht mehr bei dir an oder so???
Habe mir jetzt extra eine neue Mail Adresse bei GMX gemacht!
Ich hoffe mal, das sie jetzt zu dir durch dringen wird.
In meinen anderen Mails habe ich einige Wichtige Dinge niedergeschrieben,
hatte aber keine Lust alles nochmal zu schreiben.
Deshalb habe ich die alten Mail-Texte im Texteditor kopiert und mit Winzip
kleiner gemacht.
Lesen und diesmal auch bescheid geben!!!!
tschau.....
Attachment
The attachment is named text.zip