Sober.X manual removal instructions and info
Virus description
Sober.X@mm is a mass-mailing worm that uses its own SMTP engine to spread. It sends itself as an email attachment to addresses gathered from the compromised computer. The email may be in either English or German. These emails tell recipients that their Internet use has been monitored by the FBI or CIA and that they have accessed illegal websites, and direct them to open the ZIP attachment containing the executable; opening it delivers the Sober payload. The worm then spreads by searching the infected computer for further email addresses to send copies of itself to, skipping addresses at the domains of certain security organizations.
Recognition
When executed, Sober.X@mm performs the following actions:
1. Displays a message with the following text:
Title: WinZip Self-Extractor
Body: Error: CRC not complete
2. Copies itself as the following files:
* %Windir%\csrss.exe
* %Windir%\WinSecurity\services.exe
* %Windir%\WinSecurity\smss.exe
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
3. Creates the following file, which is a MIME-encoded .zip file that contains a copy of the worm: %Windir%\WinSecurity\socket1.ifo
4. Creates the following non-malicious files:
* %Windir%\WinSecurity\mssock1.dli
* %Windir%\WinSecurity\mssock2.dli
* %Windir%\WinSecurity\mssock3.dli
* %Windir%\WinSecurity\winmem1.ory
* %Windir%\WinSecurity\winmem2.ory
* %Windir%\WinSecurity\winmem3.ory
* %Windir%\WinSecurity\sysonce.tst
* %Windir%\WinSecurity\starter.run
* %Windir%\WinSecurity\nexttroj.tro
* %System%\bbvmwxxf.hml
* %System%\langeinf.lin
* %System%\nonrunso.ber
* %System%\rubezahl.rub
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
5. Adds the value "_Windows" = "%Windir%\WinSecurity\services.exe" to the following registry subkeys:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
6. Checks the network connection of the compromised computer, and the current date, by connecting to one of a hard-coded list of public NTP servers.
7. Gathers email addresses from files with the following extensions:
* .abc
* .abd
* .abx
* .adb
* .ade
* .adp
* .adr
* .asp
* .bak
* .bas
* .cfg
* .cgi
* .cls
* .cms
* .csv
* .ctl
* .dbx
* .dhtm
* .doc
* .dsp
* .dsw
* .eml
* .fdb
* .frm
* .hlp
* .imb
* .imh
* .imm
* .inbox
* .ini
* .jsp
* .ldb
* .ldif
* .log
* .mbx
* .mda
* .mdb
* .mde
* .mdw
* .mdx
* .mht
* .mmf
* .msg
* .nab
* .nch
* .nfo
* .nsf
* .nws
* .ods
* .oft
* .php
* .phtm
* .pl
* .pmr
* .pp
* .ppt
* .pst
* .rtf
* .shtml
* .slk
* .sln
* .stm
* .tbb
* .txt
* .uin
* .vap
* .vbs
* .vcf
* .wab
* .wsh
* .xhtml
* .xls
* .xml
The worm avoids sending itself to email addresses containing the following strings:
* -dav
* .dial.
* .kundenserver.
* .ppp.
* .qmail@
* .sul.t-
* @arin
* @avp
* @ca.
* @example.
* @foo.
* @from.
* @gmetref
* @iana
* @ikarus.
* @kaspers
* @messagelab
* @nai.
* @panda
* @smtp.
* @sophos
* @www
* abuse
* announce
* antivir
* anyone
* anywhere
* bellcore.
* bitdefender
* clock
* detection
* domain.
* emsisoft
* ewido.
* free-av
* freeav
* ftp.
* gold-certs
* google
* host.
* icrosoft.
* ipt.aol
* law2
* linux
* mailer-daemon
* mozilla
* mustermann@
* nlpmail01.
* noreply
* nothing
* ntp-
* ntp.
* ntp@
* office
* password
* postmas
* reciver@
* secure
* service
* smtp-
* somebody
* someone
* spybot
* sql.
* subscribe
* support
* t-dialin
* t-ipconnect
* test@
* time
* user@
* variabel
* verizon.
* viren
* virus
* whatever@
* whoever@
* winrar
* winzip
* you@
* yourname
8. Attempts to send a copy of itself to the email addresses gathered. The email may be in either English or German, and has the following characteristics:
German:
From: [SPOOFED]
Subject: One of the following:
* Ihr Passwort
* Account Information
* SMTP Mail gescheitert
* Mailzustellung wurde unterbrochen
* Ermittlungsverfahren wurde eingeleitet
* Sie besitzen Raubkopien
* RTL: Wer wird Millionaer
* Sehr geehrter Ebay-Kunde
Message: One of the following:
* Bei uns wurde ein neues Benutzerkonto mit dem Namen beantragt.
Um das Konto einzurichten, benoetigen wir eine Bestaetigung, dass die bei der Anmeldung angegebene e-Mail-Adresse stimmt.
Bitte senden Sie zur Bestaetigung den ausgefuellten Anhang an uns zurueck.
Wir richten Ihr Benutzerkonto gleich nach Einlangen der Bestaetigung ein und verstaendigen Sie dann per e-Mail, sobald Sie Ihr Konto benutzen koennen.
Vielen Dank,
Ihr Ebay-Team
* Aktenzeichen NR.:#
(siehe Anhang)
Hochachtungsvoll
i.A. Juergen Stock
--- Bundeskriminalamt BKA
--- Referat LS 2
--- 65173 Wiesbaden
--- Tel.: +49 (0)611 - 55 - 12331 oder
--- Tel.: +49 (0)611 - 55 - 0
* Glueckwunsch: Bei unserer EMail Auslosung hatten Sie und weitere neun Kandidaten Glueck.
Sie sitzen demnaechst bei Guenther Jauch im Studio!
Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.
+++ RTL interactive GmbH
+++ Geschaeftsfuehrung: Dr. Constantin Lange
+++ Am Coloneum 1
+++ 50829 Koeln
+++ Fon: +49(0) 221-780 0 oder
+++ Fon: +49 (0) 180 5 44 66 99
Attachment: One of the following:
* [STRING 1].zip
* [STRING 1]-TextInfo.zip
* Email.zip
* Email_text.zip
* [STRING 2].zip
* Akte[STRING 2].zip
* [STRING 3].zip
* [STRING 3]_Text.zip
* Ebay.zip
* Ebay-User_RegC.zip
where the variable [STRING 1] is one of the following strings:
* Service
* Webmaster
* Postman
* Info
* Hostmaster
* Postmaster
* Admin
and the variable [STRING 2] is one of the following strings:
* Downloads
* BKA
* Internet
* Post
* Anzeige
* BKA.Bund
and the variable [STRING 3] is one of the following strings:
* Kandidat
* WWM
* Auslosung
* Casting
* Gewinn
* Info
* RTL-Admin
* RTL
* Webmaster
* RTL-TV
English:
From: [SPOOFED]
Subject: One of the following:
* Your Password
* Registration Confirmation
* smtp mail failed
* Mail delivery failed
* hi, ive a new mail address
* You visit illegal websites
* Your IP was logged
* Paris Hilton & Nicole Richie
Message: One of the following:
* ***** Go to: http://www.[DOMAIN NAME OF SENDER]
***** Email: postman
* hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not sure!
plz read and check ...
cyaaaaaaa
* Please answer our questions!
Steven Allison
Department Office Admin Mail Post
===dkX XbW6dxPbXWPdSDd@R2XL9)CW9)SRd?kx@?
===dt4OduXRRL062WR)Wd.2XRPX,dKa,dnSS1d4vvy
*** Washington, DC 20535
++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505
++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time
* The Simple Life:
View Paris Hilton & Nicole Richie video clips , pictures & more ;)
Download is free until Jan, 2006!
Please use our Download manager.
Attachment: One of the following:
* reg_pass.zip
* reg_pass-data.zip
* mail.zip
* mail_body.zip
* mailtext.zip
* list[RANDOM CHARACTERS].zip
* question_list[RANDOM CHARACTERS].zip
* downloadm.zip
The attachment will contain the following file, which is a copy of the worm:
File-packed_dataInfo.exe
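A mail-gateway check for the characteristics just listed, as an added example that is not part of the original writeup: it matches the subject lines, the attachment-name templates (with [STRING n] expanded from the lists above; the [RANDOM CHARACTERS] suffix is assumed to be alphanumeric) and looks inside the ZIP for File-packed_dataInfo.exe. The sample attachment is constructed in memory, not a real sample.

```python
"""Flag mail matching the Sober.X@mm subject, attachment-name and payload traits above."""
import io
import re
import zipfile

# Subjects from the writeup (German and English), compared case-insensitively.
SUBJECTS = {s.lower() for s in (
    "Ihr Passwort", "Account Information", "SMTP Mail gescheitert", "Mailzustellung wurde unterbrochen",
    "Ermittlungsverfahren wurde eingeleitet", "Sie besitzen Raubkopien", "RTL: Wer wird Millionaer",
    "Sehr geehrter Ebay-Kunde", "Your Password", "Registration Confirmation", "smtp mail failed",
    "Mail delivery failed", "hi, ive a new mail address", "You visit illegal websites",
    "Your IP was logged", "Paris Hilton & Nicole Richie")}
STRING1 = ["Service", "Webmaster", "Postman", "Info", "Hostmaster", "Postmaster", "Admin"]
STRING2 = ["Downloads", "BKA", "Internet", "Post", "Anzeige", "BKA.Bund"]
STRING3 = ["Kandidat", "WWM", "Auslosung", "Casting", "Gewinn", "Info", "RTL-Admin",
           "RTL", "Webmaster", "RTL-TV"]
PAYLOAD_NAME = "file-packed_datainfo.exe"  # the file inside the ZIP, per the writeup

def _alt(words):
    return "(?:" + "|".join(re.escape(w) for w in words) + ")"

# Attachment templates from the writeup. [STRING n] expands from the lists above;
# [RANDOM CHARACTERS] is assumed to be alphanumeric (the writeup does not say).
ATTACHMENT_RE = re.compile("^(?:" + "|".join([
    _alt(STRING1) + "(?:-TextInfo)?", "Email(?:_text)?",
    _alt(STRING2), "Akte" + _alt(STRING2), _alt(STRING3) + "(?:_Text)?",
    "Ebay", "Ebay-User_RegC", "reg_pass(?:-data)?", "mail(?:_body|text)?",
    "(?:question_)?list[A-Za-z0-9]*", "downloadm",
]) + r")\.zip$", re.IGNORECASE)

def classify(subject, attachment_name, attachment_bytes):
    """Return the Sober.X indicators a message matches, e.g. ['subject', 'payload-in-zip']."""
    hits = []
    if subject and subject.strip().lower() in SUBJECTS:
        hits.append("subject")
    if attachment_name and ATTACHMENT_RE.match(attachment_name.strip()):
        hits.append("attachment-name")
    if attachment_bytes:
        try:  # compare base names so a directory prefix inside the archive cannot hide the file
            with zipfile.ZipFile(io.BytesIO(attachment_bytes)) as zf:
                if any(n.rsplit("/", 1)[-1].lower() == PAYLOAD_NAME for n in zf.namelist()):
                    hits.append("payload-in-zip")
        except zipfile.BadZipFile:
            pass  # not a ZIP; the subject and name checks above still apply
    return hits
def sample_zip(inner_name, data=b"MZ placeholder, not a real sample"):
    """Build a constructed ZIP attachment holding one file (test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, data)
    return buf.getvalue()
```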
Removing manually:
1. First try to remove the worm with the online scanner mentioned below.
2. Shut down the PC, wait 30 seconds and turn the power back on.
3. Start the PC in "Safe Mode" (by pressing F8 or CTRL while the PC starts).
4. Click [Start] and then [Run].
5. Type "cmd" [Enter].
6. Type "regedit" [Enter].
7. You are now in the Registry Editor.
Search for the registry keys that the worm places or modifies, as listed above.
Delete each one or restore its default value.
8. Exit the Registry Editor.
9. Reboot your system.
10. Check your system again with the online scanner mentioned below.
11a. Reinstall your antivirus software if it is not working properly.
11b. Update your AV software immediately once it is installed.
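An offline check for the persistence value and dropped files described above, as an added example that is not part of the original instructions: it parses a `reg export` dump of the two Run keys (the sample export in the code is constructed, not taken from a real infection) and expands the %Windir% and %System% file list into concrete paths. The remark that the legitimate csrss.exe lives in %System% is a note added here, not from the writeup.

```python
"""Offline check for the Sober.X@mm persistence value and dropped files listed above."""
# Run value the worm adds under both Run keys (from the writeup).
RUN_VALUE_NAME = "_Windows"
RUN_VALUE_TAIL = r"\WinSecurity\services.exe"
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower(),
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".lower(),
}
# Dropped files relative to %Windir% and %System%. Added note: the legitimate
# csrss.exe lives in %System%, so a copy directly in %Windir% is suspicious on its own.
WINDIR_FILES = ["csrss.exe"] + [r"WinSecurity\%s" % f for f in (
    "services.exe", "smss.exe", "socket1.ifo", "mssock1.dli", "mssock2.dli", "mssock3.dli",
    "winmem1.ory", "winmem2.ory", "winmem3.ory", "sysonce.tst", "starter.run", "nexttroj.tro")]
SYSTEM_FILES = ["bbvmwxxf.hml", "langeinf.lin", "nonrunso.ber", "rubezahl.rub"]
def is_sober_run_value(name, data):
    """True if a Run entry matches the worm's persistence value (case-insensitive)."""
    return name.lower() == RUN_VALUE_NAME.lower() and data.lower().endswith(RUN_VALUE_TAIL.lower())

def expected_paths(windir, system):
    """Expand %Windir% and %System% into the concrete paths to look for on disk."""
    return ([windir.rstrip("\\") + "\\" + f for f in WINDIR_FILES]
            + [system.rstrip("\\") + "\\" + f for f in SYSTEM_FILES])

def parse_reg_export(text):
    """Parse a .reg dump (as written by `reg export`) into {key: {name: data}}.
    Such dumps are UTF-16 on disk; decode before calling. Values are kept as raw strings."""
    result, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result[key] = {}
        elif key is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            result[key][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return result

def find_run_persistence(reg_text):
    """Return (key, data) for every Sober-style value found under either Run key."""
    return [(key, data) for key, values in parse_reg_export(reg_text).items()
            if key.lower() in RUN_KEYS
            for name, data in values.items() if is_sober_run_value(name, data)]

# Constructed sample export (not from a real infection) used for a quick self-check.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"_Windows"="C:\\WINDOWS\\WinSecurity\\services.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"_Windows"="C:\\WINDOWS\\WinSecurity\\services.exe"
'''
```

On a live machine, `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` produces the input for `find_run_persistence`, and `expected_paths` gives the file list to check with `os.path.exists`.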