CNET Security Center: Your complete source of antivirus and Internet security information.
These classic e-mail viruses may be collecting addresses for later spam distribution.
By Robert Vamosi (November 15, 2005)
What it does: Mass-mailing worms that harvest e-mail addresses from the infected machine, possibly for later spam distribution
Means of transmission: E-mail, in either English or German
How to recognize: E-mail messages about a registration, a supposedly misdirected message, or an Excel table, carrying a .zip attachment that unpacks to an .exe
Who is at risk: Windows users
How it works
These Sober variants (released within 12 hours of each other) all spread by e-mail, in either English or German, and harvest e-mail addresses from the infected machine, possibly for later spam distribution. Infection requires the recipient to unpack the .zip attachment and run the .exe inside it.
Sober.t arrives with the following English-language e-mail:
Subject: Registration Confirmation
Body: Thanks for your registration.
Your data are saved in the zipped Word.doc file!
Attachment: registration.zip (containing the file: Word-Text_packedList.exe)
In German, the e-mail is:
Subject: Haben Sie diese EMail verschickt?
Body: Um es vorweg zu sagen: Ich bin kurz davor eine Anzeige gegen sie zu erstatten!
Sie spinnen ja wohl! Die E-Mail hat meine Tochter gelesen!!!!!!
Ich habe Ihnen diese Word-Text Datei zu meiner Entlastung zurueckgeschickt.
Es waere von Vorteil, wenn Sie sich dazu aeussern wuerden!!
Attachment: Word-Text.zip (containing the file: Word-Text_packedList.exe)
English translation of the German lure: Subject "Did you send this e-mail?"; body "To put it bluntly: I am about to file a complaint against you! You must be out of your mind! My daughter read the e-mail!!!!!! I have sent this Word-Text file back to you to clear myself. It would help if you would comment on it!!"
According to McAfee, when Sober.t is executed, the following files are created (paths are relative to the Windows directory, C:\WINDOWS on XP or C:\Winnt on NT/2000):
Path: \ConnectionStatus\Microsoft\
concon.www (containing harvested E-mail addresses)
services.exe (containing W32/Sober.t@MM)
Path: \System32\
bbvmwxf.hml (empty file)
gdfjgthv.cvq (empty file)
runstop.rst (empty file)
rubezahl.rub (empty file)
nonrunso.ber (empty file)
langeinf.lin (empty file)
The empty files are markers used to detect the presence of other Sober infections, according to McAfee. Sober.t also adds the following registry run entries (note the value names: " WinCheck" with a leading space, and "_WinCheck"):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run " WinCheck"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "_WinCheck"
Sober.u arrives with the following in English:
Subject: Thanks for your registration
Body: Thanks for your registration!
We have received your payment.
For more detailed information, read the attached text.
Attachment: reg_text.zip (containing the file reg-list-dat_packer2.exe)
In German:
Subject: Hi, Ich bin's
Body: Hier ist die Liste die du haben wolltest.
Du solltest dich aber auch eintragen!
OK, bis dann
Attachment: Liste.zip (containing the file reg-list-dat_packer2.exe)
English translation of the German lure: Subject "Hi, it's me"; body "Here is the list you wanted. But you should sign up too! OK, see you then"
According to McAfee, when executed, Sober.u displays a fake error message, and the following files are added:
C:\WINDOWS\ConnectionStatus\Microsoft\concon.www
C:\WINDOWS\ConnectionStatus\Microsoft\services.exe
C:\WINDOWS\system32\bbvmwxxf.hml
C:\WINDOWS\system32\gdfjgthv.cvq
C:\WINDOWS\system32\langeinf.lin
C:\WINDOWS\system32\nonrunso.ber
C:\WINDOWS\system32\rubezahl.rub
C:\WINDOWS\system32\runstop.rst
The following registry run values are added:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "_WinCheck" = C:\WINDOWS\ConnectionStatus\Microsoft\services.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run " WinCheck" = C:\WINDOWS\ConnectionStatus\Microsoft\services.exe
And, finally, Sober.v arrives with the following messages:
Subject: Your email
Body: Hello,
Sorry, sorry sorry, because,, my English is not the best!
ok, I've got an email with an Excel-Table. But I am not the recipient, the
recipient are you!
I think, it's an mail error!
OK, here is your table back!
cya....
Attachment: excel_table.zip (containing exceltab-packed_list.exe)
And in German:
Subject: Ihre eMail!
Body: Guten Tag,
jemand schickte mir eine Mail mit einer Excel oder Access Tabelle (kenne
mich da nicht so aus!).
Jedenfalls ist diese Mail aber an ihre Mail Adresse adressiert, aber zu
meiner gekommen??? Ist wohl irgendein Fehler.
Ok, hier haben Sie sie wieder zurueck! gruss
Attachment: excel_table.zip (containing exceltab-packed_list.exe)
English translation of the German lure: Subject "Your e-mail!"; body "Hello, someone sent me a mail with an Excel or Access table (I don't know much about those!). In any case, this mail is addressed to your mail address but ended up at mine??? Must be some kind of error. OK, here you have it back! regards"
According to McAfee, the following folders are created:
C:\Winnt\ConnectionStatus
C:\Winnt\ConnectionStatus\Microsoft
The following files are added:
C:\Winnt\ConnectionStatus\Microsoft\concon.www
C:\Winnt\ConnectionStatus\Microsoft\services.exe
C:\Winnt\system32\bbvmwxxf.hml
C:\Winnt\system32\gdfjgthv.cvq
C:\Winnt\system32\langeinf.lin
C:\Winnt\system32\nonrunso.ber
C:\Winnt\system32\rubezahl.rub
C:\Winnt\system32\runstop.rst
A registry run value is created to start the main worm component at system start-up:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run " WinCheck" = C:\Winnt\ConnectionStatus\Microsoft\services.exe
McAfee also notes that in addition to the standard SMTP port 25, Sober.v uses port 587 (the mail submission port) to connect to certain Yahoo-based servers, so an egress filter that blocks only port 25 from workstations will not stop it from sending.
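The file names, run-key values and ports above are the indicators a responder would check on a suspect machine. The script below is an added example and is not CNET's or McAfee's code: it carries the indicator lists from this article, matches them against a host inventory, and flags workstation processes speaking SMTP on port 25 or 587 to anything other than an approved relay. The inventory and connection list in the script are constructed for illustration, not captured data, and the collect_windows_inventory helper is an assumption about how one would gather the same data on a real Windows host with the standard library.

```python
"""Host-side check for the Sober.t/u/v artifacts listed above (added example)."""
import ntpath
import os
import sys

# Dropped files, relative to the Windows directory (C:\WINDOWS on XP,
# C:\Winnt on NT/2000).  Both spellings of the .hml name that appear in
# the vendor write-ups are included.
SOBER_DROPPED_FILES = {
    r"ConnectionStatus\Microsoft\concon.www",    # harvested e-mail addresses
    r"ConnectionStatus\Microsoft\services.exe",  # the worm body
    r"system32\bbvmwxf.hml",
    r"system32\bbvmwxxf.hml",
    r"system32\gdfjgthv.cvq",
    r"system32\langeinf.lin",
    r"system32\nonrunso.ber",
    r"system32\rubezahl.rub",
    r"system32\runstop.rst",
}
# Run-key value names the worm writes: a leading space or underscore in
# front of "WinCheck", easy to overlook next to legitimate entries.
SOBER_RUN_VALUE_NAMES = {" wincheck", "_wincheck"}
SOBER_RUN_TARGET = r"connectionstatus\microsoft\services.exe"


def find_sober_files(existing_files, system_root):
    """Paths in existing_files matching a dropped file (case-insensitive, like NTFS)."""
    wanted = {ntpath.join(system_root, rel).lower() for rel in SOBER_DROPPED_FILES}
    return sorted(p for p in existing_files if p.lower() in wanted)


def find_sober_run_values(run_values):
    """Run entries (key, name, data) that are Sober's: a known value name, or
    any entry whose data points at the worm's services.exe (catches renames)."""
    return [(key, name, data) for key, name, data in run_values
            if name.lower() in SOBER_RUN_VALUE_NAMES or SOBER_RUN_TARGET in data.lower()]


def flag_direct_smtp(connections, approved_relays):
    """Outbound (process, host, port) connections on 25 or 587 not to an approved
    relay; a workstation process doing this is the mass-mailing behaviour itself."""
    return [c for c in connections
            if c[2] in (25, 587) and c[1].lower() not in approved_relays]


def collect_windows_inventory(system_root):
    """Real collection on a Windows host (assumed approach); empty elsewhere."""
    if sys.platform != "win32":
        return [], []
    import winreg
    files = [ntpath.join(system_root, rel) for rel in SOBER_DROPPED_FILES
             if os.path.exists(ntpath.join(system_root, rel))]
    run_values, key_path = [], r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    for hive, label in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:
            with winreg.OpenKey(hive, key_path) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    run_values.append((label + "\\" + key_path, name, str(data)))
                    i += 1
        except OSError:
            pass
    return files, run_values


# Constructed inventory standing in for an XP host (not captured data).
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\ConnectionStatus\Microsoft\services.exe",
    r"C:\WINDOWS\system32\RUNSTOP.RST",
]
SAMPLE_RUN_VALUES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SynTPEnh",
     r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", " WinCheck",
     r"C:\WINDOWS\ConnectionStatus\Microsoft\services.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"c:\winnt\connectionstatus\microsoft\services.exe"),
]
SAMPLE_CONNECTIONS = [          # remote hosts are placeholders
    ("outlook.exe", "mail.corp.example", 25),
    ("services.exe", "203.0.113.7", 587),
    ("services.exe", "198.51.100.23", 25),
]

if __name__ == "__main__":
    for hit in find_sober_files(SAMPLE_FILES, r"C:\WINDOWS"):
        print("dropped file:", hit)
    for hit in find_sober_run_values(SAMPLE_RUN_VALUES):
        print("run value:", hit)
    for hit in flag_direct_smtp(SAMPLE_CONNECTIONS, {"mail.corp.example"}):
        print("direct SMTP:", hit)
```

On a real host, replace the constructed lists with the output of collect_windows_inventory and a netstat/connection capture; the matching on the run-value data rather than only the value name is what catches a variant that keeps the file layout but changes the " WinCheck" name.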
Prevention
Treat unsolicited messages with .zip attachments as suspicious, especially those matching the subjects and file names above. Do not open the attachments: each .zip contains an .exe, not the Word or Excel document the message promises, and the machine is only infected if that executable is run.
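All six lures share one shape, a .zip attachment hiding an executable, and the subjects and attachment names above are the rest of the recognition data. The script below is an added example, not CNET's code and not a vendor signature: it classifies a message at a mail gateway, quarantining any message whose ZIP attachment contains a Windows executable and tagging subjects or file names that match this article's list. The messages it builds are constructed here, and the "executable" inside the zip is an inert placeholder, not the worm; the sender and recipient addresses are placeholders.

```python
"""Mail-gateway check for the Sober lures described above (added example)."""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Lure strings from the article, lower-cased for comparison.
SOBER_SUBJECTS = {
    "registration confirmation", "thanks for your registration", "your email",
    "haben sie diese email verschickt?", "hi, ich bin's", "ihre email!",
}
SOBER_ATTACHMENTS = {
    "registration.zip", "word-text.zip", "reg_text.zip", "liste.zip", "excel_table.zip",
}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def executables_in_zip(data):
    """Names of executable members in a ZIP blob; [] if it is not a ZIP at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return []


def classify_message(raw_bytes):
    """Return (verdict, reasons): "quarantine" when an executable is attached
    directly or inside a ZIP, "suspicious" on a lure subject or file name
    alone, otherwise "pass"."""
    msg = email.message_from_bytes(raw_bytes, policy=default)
    subject = (msg["subject"] or "").strip().lower()
    reasons = []
    if subject in SOBER_SUBJECTS:
        reasons.append("known Sober subject: %r" % subject)
    executable_seen = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in SOBER_ATTACHMENTS:
            reasons.append("known Sober attachment name: " + name)
        if name.endswith(EXECUTABLE_SUFFIXES):
            executable_seen = True
            reasons.append("bare executable attachment: " + name)
        members = executables_in_zip(part.get_payload(decode=True) or b"")
        if members:
            executable_seen = True
            reasons.append("zip %s contains executable(s): %s" % (name, members))
    if executable_seen:
        return "quarantine", reasons
    if reasons:
        return "suspicious", reasons
    return "pass", reasons


def build_message(subject, body, attachment_name=None, member_name=None):
    """Constructed test message; the zip member is a harmless placeholder."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "someone@example.com"   # placeholder addresses
    msg["To"] = "you@example.org"
    msg.set_content(body)
    if attachment_name:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(member_name, b"placeholder, not a real PE file")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename=attachment_name)
    return msg.as_bytes()


# The Sober.t English lure, rebuilt from the article's description.
SOBER_T_LURE = build_message(
    "Registration Confirmation",
    "Thanks for your registration.\nYour data are saved in the zipped Word.doc file!",
    "registration.zip", "Word-Text_packedList.exe")
# A legitimate-looking message: a zip that really does hold a text file.
BENIGN_ZIP = build_message("Minutes", "Attached as agreed.", "minutes.zip", "minutes.txt")

if __name__ == "__main__":
    for label, raw in (("Sober.t lure", SOBER_T_LURE), ("benign zip", BENIGN_ZIP)):
        verdict, reasons = classify_message(raw)
        print(label, "->", verdict, reasons)
```

The subject and file-name lists only raise "suspicious" on their own because the worm authors change them between variants; the executable-inside-ZIP rule is what holds across all three variants described here and is the check worth enforcing regardless of the lure text.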
Removal
A few antivirus software companies have updated their signature files to include these worms. This will stop the infection upon contact and in some cases will remove an active infection from your system. Vendor naming differs between companies, so check the aliases below when cross-referencing. For more information about Sober.t, see F-Secure, McAfee, and Symantec (as Sober.s).
For more information on Sober.u, see Computer Associates (as Sober.r), and McAfee.
For more information on Sober.v, see McAfee.
