Sober.D arrives in an email disguised as a Microsoft fix for the MyDoom worm. The From address will appear to be a Microsoft address, with the sender name derived from one of the following: Info, Center, UpDate, News, Help, Studio, Alert, or Security, and the country suffix derived from either de, ch, at, or il. For example, the falsified address might be 'Info@microsoft.de'.
The Sober.D email carries either a ZIP or EXE attachment. The name of the attachment is derived from a specific list, followed by a random series of 5-10 digits. The text portion of the filename is derived from one of the following: sys-patch, MS-UD, MS-Security, Patch, Update, MS-Q. For example, the attachment name might be sys-patch39842.exe.
The Subject line and message body will be in either English or German. The English subject line will read:
- Microsoft Alert: Please Read!
The German subject line will read:
- Microsoft Alarm: Bitte Lessen! (English: "Microsoft Alarm: Please Read!")
The English message body will read:
- New MyDoom Virus Variant Detected!
A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet. Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus. The worm also has a backdoor Trojan capability. By default, the Trojan component listens on port 13468.
Protection: Please download this digitally signed attachment.
This Update includes the functionality of previously released patches.
+++ 2004 Microsoft Corporation. All rights reserved.
+++ One Microsoft Way, Redmond, Washington 98052
+++ Restricted Rights at 48 CFR 52.227-19
The German message body will read:
- Neue Virus-Variante W32.Mydoom verbreitet sich schnell.
Eine neue Mydoom-Variante verbreitet sich derzeit rasend schnell im Internet. Wie seine Vorgänger verschickt sich der Wurm von infizierten Windows-Rechnern per E-Mail an weitere Adressen. Zudem installiert er auf infizierten Systemen einen gefährlichen Trojaner! Bitte daten Sie Ihr System mit dem Patch ab, um sich vor diesem Schädling zu schützen!
(English: "New virus variant W32.Mydoom is spreading fast. A new Mydoom variant is currently spreading extremely fast on the Internet. Like its predecessors, the worm sends itself by e-mail from infected Windows machines to further addresses. It also installs a dangerous Trojan on infected systems! Please update your system with the patch to protect yourself from this pest!")
+++ 2004 Microsoft Corporation. Alle Rechte vorbehalten. (All rights reserved.)
+++ Microsoft Deutschland GmbH, Konrad-Zuse-Strasse 1
+++ 85716 Unterschleissheim, HRB 70438, DE 129 415 943
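The spoofed-sender, subject and attachment-name patterns described above are fixed enough to be checked at a mail gateway. The following Python is an added example and is not code from this description or from the anti-virus vendor; the two sample messages are constructed here, and the "sender plus at least one more indicator" threshold in is_sober_d_lure is an assumption of the example rather than anything the description states.

```python
import email
import email.utils
import re

# Lure characteristics taken from the Sober.D description above.
FROM_RE = re.compile(
    r"^(?:info|center|update|news|help|studio|alert|security)"
    r"@microsoft\.(?:de|ch|at|il)$",
    re.IGNORECASE,
)
SUBJECTS = {
    "microsoft alert: please read!",
    "microsoft alarm: bitte lessen!",
}
# Name prefix from the list, 5-10 digits, then .exe or .zip.
ATTACH_RE = re.compile(
    r"^(?:sys-patch|ms-ud|ms-security|patch|update|ms-q)\d{5,10}\.(?:exe|zip)$",
    re.IGNORECASE,
)


def sober_d_indicators(raw: bytes) -> list:
    """Return the Sober.D lure indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw)
    hits = []
    # parseaddr() gives (display name, address); the spoof is in the address.
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    if FROM_RE.match(sender):
        hits.append("from:" + sender)
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUBJECTS:
        hits.append("subject:" + subject)
    # Walk every MIME part; only attachment parts carry a filename.
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACH_RE.match(name):
            hits.append("attachment:" + name)
    return hits


def is_sober_d_lure(raw: bytes) -> bool:
    """Verdict: spoofed Microsoft sender plus at least one further indicator.
    This threshold is an assumption of the example, chosen so that a forged
    From header on its own does not trigger it."""
    hits = sober_d_indicators(raw)
    return any(h.startswith("from:") for h in hits) and len(hits) >= 2


# Constructed sample messages (not real captures).
SAMPLE_LURE = b"""From: Info <Info@microsoft.de>
To: victim@example.com
Subject: Microsoft Alert: Please Read!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

New MyDoom Virus Variant Detected!
--b1
Content-Type: application/octet-stream; name="sys-patch39842.exe"
Content-Disposition: attachment; filename="sys-patch39842.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1--
"""

SAMPLE_BENIGN = b"""From: Alice <alice@example.org>
To: victim@example.com
Subject: Lunch tomorrow?

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, is_sober_d_lure(raw), sober_d_indicators(raw))
```

The attachment check looks at the MIME filename only; a gateway should additionally open ZIP attachments and apply the same name pattern to the contained file, since the description says the worm ships as either a bare EXE or a ZIP.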
If the attachment is opened, the Sober.D worm may first display one of the following messages:
- This patch has been successfully installed
-or-
This patch does not need to be installed on this system.
Status: OK
-or-
Microsoft Windows
STOP: 0x80070725 {FatalSystemError}
System File [filename].exe
Connection lost or blocked by Firewall
Sober.D copies itself to the Windows System directory using a random file name composed by joining strings together from the following list: sys, host, dir, explorer, win, run, log, 32, disc, crypt, data, diag, spool, service, and smss32. For example, Sober.D might drop a copy of itself named crypt32.exe.
Sober.D modifies the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
The value added under each of these keys points to the dropped copy of the worm, so that it is launched whenever Windows starts. Additionally, Sober.D drops the following files into the Windows System directory:
- Humgly.lkur
temp32x.data
wintmpx33.dat
yfjq.yqwm
zmndpgwf.kxx
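The naming scheme, the Run/RunOnce keys and the fixed companion file names above give a host-side triage check: a file in the System directory is suspicious if it is one of the dropped companion files, or if it is an .exe whose name can be split entirely into the listed fragments and is not a known Windows binary (explorer.exe is itself one of the fragments, so an allowlist is required). The Python below is an added example, not code from this description or the vendor; the allowlist, the directory listing and the registry export text are constructed, and a real run would feed it the output of `dir %SystemRoot%\System32` and `reg export` of the two keys.

```python
import re
from functools import lru_cache
from typing import FrozenSet, List, Optional

# Fragments Sober.D joins to name its dropped copy (from the description above).
TOKENS = ("sys", "host", "dir", "explorer", "win", "run", "log", "32", "disc",
          "crypt", "data", "diag", "spool", "service", "smss32")
# Fixed-name companion files dropped into the Windows System directory.
DROPPED_FILES = {"humgly.lkur", "temp32x.data", "wintmpx33.dat",
                 "yfjq.yqwm", "zmndpgwf.kxx"}
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)


def segmentations(stem: str) -> List[List[str]]:
    """Every way to write `stem` as a concatenation of TOKENS (empty if none)."""
    stem = stem.lower()

    @lru_cache(maxsize=None)
    def rec(i: int):
        if i == len(stem):
            return ((),)
        found = []
        for tok in TOKENS:
            if stem.startswith(tok, i):
                for rest in rec(i + len(tok)):
                    found.append((tok,) + rest)
        return tuple(found)

    return [list(s) for s in rec(0)]


def classify_system_file(name: str, known_good: FrozenSet[str]) -> Optional[str]:
    """Finding for one file name from the System directory, or None.
    `known_good` is an allowlist of legitimate names built from a clean
    reference system; it is the caller's responsibility to supply it."""
    lower = name.lower()
    if lower in DROPPED_FILES:
        return f"dropped companion file: {name}"
    if lower in known_good or not lower.endswith(".exe"):
        return None
    stem = lower[:-4]
    segs = segmentations(stem) if stem else []
    if segs:
        return f"worm-style executable name: {name} = {'+'.join(segs[0])}"
    return None


def triage_system_dir(names, known_good) -> List[str]:
    """Apply classify_system_file to a directory listing, keeping only findings."""
    return [f for f in (classify_system_file(n, known_good) for n in names) if f]


def suspicious_run_values(reg_export: str, known_good) -> List[str]:
    """Scan `reg export` text for Run/RunOnce values that launch an executable
    matching the worm's naming scheme or one of its companion files."""
    findings = []
    current = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key header
            continue
        if current not in RUN_KEYS or "=" not in line:
            continue
        value_name, _, data = line.partition("=")
        vname = value_name.strip().strip('"')
        # reg export doubles backslashes in string data; take the last path element.
        exe = re.split(r"[\\/]", data.strip().strip('"'))[-1]
        finding = classify_system_file(exe, known_good)
        if finding:
            findings.append(f"{current} {vname}: {finding}")
    return findings


# Constructed sample inputs (not from a real infection).
KNOWN_GOOD = frozenset({"explorer.exe", "notepad.exe", "spoolsv.exe"})
SAMPLE_LISTING = ["explorer.exe", "crypt32.dll", "crypt32.exe",
                  "Humgly.lkur", "notepad.exe", "spoolsv.exe"]
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
"syshostrun"="C:\\WINDOWS\\System32\\syshostrun.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"""

if __name__ == "__main__":
    for f in triage_system_dir(SAMPLE_LISTING, KNOWN_GOOD):
        print(f)
    for f in suspicious_run_values(SAMPLE_REG_EXPORT, KNOWN_GOOD):
        print(f)
```

The fragment-segmentation check is deliberately loose: names such as win32.exe or logdata.exe will match, which is the point during triage, but on its own it is a lead to confirm by hashing or inspecting the file, not a verdict. Keeping the allowlist outside the code, built from a clean machine of the same Windows version, avoids hard-coding guesses about which of the fragment names are legitimate binaries.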
Sober.D harvests email addresses from a wide range of file types found on victims' computers and avoids sending itself to an extensive list of domains.