Sober.D Worm

03/08/04 - Sober.D

This detection is for a mass-mailing worm written in Visual Basic. Like its predecessor (W32/Sober.c@MM), the worm has the following characteristics:

contains its own SMTP engine
source/target email addresses are harvested from the victim machine
outgoing messages claim to contain a patch from Microsoft (in English and German)

Mail Propagation

The worm extracts target email addresses from the victim machine, and writes them to the file MSLOGS32.DLL in %SysDir%.

Outgoing messages are constructed using the worm's own SMTP engine. The messages may be written in either English or German, and the attachment filename can vary. The recipient's email address determines which language is used: if it contains any of the following strings, German is selected:

.de
.ch
.at
.li
@gmx

Email addresses are harvested from files containing the following extensions:

log
mdb
tbb
abd
adb
pl
rtf
doc
xls
txt
wab
eml
php
asp
shtml
dbx
ttt

The email messages claim to be from Microsoft and to contain a patch for the W32/Mydoom@MM virus. Below are some examples:

From: (sender)@microsoft.(country), where sender is taken from the following list:

Info
Center
UpDate
News
Help
Studio
Alert
Security

And country is taken from the following list:

de (for messages in German)
at (for messages in German)
com (for messages in English)

Subject: Varies, and contains random characters. For German and English messages respectively, the subject line starts with:

Microsoft Alarm: Bitte Lessen!
Microsoft Alert: Please Read!

Body:

(German version)
Neue Virus-Variante W32.Mydoom verbreitet sich schnell.
Eine neue Mydoom-Variante verbreitet sich derzeit rasend schnell im Internet.
Wie seine Vorg
Zudem installiert er auf infizierten Systemen einen gefahrlichen Trojaner! Fuhrende Virenspezialisten melden bereis ein vermehrtes Aufkommen des W32.Mydoom alias W32.Novarg.

Bitte daten Sie Ihr System mit dem Patch ab, um sich vor diesem Sch
+++
+++ Microsoft Deutschland GmbH, Konrad-Zuse-Strasse 1
+++ 85716 Unterschleissheim, HRB 70438, DE 129 415 943

(English version)
New MyDoom Virus Variant Detected!
A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet.
Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus.
The worm also has a backdoor Trojan capability. By default, the Trojan component listens on port 13468.

Protection:

Please download this digitally signed attachment.
This Update includes the functionality of previously released patches.
+++
+++ One Microsoft Way, Redmond, Washington 98052
+++ Restricted Rights at 48 CFR 52.227-19 com

Attachment: Either a .EXE or a .ZIP, with a varying filename. The EXE filename is built from a name plus an optional random-number component. The name is chosen from the following list:

sys-patch
MS-UD
MS-Security
Patch
Update
MS-Q

The random number may be 5 or 10 digits long. For example:

MS-UD89021.EXE
MS-Q4532364791.EXE

If mailed inside a ZIP file, initial analysis suggests the worm uses the following filename within the ZIP:

MS-Q(10-digits).EXE
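The From, Subject and Attachment patterns above can be turned into a simple mail-gateway check. The following is an added example (not from the original alert or from NAI); it assumes the header values have already been extracted from the message and flags a message only when at least two of the three lure indicators line up, so that a legitimate mail with a generic "Update.exe" attachment is not blocked on one hit alone.

```python
import re

# Indicator lists copied from the Sober.D description above.
SENDERS = ["Info", "Center", "UpDate", "News", "Help", "Studio", "Alert", "Security"]
COUNTRIES = ["de", "at", "com"]
SUBJECT_PREFIXES = ("Microsoft Alarm: Bitte Lessen!", "Microsoft Alert: Please Read!")
ATTACH_NAMES = ["sys-patch", "MS-UD", "MS-Security", "Patch", "Update", "MS-Q"]

# (sender)@microsoft.(country), e.g. UpDate@microsoft.com
FROM_RE = re.compile(
    r"^(?:%s)@microsoft\.(?:%s)$" % ("|".join(SENDERS), "|".join(COUNTRIES)),
    re.IGNORECASE,
)
# name + optional 5- or 10-digit number + .EXE or .ZIP, e.g. MS-UD89021.EXE
ATTACH_RE = re.compile(
    r"^(?:%s)(?:\d{5}|\d{10})?\.(?:exe|zip)$"
    % "|".join(re.escape(n) for n in ATTACH_NAMES),
    re.IGNORECASE,
)


def sober_d_indicators(sender, subject, attachment):
    """Return which of the three Sober.D lure indicators a message matches."""
    hits = []
    if FROM_RE.match(sender.strip()):
        hits.append("from")
    if subject.strip().startswith(SUBJECT_PREFIXES):
        hits.append("subject")
    if attachment and ATTACH_RE.match(attachment.strip()):
        hits.append("attachment")
    return hits


def is_sober_d_lure(sender, subject, attachment):
    """Flag the message when at least two independent indicators agree."""
    return len(sober_d_indicators(sender, subject, attachment)) >= 2


# Constructed sample headers (hypothetical, for demonstration only).
SAMPLE_MESSAGES = [
    ("UpDate@microsoft.com", "Microsoft Alert: Please Read! xq7z", "MS-UD89021.EXE"),
    ("Alert@microsoft.de", "Microsoft Alarm: Bitte Lessen! kd", "MS-Q4532364791.ZIP"),
    ("Security@microsoft.com", "Hello", "notes.txt"),
    ("news@example.org", "Weekly newsletter", "report.pdf"),
]


def scan(messages):
    """Return the indices of messages in the list that look like Sober.D lures."""
    return [i for i, (s, j, a) in enumerate(messages) if is_sober_d_lure(s, j, a)]
```

Running scan(SAMPLE_MESSAGES) flags only the first two constructed messages; the third matches the sender pattern alone and is left through.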

The worm does not mail itself to email addresses containing any of the following strings:

@arin
@avp
@foo.
@iana
@ikarus.
@kaspers
@messagelab
@msn.
@nai.
@ntp.
@panda
@sophos
abuse
admin
antivir
bitdefender
clock
detection
domain.
emsisoft
ewido.
free-av
google
host.
hotmail
info@
linux
microsoft.
mozilla
ntp-
ntp@
office
password
postmas
redaktion
service
spybot
support
symant
t-online
time
variabel
verizon.
viren
virus
winrar
winzip

Removal Instructions

Go to the following website for removal instructions:

http://vil.nai.com/vil/content/v_101081.htm

Download Stinger to Scan for infection:
http://vil.nai.com/vil/stinger

More info on this worm:
http://vil.nai.com/vil/content/v_101081.htm
