Email-Worm.Win32.Sober.c

This worm spreads over the internet as an attachment to infected e-mail messages. It is a PE EXE file about 73 KB in size (UPX-compressed; about 260 KB when unpacked). The size of the worm file may change during installation.

Infected messages may have various subjects, bodies and attachment names. The worm file may have one of the following extensions:

  • bat
  • cmd
  • pif
  • scr
  • exe
  • com

Example of an infected e-mail message:

  • Subject:
    why me?
  • Body:
    You say in the www. that i'm a terrorist!!!
    No way out for you. I REPORT YOU !
    You've said THAT about me
  • Attachment name:
    terror-list.com

The worm activates from an infected message only when the user runs the attachment.

Installation

The worm places three copies of itself (with random names) in the Windows system folder and creates auto-run keys in the system registry:

  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "(random name)" = "%System%\(worm_copy_name.exe)"
  • [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "(random name)" = "%System%\(worm_copy_name.exe)"

After installation completes, the worm displays a fake error message on the screen.

Propagation

The worm searches the disk for files with the following extensions:

  • htt
  • rtf
  • doc
  • xls
  • ini
  • mdb
  • txt
  • htm
  • html
  • wab
  • pst
  • fdb
  • cfg
  • ldb
  • eml
  • abc
  • ldif
  • nab
  • adp
  • mdw
  • mda
  • mde
  • ade
  • sln
  • dsw
  • dsp
  • vap
  • php
  • asp
  • shtml
  • shtm

and scans them for e-mail addresses to which infected messages will then be sent. The malware uses its own SMTP engine.

Here are example subjects of infected messages:

  • Sorry, that's your mail
  • hi, its me
  • Thank You very very much
  • you are an idiot
  • why me?
  • I hate you
  • Preliminary investigation were started
  • Your IP was logged
  • You use illegal File Sharing ...
  • A Trojan horse is on your PC
  • a trojan is on your computer!
  • Anime, Pokemon, Manga, ...
  • Registration confirmation
  • registration confirmation

The message body is chosen from the following options:

  • i'm very very sorry, anybody have sent your mail to my address.
  • sorry for my bad english, I am a Swede!
  • excuse for my bad english, but I'm a Dutchman
  • I've got your mail, but its came on my mail address??? i've read this mail
    ,,, sorry about that excuse for my bad english, but I'm a Dutchman
    I don't know how to start this! I'm dull,, can you test!?
    Here, the DigiCam photos. A few are overexposed.
    That you've killed this bastard. Your reward:
    That you have paid for me! And that's your
  • Caution: To all gamers A new worm spread via online gaming! You must change your internet configuration!! see: www.onlinegamerspro-worm.com set_config.
  • Attention: To all gamers
    More than 75.000 freeware games!!! Genre: -> 8500 online games = 3D Shooter, RPG, Action, Adventure, ...
    non online games: -> Action = 4200 games -> 3D Shooter's = 7500 games -> RPG's = 6800 games -> Adventure's = 5400 games -> ROM's for NES, SNES, PS1&2, GC ,GB, MD, SMS, .. = 29.000 ROM's - others = 16900 games all free!!
    Download and enjoy downloader.exe
    www.freegames4you-gzone.com
    I-Worm.Sober
  • You say in the www. that i'm a terrorist!!! No way out for you. I REPORT YOU !
    You've said THAT about me
  • Thanks for your registration. ( We say Sorry again, the first mail was delivered to an unknown mail address. This was a bug in our mailing system! ) The amount of 239.- USD was deducted by your xxx Welcome, you can now visit more than 1200 very very hot web pages! Your registration, pages and passwords are xxx in the attachment.
  • I said, I love you..,, and you said NOTHING. And now,,, Go Away From Me Here are my love-letter((s)) mock me mock me again and again . Enjoy it. blablabla GO!
  • You get the charge in writing, in the next days. In the next days you will receive the charge in writing. In the next days, you'll get the charge in writing. In the next days, you'll get the charge in writing.
  • Ladies and Gentlemen, Downloading of Movies, MP3s and Software is illegal and punishable by law. We hereby inform you that your computer was scanned under the IP xxx. The contents of your computer were confiscated as an evidence, and you will be indicated. In the next days, you'll get the charge in writing. In the Reference code: #xxx, are all files, that we found on your computer. The sender address of this mail was masked, xxx- You get more detailed information by the Federal Bureau of Investigation -FBI-- Department for Illegal Internet Downloads, Room 7350 - 935 Pennsylvania Avenue - Washington, DC 20535, USA - (202) 324-3000
  • In the next days, you'll get the charge in writing.

The attachment name is generated randomly.
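As an added illustration (not part of the original description), a mail-gateway check in Python that blocks any message whose attachment carries one of the executable extensions listed above and reports a match against the listed subject lines as corroborating evidence; the sample message and the placeholder attachment body are constructed here, modelled on the example message shown above.

```python
import email
from email import policy

# Attachment extensions and subject lines the description lists for Sober.c.
WORM_EXTENSIONS = {"bat", "cmd", "pif", "scr", "exe", "com"}
WORM_SUBJECTS = {s.lower() for s in (
    "Sorry, that's your mail", "hi, its me", "Thank You very very much",
    "you are an idiot", "why me?", "I hate you", "Your IP was logged",
    "Preliminary investigation were started", "You use illegal File Sharing ...",
    "A Trojan horse is on your PC", "a trojan is on your computer!",
    "Anime, Pokemon, Manga, ...", "Registration confirmation",
)}

# Constructed sample mirroring the message shown above; the attachment
# body is a harmless placeholder string, not worm content.
SAMPLE_EML = b"""Subject: why me?
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You say in the www. that i'm a terrorist!!!
No way out for you. I REPORT YOU !
--b1
Content-Type: application/octet-stream; name="terror-list.com"
Content-Disposition: attachment; filename="terror-list.com"

placeholder
--b1--
"""

def executable_attachments(msg):
    """Names of attachments whose final extension is one the worm uses."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and "." in name and name.rsplit(".", 1)[1].lower() in WORM_EXTENSIONS:
            hits.append(name)  # catches double extensions such as photo.jpg.pif too
    return hits

def classify(raw: bytes) -> dict:
    """Gateway verdict: block on executable attachment; subject match is evidence."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    hits = executable_attachments(msg)
    return {"executable_attachments": hits,
            "subject_match": subject in WORM_SUBJECTS,
            "verdict": "block" if hits else "deliver"}
```

Because the worm's attachment name is random, the extension and subject checks are the only stable message-level indicators the description gives; blocking on the extension alone is the safe gateway policy, and the subject match helps triage.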