Threat Advisory: McAfee AVERT raises risk assessment to medium on new W32/Sober.K@MM virus

<p>McAfee AVERT Raises Risk Assessment Based on Prevalence</p>
<p>SYDNEY, February 1, 2005 — McAfee, Inc., the pioneer and worldwide leader of intrusion prevention solutions, today announced that McAfee AVERT (Anti-virus and Vulnerability Emergency Response Team), the world-class research division of McAfee, Inc., raised the risk assessment to Medium on the recently discovered 32/Sober.k@MM, also known as Sober.k. Sober.k is a prolific worm that spreads via email, sending itself to addresses found on the victim’s machine. The worm arrives as a .zip file attached to e-mail and has many of the same functionalities as its W32/Sober.j@MM predecessor. The worm was first reported to McAfee AVERT researchers last night GMT and to date, McAfee AVERT has received more than 50 reports of the virus in the wild.</p>
<p>Threat Overview</p>
<p>Sober.k is a mass mailing threat that contains its own SMTP engine to construct outgoing messages, which are written in German or English. It harvests addresses from local files and then uses the harvested addresses to send itself. This produces a message with a spoofed From address. The attachment comes in the form of a .zip file that contains an executable file inside. The filename contains a dual extension with the first extension being .TXT, followed by many spaces and the second extension .PIF.</p>
<p>Users would need to manually extract the executable from the .zip file and manually run the attachment in order to be infected. There’s no exploit launching the executable automatically.</p>
<p>German Version:</p>
<p>From: (address is spoofed)
Subject: Ey du DOOF Nase, warum beantw...</p>
<p>Message Body: The message body will be one of the following:</p>
<p>Warum beantwortest Du meine E-Mails nicht?</p>
<p>Kommen meine Mails nicht mehr bei dir an oder so???</p>
<p>Habe mir jetzt extra eine neue Mail Adresse bei GMX gemacht!</p>
<p>Ich hoffe mal, das sie jetzt zu dir durch dringen wird.</p>
<p>In meinen anderen Mails habe ich einige Wichtige Dinge niedergeschrieben, hatte aber keine Lust alles nochmal zu schreiben.</p>
<p>Deshalb habe ich die alten Mail-Texte im Texteditor kopiert und mit Winzip klei ner gemacht.</p>
<p>Lesen und diesmal auch bescheid geben!!!!</p>
<p>tschau.....</p>
<p>Attachment: Texte.zip</p>
<p>English Version:</p>
<p>Subject: I've got YOUR email on my account!!</p>
<p>Body:</p>
<p>Hello,</p>
<p>First, Sorry for my very bad English!</p>
<p>Someone send your private mails on my email account!</p>
<p>I think it's an Mail-Provider or SMTP error.</p>
<p>Normally, I delete such emails immediately, but in the mail-text is a name &amp; ad ress. I think it's your name and adress.</p>
<p>In the last 8 days i've got 7 mails in my mail-box, but the recipient are you, not me. lol OK,</p>
<p>I've copied all email text in the Windows Text-Editor and i've zipped the t ext file with WinZip. The sender of this mails is in the text file, too.</p>
<p>bye</p>
<p>Attachment:</p>
<p>EMAIL_TEXT.ZIP or
TEXT.ZIP
The ZIP archive contains a copy of the worm with the following filename:</p>
<p>MAIL_TEXT-INFO.TXT (many spaces) .PIF</p>
<p>The importance of the mail is set to "High" (this will only have an effect for certain mail clients).</p>
<p>Threat Pathology</p>
<p>After being executed, Sober.k copies itself into the Windows System directory</p>
<p>using a constructed name from a pool of strings and thus is variable, for example:</p>
<p>C:\WINDOWS\SYSTEM32\SYSSPOOLDISC.EXE</p>
<p>It also creates other files in this directory to perform its functions:</p>
<p>DATAMX.DAM (contains harvested email addresses)
DGSFZIPP.GMX (59.504 bytes, copy of the worm in a ZIP and base64 encoded)</p>
<p>Additionally the following 0 byte files are dropped:</p>
<p>dgssxy.yoi (0 bytes)
nonrunso.ber (0 bytes)
Odin-Anon.Ger (0 bytes)
sysmms32.lla (0 bytes)</p>
<p>The following Registry keys are added to hook system startup:</p>
<p>HKEY_CURRENT_USER\Software\Microsoft\Windows
\CurrentVersion\Run "adisccrypt" = %SYSDIR%\sysspooldisc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
\CurrentVersion\Run " dircryptlog" = %SYSDIR%\sysspooldisc.exe
(where %SYSDIR% is C:\Windows\System32 or C:\Winnt\System32)</p>
<p>And also note that the mentioned filenames are constructed from a pool of strings and are thus variable.</p>
<p>System Protection and Cure</p>
<p>More information on Sober.k and cure for this worm can be found online at the McAfee AVERT site located at http://vil.mcafeesecurity.com/vil/content/v_131355.htm. McAfee AVERT is advising its customers to update to the 4424 DATs to stay protected from this variant of the threat.</p>
<p>McAfee AVERT Labs is one of the top-ranked anti-virus and vulnerability research organisations in the world, employing researchers in fourteen countries on five continents. McAfee AVERT combines world-class malicious code and anti-virus research with intrusion prevention and vulnerability research expertise from the McAfee IntruShield and McAfee Entercept organisations, two research arms that were acquired through IntruVert Networks and Entercept Security. McAfee AVERT protects customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.</p>
<p>About McAfee, Inc.</p>
<p>McAfee, Inc. (NYSE: MFE), headquartered in Santa Clara, Calif., creates best-of-breed intrusion prevention and risk management solutions. McAfee’s market-leading security products and services help large, medium and small businesses, government agencies, and consumers prevent intrusions on networks and protect computer systems from critical threats. Additionally, through the Foundstone Professional Services division, leading security consultants provide security expertise and best practices for organisations. For more information, McAfee, Inc. can be reached on the Internet at http://www.mcafee.com/.</p>
<p># # #</p>
<p>NOTE: McAfee, AVERT, IntruShield, Entercept and Foundstone are either registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the United States and/or other countries. The colour Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. ©2005 McAfee, Inc. All Rights Reserved.</p>
<p>For further information, please contact:</p>
<p>Natalie Connor</p>
<p>Tel: +61 (0)2 9956 5733</p>
<p>Mobile: +61 (0)417 259 054</p>
<p>E-mail: natalie.connor@text100.com.au</p>

• Got more on this story? Email Computerworld
• Follow Computerworld on twitter