This time the author of Sober worm changed the text string that is used to decrypt data strings in the worm's body, but he did not change the encryption algorithm.

Installation to System

Just after being run by a user the worm shows a fake error messagebox:

Then it creates a subfolder named 'WinSecurity' in Windows folder and copies itself there 3 times with the following names:

 services.exe
 csrss.exe
 smss.exe

In addition the worm creates the following files in the same folder:

 mssock1.dli
 mssock2.dli
 mssock3.dli
 winmem1.ory
 winmem2.ory
 winmem3.ory
 socket1.ifo
 socket2.ifo
 socket3.ifo

The first 6 files are used to store collected e-mail addresses, the last 3 files are used to store the UUEncoded worm's body.

The worm then adds startup keys for the copied "services.exe" file into System Registry:

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 " Windows" = "%WinDir%\WinSecurity\services.exe"

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "_Windows" = "%WinDir%\WinSecurity\services.exe"

The Sober.Y worm creates a few empty files in Windows System folder with the following names:

 nonrunso.ber
 langeinf.lin
 runstop.rst
 rubezahl.rub
 bbvmwxxf.hml
 filesms.fms

These files are used to deactivate previous Sober variants. The worm blocks access to its files and re-creates its startup keys in the Registry if they are deleted.

Spreading in E-mails

Sober.T worm sends e-mail messages with English and German texts and its file attached. The attachment is a ZIP archive containing the worm's executable.

To collect e-mail addresses the worm scans files with the following extensions:

 pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms
 nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc
 pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw
 mde frm bas adr cls ini ldif log mdb xml wsh tbb abx
 abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp
 mht nfo php asp shtml dbx

The collected e-mail addresses are stored in "mssock*.dli" and "winmem*.ory" files that are created in the same folder where the main worm's executable file is located.

The worm ignores e-mail addresses if they contain any of the following strings:

 ntp- ntp@ ntp. test@ @www @from. support smtp- @smtp.
 gold-certs ftp. .dial. .ppp. anyone subscribe announce
 @gmetref sql. someone nothing you@ user@ reciver@ somebody
 secure whatever@ whoever@ anywhere yourname mustermann@
 .kundenserver. mailer-daemon variabel noreply -dav law2
 .sul.t- .qmail@ t-ipconnect t-dialin ipt.aol time freeav
 @ca. abuse winrar domain. host. viren bitdefender spybot
 detection ewido. emsisoft linux google @foo. winzip
 @example. bellcore. @arin mozilla iana@ iana- @iana @avp
 icrosoft. @sophos @panda @kaspers free-av antivir virus
 verizon. @ikarus. @nai. @messagelab nlpmail01. clock

When the worm sends an e-mail to an address that contains "gmx." domain or has the domain suffix ".de", ".li", ".ch" or ".at", it composes messages in German, otherwise the worm composes messages in English.

It should be noted that along with the "usual" messages that look like fake bounces, password change notification requests, Paris Hilton video ads and so on, the worm sends messages that look like they come from FBI or CIA. The From field of such messages contains any of the following:

 Department@fbi.gov  (also can be Office@, Admin@, Mail@, Post@)
 Department@cia.gov  (also can be Office@, Admin@, Mail@, Post@)

The Subject field contains any of the following:

 You visit illegal websites
 Your IP was logged

The body text is:

 Dear Sir/Madam,

 we have logged your IP-address on more than 30 illegal Websites.

 Important:
 Please answer our questions!
 The list of questions are attached.

 Yours faithfully,
 Steven Allison

 *** Federal Bureau of Investigation -FBI-
 *** 935 Pennsylvania Avenue, NW, Room 3220
 *** Washington, DC 20535
 *** phone: (202) 324-3000

If the worm uses @cia.gov address, the end of the message is different:

 ++++ Central Intelligence Agency -CIA-
 ++++ Office of Public Affairs
 ++++ Washington, D.C. 20505
 ++++ phone: (703) 482-0623
 ++++ 7:00 a.m. to 5:00 p.m., US Eastern time

The attachment names can be:

 question_list.zip
 list.zip

Here's an example of a message sent by the worm:

The worm's executable file is located inside ZIP archives attached to all infected messages. To get infected a user has to extract and run the worm's file.

Payload

Sober.Y worm terminates applications that have the following substrings in their names:

 microsoftanti
 gcas
 gcip
 giantanti
 inetupd.
 nod32kui
 nod32.
 fxsbr
 avwin.
 guardgui.
 aswclnr
 stinger
 hijack
 sober
 brfix
 s_t_i_n
 s-t-i-n

Then the worm shows a messagebox that looks like that:

This trick is done to persuade a user that no infection was detected on his computer by his anti-virus or a virus removal tool.

The worm can also download and run files on an infected computer.

In addition the worm contacts numerous time servers to syncronize its activities.