Bilingual worm Sober.q causing headaches for European users

16 May 2005
Virus News

Kaspersky Lab, a leading developer of secure content management solutions, has detected a new version of Sober, Email-Worm.Win32.Sober.q. It was downloaded to machines which had already been infected by Sober.p and is a modification of the Sober source code. It is unable to replicate; instead, it sends right-wing spam to addresses found on the victim machine.

Sober.q copies itself to the Windows system directory and changes the system registry so that the worm is activated each time Windows is rebooted on the victim machine. It also drops a number of other files onto the infected system. Sober.q harvests email addresses from the infected computer, saves them, and then sends spam messages to the harvested addresses, except for addresses which appear to belong to antivirus vendors and software developers.

The worm also drops a file which contains a message from the author: “Ich bin immer noch kein Spammer! Aber sollte vielleicht einer werden :) In diesem Sinne” [I'm not a spammer yet! But maybe I'll become one :) In this spirit]. This file also contains links to articles published on the Internet stating that Sober is being used to create botnets - networks of infected machines which can then be used to send spam.

Rather than replicating, Sober.q sends spam in both German and English. German-language messages are sent to recipients in .de, .ch, .at, .li, and .gmx domains. The messages contain right-wing texts and links to right-wing sites. All other recipients receive messages in English; the contents, however, are still politically right-wing. The worm contains several dozen possible message versions. Although the sites contain material which may be offensive to readers, all the addresses are genuine, and there is no malware on these sites which could infect a machine used to view them.

Like previous versions of Sober, Sober.q connects to a number of NTP servers and monitors the system time and date on the infected machine. Once the system date passes 11 May, Sober.q attempts to terminate a number of processes (microsoftanti, gcas, gcip, giantanti, inetupd, nod32kui, nod32, fxsob, s-t-i-n-g, hijack, sober), which makes the worm harder to remove.
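The kill-list behaviour above is something a defender can watch for directly: a non-security process terminating security tooling is a strong signal regardless of which malware family is responsible. The following is an added example, not Kaspersky's code and not derived from the worm itself. It runs a simple detector over process-termination telemetry. The one-line log format, the trusted-source list and the sample events (including the source image name `unknown_dropper.exe`) are constructed for illustration; treating the names in the article as case-insensitive substrings of the terminated image name is an assumption about how the list is meant to be read.

```python
"""Flag process-termination attempts against the security-tool names that
the article reports Sober.q trying to kill.

Added example; the log format below is a constructed, simplified text format,
not real Sysmon/EDR output. Substring matching of the kill-list names against
the target image name is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Process names exactly as listed in the article.
SOBER_Q_KILL_LIST = (
    "microsoftanti", "gcas", "gcip", "giantanti", "inetupd",
    "nod32kui", "nod32", "fxsob", "s-t-i-n-g", "hijack", "sober",
)

# Constructed: vendor components that legitimately stop their own processes
# (e.g. an updater restarting a GUI). Populate per environment.
TRUSTED_SOURCES = {"nod32kui.exe", "gcasserv.exe"}

# Constructed one-line format:
#   <timestamp> PROCESS_TERMINATE src=<image> target=<image> pid=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) PROCESS_TERMINATE src=(?P<src>\S+) "
    r"target=(?P<target>\S+) pid=(?P<pid>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    source: str
    target: str
    matched: str  # which kill-list entry matched the target


def kill_list_hit(image_name: str) -> Optional[str]:
    """Return the first kill-list entry contained in the image name, or None."""
    name = image_name.lower()
    for entry in SOBER_Q_KILL_LIST:
        if entry in name:
            return entry
    return None


def scan_events(lines: Iterable[str]) -> List[Alert]:
    """Parse terminate events and alert on kill-list hits from untrusted sources."""
    alerts: List[Alert] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a terminate event, or malformed: ignore
        hit = kill_list_hit(m["target"])
        if hit is None:
            continue  # target is not one of the protected names
        if m["src"].lower() in TRUSTED_SOURCES:
            continue  # a known vendor component managing its own processes
        alerts.append(Alert(m["ts"], m["src"], m["target"], hit))
    return alerts


# Constructed sample telemetry; timestamps and image names are made up.
SAMPLE_EVENTS = [
    "2005-05-12T08:01:13 PROCESS_TERMINATE src=csrss.exe target=notepad.exe pid=3321",
    "2005-05-12T08:01:20 PROCESS_TERMINATE src=nod32kui.exe target=nod32krn.exe pid=1204",
    "2005-05-12T08:02:02 PROCESS_TERMINATE src=unknown_dropper.exe target=NOD32KUI.EXE pid=1188",
    "2005-05-12T08:02:03 PROCESS_TERMINATE src=unknown_dropper.exe target=gcasServ.exe pid=1490",
    "2005-05-12T08:02:03 garbage line that does not parse",
    "2005-05-12T08:02:05 PROCESS_TERMINATE src=unknown_dropper.exe target=HijackThis.exe pid=2210",
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"{alert.timestamp} {alert.source} terminated {alert.target} "
              f"(matches kill-list entry '{alert.matched}')")
```

Run as a script, the block reports three alerts for the constructed events (the `nod32kui.exe` -> `nod32krn.exe` termination is suppressed as a trusted vendor source, and the unparseable line is skipped). The trusted-source list is the part that needs tuning in practice; starting with it empty and adding entries from observed benign activity avoids silently exempting an attacker-chosen file name.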

Kaspersky Anti-Virus databases were updated with protection against Sober.q shortly after the new worm was detected. A full description of Sober.q is available here.