Malware Spewing Political SPAM
I know I’ve been quiet over the last few weeks; this is due to the large quantities of new malware I have been trapping, writing papers and presentations, and presenting at an international conference: EICAR 2005 in Malta at the beginning of May, with the Virus Bulletin conference in Dublin coming up later this year.
Anyway, enough excuses!
Well, I suspect that over the weekend, and so far this week you have been seeing a fair number of political spam e-mails in both German and English that [in most cases] contain little more than a single line of text and a link [or multiple links] to political news sites/coverage. This political spam seems to be mostly related to right-wing [Nazi/Neo-Nazi] politics.
The interesting thing is this is not ‘normal’ SPAM; it is in fact being generated by systems infected by an e-mail worm, known as Sober.q, which is downloaded automatically from a number of sites onto systems already infected by the Sober.p worm.

Sober.q is written in Visual Basic, packed using UPX [to try and obfuscate the content and make a virus scanner’s job harder], has its own SMTP engine and does not replicate. So in many ways it should be considered more of a Trojan than a worm. Like previous malware it will also install itself in the registry to ensure that it gets loaded when the system starts. Furthermore, it will try and terminate a number of security tools, including Microsoft Anti-Spyware [formerly GIANT], HijackThis and NOD32.
If that is not annoying enough, it will also try and disable Windows Update and the XP Firewall by changing registry key entries that control their behaviour.
However, unlike many bots that are out there, Sober.q [which is not a bot] does not act as a spam proxy; all spam generated by Sober.q originates on the infected system, rather than being routed through it by spammers who rent the spam proxies that bots install.
On installation Sober.q drops a file named Spammer.Readme that contains a link and the following text:
Ich bin immer noch kein Spammer!Aber sollte vielleicht einer werden
In diesem Sinne
This is basically a message to the anti-virus companies stating “I’m not a spammer, although I might become one!”.
So, what do the spam e-mails that this Trojan generates look like?
Well, I’m not going to show them all, but here is one example:
Lese selbst:
http://www.[replaced].de/npd_info/deutschland/2005/d0305-14.html
Jetzt weiss man auch, wie es dazu kommt, dass Drogen, Waffen & Handy’s in die Haende der Knacki’s gelangen!
Below is a list of 30 of the subject lines I’ve seen so far:
4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
60 Jahre Befreiung: Wer feiert mit?
Armenian Genocide Plagues Ankara 90 Years On
Auf Streife durch den Berliner Wedding
Augen auf
Auslaender bevorzugt
Auslaenderpolitik
Blutige Selbstjustiz
Deutsche Buerger trauen sich nicht …
Deutsche werden kuenftig beim Arzt abgezockt
Dresden 1945
Dresden Bombing Is To Be Regretted Enormously
Du wirst ausspioniert ….!
Du wirst zum Sklaven gemacht!!!
Gegen das Vergessen
Graeberschaendung auf bundesdeutsche Anordnung
Hier sind wir Lehrer die einzigen Auslaender
Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer
Multi-Kulturell = Multi-Kriminell
Paranoider Deutschenmoerder kommt in Psychiatrie
S.O.S. Kiez! Polizei schlaegt Alarm
Schily ueber Deutschland
The Whore Lived Like a German
Transparenz ist das Mindeste
Trotz Stellenabbau
Tuerkei in die EU
Turkish Tabloid Enrages Germany with Nazi Comparisons
Verbrechen der deutschen Frau
Volk wird nur zum zahlen gebraucht!
Vorbildliche Aktion
So, the e-mails generated and sent by Sober.q-infected systems are non-viral: they have no attachment and they cannot [currently] infect a system. The risk they pose is minimal, mainly clogging up mail servers, causing confusion due to the forged e-mail addresses, and spreading information related to right-wing politics. What do you do with them? Send them to the great digital ‘bit-bucket’ [delete them].
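For anyone who would rather have the mail server do the deleting, here is a small filter I have added as an example (it is not part of the original post and not the worm’s code) that checks a raw message for the shape described above: a subject from the list, no attachment, and a body that is little more than a line or two of text plus a link. The subject set, the sample messages and the placeholder URL host are all constructed for the demo.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# A few of the subject lines listed above (a real filter would carry all of them).
KNOWN_SUBJECTS = {
    "Dresden 1945", "Tuerkei in die EU", "Auslaender bevorzugt",
    "Turkish Tabloid Enrages Germany with Nazi Comparisons",
}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def _plain_text(msg):
    """First text/plain part of a parsed message, decoded as latin-1."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode("latin-1", "replace")
    return ""


def looks_like_sober_q_spam(raw):
    """True when a raw RFC 822 message has the Sober.q spam shape described in the post:
    a known subject, no attachment, and a body of at most a few lines that carries a link."""
    msg = message_from_string(raw)
    subject = str(make_header(decode_header(msg.get("Subject", "")))).strip()
    if subject not in KNOWN_SUBJECTS:
        return False
    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        return False  # Sober.q mails carry no attachment; anything with one is a different problem
    lines = [ln for ln in _plain_text(msg).splitlines() if ln.strip()]
    return 1 <= len(lines) <= 3 and bool(URL_RE.search(" ".join(lines)))


# Constructed samples (not real captures); the URL host is a placeholder.
SOBER_Q_SAMPLE = """From: "Forged Sender" <someone@example.com>
Subject: Dresden 1945
Content-Type: text/plain; charset="us-ascii"

Lese selbst:
http://www.placeholder.invalid/npd_info/deutschland/2005/d0305-14.html
"""

LEGIT_SAMPLE = """From: colleague@example.org
Subject: Dresden 1945

Hi, I found the archive record you asked about. The reading room is open
Tuesday to Thursday and the file runs to roughly forty pages. Let me know
which sections you would like copied and I will send them across.
"""

if __name__ == "__main__":
    print(looks_like_sober_q_spam(SOBER_Q_SAMPLE), looks_like_sober_q_spam(LEGIT_SAMPLE))
```

The second sample shares a subject with the spam but has a normal body and no link, so a subject match alone is not enough to drop a message.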
As a final note: Sober.q looks for a file named ‘bbvmwxxf.hml’ in the Windows System folder. If it finds it, Sober.q will not install itself on the system; however, the system is still infected by Sober.p!
Links:
Email-Worm.Win32.Sober.q [Kaspersky]
WORM_SOBER.U [TREND]
Sober.q [F-Secure]
Right, just another few hundred new samples to investigate and a conference paper to finish, on top of my usual workload…
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

