W32/Sober.D@mm

Analysis

Specifics
This virus is 32 bit with a packed file size of 33,792 bytes. This virus was coded using Visual Basic 6. This virus contains code to send itself by email to others - the email is created in a format which may trick users into running the attachment. The virus runs on the infected system as a randomly named EXE file. Additional files may exist on the infected system, all in the System32 folder -

mslogs32.dll - contains email addresses
temp32x.data - Base64 encoded copy of the virus
wintmpx33.dat - Base64 encoded copy of a ZIP file with the virus enclosed

Other files may be created but contain no content or are zero bytes in length -

Humgly.lkur
yfjq.yqwm
zmndpgwf.kxx
Loading At Windows Startup
If the virus is run, it may display a message box with this content, where undefinedfilenameundefined is the file name of the virus, minus its extension -

Windows update -undefinedfilenameundefined-
(i) This patch has been successfully installed.

[OK]

The virus will copy itself into the System32 folder as randomly named EXE file. The name is chosen from a table of possible names and made of two parts. These are the possible hard coded names -

sys,host,dir,explorer,win,run,log,32,disc,crypt,data,diag,spool,service,smss32

The virus selects two names from the table to create a name, such as "datacrypt.exe". The virus will then modify the registry to run at Windows startup as in this example -

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\crypt\
"hostdiagcrypt" = C:\WINNT\System32\datacrypt.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
"syscrypt" = C:\WINNT\System32\datacrypt.exe undefined1

In the above examples, the registry key name was also derived by concatenating selected strings from the table of names.

Email Spreading Routine
The virus will scan the hard drive looking for email addresses - the virus grabs email addresses from files with these extensions -

abd
adb
asp
dbx
doc
eml
ini
log
mdb
php
pl
rtf
shtml
tbb
ttt
txt
wab
xls

Email addresses found are stored as text in a file named "mslogs32.dll". The first line of the text file has the following line prepended, probably as a marker for the virus -

100000?###

where "?" is a number from 0 to 9. Email addresses follow that first line. The virus avoids selecting email addresses which have any of these strings -

@arin
@avp
@foo.
@iana
@ikarus.
@kaspers
@messagelab
@msn.
@nai.
@ntp.
@panda
@sophos
abuse
admin
antivir
clock
detection
domain.
emsisoft
ewido.
free-av
google
hotmail
info@
linux
microsoft.
mozilla
ntp-
ntp@
office
password
postmas
redaktion
service
support
symant
time
t-online
variabel
verizon.
virus
winrar
winzip
Email Creation
The virus will construct an email message with varied subject lines and body text, with a randomly named file attachment - the variations are hard-coded and stored in the virus body. The virus contains two different hard-coded email formats - one in English text, the other in German. The virus uses fuzzy logic in order to determine if a recipient is to receive either the English or the German version of the email.

If the recipient email listed in "mslogs32.dll" contains any of these strings in the domain or domain suffix, the German email content is chosen -

@gmx - German email service provider
at - Austria
ch - Switzerland
de - Germany
li - Lichtenstein

All other email addresses are sent the English version. The "From" address is spoofed, and is chosen from a list of possible names -

Alert
Center
Help
Info
News
Patch
Security
Studio
UpDate

The "From" email address domain is one of these -

@microsoft.at - used for German format emails
@microsoft.de - used for German format emails
@microsoft.com - used for English format emails

An example of a created "From" address could be 'Info@microsoft.de'.

This is the German format of emails created -

Subject: Microsoft Alarm: Bitte Lesen!
Body:
Neue Virus-Variante W32.Mydoom verbreitet sich schnell.

Eine neue Mydoom-Variante verbreitet sich derzeit rasend schnell im Internet.
Wie seine Vorgänger verschickt sich der Wurm von infizierten Windows-Rechnern per E-Mail an weitere Adressen.
Zudem installiert er auf infizierten Systemen einen gefährlichen Trojaner!
Führende Virenspezialisten melden bereis ein vermehrtes Aufkommen des W32.Mydoom alias W32.Novarg.

Bitte daten Sie Ihr System mit dem Patch ab, um sich vor diesem Schädling zu schützen!

+++ ©2004 Microsoft Corporation. Alle Rechte vorbehalten.
+++ Microsoft Deutschland GmbH, Konrad-Zuse-Strasse 1
+++ 85716 Unterschleissheim, HRB 70438, DE 129 415 943

This is the English format of emails created -

Subject: Microsoft Alert: Please Read!
Body:
New MyDoom Virus Variant Detected!
A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet.
Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus.
The worm also has a backdoor Trojan capability.
By default, the Trojan component listens on port 13468.

Protection:
Please download this digitally signed attachment.
This Update includes the functionality of previously released patches.

+++ ©2004 Microsoft Corporation. All rights reserved.
+++ One Microsoft Way, Redmond, Washington 98052
+++ Restricted Rights at 48 CFR 52.227-19

The virus will attach either a ZIP or an EXE file attachment. The attachment is retrieved from the hard drive as one of these files from the System32 folder -

Temp32x.data - Base64 encoded copy of the virus
wintmpx.dat - Base64 encoded copy of ZIP file with virus enclosed

The file name is created from a table of names and could be any of these -

MS-Security#####
MS-UD#####
sys-patch#####

where "#####" is a random 5 digit number. In some cases, the random number occurs multiple times as in "##########".