Hi everyone,
As it is spreading in my company these days, I would like to provide you with some information about W32/Sober-Y.
We lost the habit... no need to use HijackThis to get rid of it!
Let's see how!
This post is an addition to Ruby's "Wurm Sober.Y -> Cleaner".
Various names (aliases):
Worm/Sober.Y (AntiVir)
Win32:Sober-AB2 (Avast)
I-Worm/Sober.CF (AVG)
Win32.Sober.AD@mm (BitDefender)
Worm.Sober.U (ClamAV)
Win32.Sober.W (CA)
W32/Sober.Z@mm (F-Prot)
Sober.Y (F-Secure)
Worm.Win32.Sober.y (Kaspersky)
W32/Sober@MM!M681 (McAfee)
Win32/Sober.Y (NOD32)
W32/Sober.AA@mm (Norman)
W32/Sober.AH.worm (Panda Software)
W32.Sober.X@mm (Symantec)
WORM_SOBER.AG (Trend Micro)
Affected systems: any Windows version
How to recognize it:
Technically speaking, it creates a folder C:\Windows\WinSecurity containing 13 to 19 files, including 3 tricky ones, since they carry the names of genuine system files:
- services.exe
- smss.exe
- csrss.exe
All of them are 55 KB in size (each one is a copy of the virus).
(of course, replace Windows by WinNT if you are running W2K)
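The indicators above (decoy-named 55 KB files in a WinSecurity folder, plus the "Windows"/"_Windows" Run values that show up in the removal log further down) can be checked with a small script. This is an added example, not part of the original post or of either vendor's tool; it runs against a constructed temporary folder and a constructed dictionary of Run values (on a live machine you would read those from the registry), and the 50 to 60 KB size window is an assumption around the 55 KB the post mentions.

```python
import tempfile
from pathlib import Path

# Names the worm reuses for its copies (from the post); the real processes live in system32.
DECOY_NAMES = {"services.exe", "smss.exe", "csrss.exe"}
# Assumption: accept a small window around the 55 KB size the post reports.
SIZE_MIN, SIZE_MAX = 50 * 1024, 60 * 1024


def suspicious_files(folder):
    """Return decoy-named files in `folder` whose size fits the worm copies."""
    folder = Path(folder)
    if not folder.is_dir():
        return []  # no WinSecurity folder at all: nothing to flag
    return sorted(p.name.lower() for p in folder.iterdir()
                  if p.is_file() and p.name.lower() in DECOY_NAMES
                  and SIZE_MIN <= p.stat().st_size <= SIZE_MAX)


def suspicious_run_values(run_values):
    """run_values: {value_name: command} as read from a ...\\CurrentVersion\\Run key.
    Flags every value whose command points into a WinSecurity folder."""
    return sorted(name for name, cmd in run_values.items()
                  if "\\winsecurity\\" in cmd.lower())


def assess(folder, run_values):
    """Combine both checks into one verdict for the reader to act on."""
    files = suspicious_files(folder)
    values = suspicious_run_values(run_values)
    return {"files": files, "run_values": values, "infected": bool(files or values)}


def demo():
    # Constructed sample: a temporary WinSecurity folder with three 55 KB decoys and one benign file.
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "WinSecurity"
        folder.mkdir()
        for name in DECOY_NAMES:
            (folder / name).write_bytes(b"\0" * 55 * 1024)
        (folder / "readme.txt").write_bytes(b"benign")
        # Constructed Run values mirroring the names seen in the removal log, plus a normal entry.
        run = {"Windows": r"C:\Windows\WinSecurity\services.exe",
               "_Windows": r"C:\Windows\WinSecurity\smss.exe",
               "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
        return assess(folder, run)


if __name__ == "__main__":
    print(demo())
```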
How to quickly get rid of Sober-Y?
Example from today's fight:
- download Sober Removal Tool of Symantec ( http://securityresponse.symantec.com...ter/FixSbr.exe ) and save it to the desktop
- download Stinger of McAfee ( http://vil.nai.com/vil/stinger/ ) and save it to the desktop
- run both tools and let them do their jobs
- this will take at least 20 minutes
- Sober Removal Tool will create a report, FixSobr.log, on the desktop
- have Stinger write its report, stng259.txt, to the desktop
- both tools are necessary, as each of them finds some of the infected files
- delete the empty folder C:\Windows\WinSecurity
- you can save time by deleting useless files before launching the tools (scanning temporary files is a waste of time), but personally I like to get a message saying files were caught and deleted!
Symantec W32.Sober Removal Tool 1.7.1
process: services.exe (terminated)
process: smss.exe (terminated)
process: csrss.exe (terminated)
C:\Program Files\Symantec\LiveUpdate\LUALL.EXE: (deleted)
C:\WINDOWS\WinSecurity\csrss.exe: (deleted)
C:\WINDOWS\WinSecurity\services.exe: (deleted)
C:\WINDOWS\WinSecurity\smss.exe: (deleted)
C:\WINDOWS\system32\bbvmwxxf.hml: (deleted)
C:\WINDOWS\system32\rubezahl.rub: (deleted)
C:\WINDOWS\system32\runstop.rst: (deleted)
C:\WINDOWS\WinSecurity\socket1.ifo: (deleted)
C:\WINDOWS\WinSecurity\socket2.ifo: (deleted)
C:\WINDOWS\WinSecurity\socket3.ifo: (deleted)
C:\WINDOWS\WinSecurity\mssock1.dli: (deleted)
C:\WINDOWS\WinSecurity\mssock2.dli: (deleted)
C:\WINDOWS\WinSecurity\mssock3.dli: (deleted)
C:\WINDOWS\WinSecurity\winmem1.ory: (deleted)
C:\WINDOWS\WinSecurity\winmem2.ory: (deleted)
C:\WINDOWS\WinSecurity\winmem3.ory: (deleted)
C:\WINDOWS\WinSecurity\starter.run: (deleted)
C:\WINDOWS\system32\filesms.fms: (deleted)
registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: Windows (value deleted)
registry: HKEY_USERS\S-1-5-21-654596449-1070081414-310601177-2598\Software\Microsoft\Windows\CurrentVersion\Run: _Windows (value deleted)
W32.Sober[B-G, I, L, N, O, Q, V, W, X] has been successfully removed from your computer!
Here is the report:
The total number of the scanned files: 31736
The number of deleted threat files: 18
The number of threat processes terminated: 3
The number of registry entries fixed: 2
McAfee AVERT Stinger Version 2.5.9 built on Nov 22 2005
Copyright (C) 2005 Networks Associates Technology, Inc. All Rights Reserved.
Virus data file v1000 created on Nov 22 2005.
Ready to scan for 54 viruses, trojans and variants.
Scan initiated on Wed Dec 21 18:01:34 2005
C:\Documents and Settings\GERMAIN_R\Local Settings\Temp\notesE1EF34\mail_body.zip\FILE-PACKED_DATAINFO.EXE
Found the W32/Sober@MM!M681 virus !!!
C:\Documents and Settings\GERMAIN_R\Local Settings\Temp\notesE1EF34\mail_body.zip could not be repaired.
Number of clean files: 132634
Number of infected files: 1
You will notice:
- an infected file right in the middle of Symantec's folder (LOL)
- the usual RUNxxx registry keys!