Sober.d prevention and cure

By Robert Vamosi, ZDNet US
09 March 2004 09:28 AM
Tags: virus, anti-virus, anti virus, worm, mydoom, patch, mail, hkey
Help & how-to: This virus masquerades as a Microsoft patch for the MyDoom worm.

What appears to be yet another Microsoft security patch for the MyDoom worm is actually a computer virus. Sober.d (w32.sober.d@mm, also known as Roca.a) is the fourth member of the Sober mass-mailing virus family written in Visual Basic, and it exists only to send e-mail in either German or English. Users of Linux, the Mac OS, and Unix are not affected. Because Sober.d spreads via e-mail and does no other damage, this worm rates a 4 on the ZDNet Virus Meter.

How it works
Sober.d arrives as e-mail pretending to be from Microsoft with a patch for the MyDoom worm. Microsoft does not e-mail its customers with new patch information. The subject line could be in either German or English, with random letters or words in some variation of "new Microsoft security patch." The body text, also in German or English, reads:

"New MyDoom Virus Variant Detected!
A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet.
Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus.
The worm also has a backdoor Trojan capability. By default, the Trojan component listens on port 13468.

"Protection:
Please download this digitally signed attachment.
This Update includes the functionality of previously released patches.
+++
+++ One Microsoft Way, Redmond, Washington 98052
+++ Restricted Rights at 48 CFR 52.227-19 com"

The attached file is either an EXE or a ZIP file with one of the following names:

sys-patch
MS-UD
MS-Security
Patch
Update
MS-Q

Once executed, Sober.d drops the following files into the C:\winnt\system32 or C:\windows\system32 directory:

mslogs32.dll (a copy of e-mail addresses found)
humgly.lkur (empty)
temp32x.data (46,244 bytes, Base-64 encoded copy of the worm)
wintmpx33.dat (46,426 bytes, Base-64 encoded ZIP containing the worm)
yfjq.yqwm (empty)
zmndpgwf.kxx (empty)

In order for the virus to run every time the infected machine is rebooted, the virus adds the following to the system Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\disc32data "spool32" = %SYSDIR%\diagwinhost.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "diagdir" = %SYSDIR%\diagwinhost.exe %1
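The attachment names, dropped files and Registry entries above are the indicators an administrator would check for, both at the mail gateway and on a suspect host. The following Python script is an added example, not code from the article or from any antivirus vendor: it flags attachments whose name matches the lure list, matches a %SYSDIR% listing against the dropped-file names and sizes, and scans a text export of the Registry (the .reg format written by regedit) for the two persistence entries. The sample listing and Registry export at the bottom are constructed for illustration; only the indicator values themselves come from the article.

```python
"""Triage helpers for the Sober.d indicators described in the article.

Added example. Indicator values (names, sizes, Registry paths) are taken
from the article; the sample listing and .reg export below are constructed.
"""
import re

# Attachment base names used by the lure; the extension is .exe or .zip.
LURE_BASENAMES = {"sys-patch", "ms-ud", "ms-security", "patch", "update", "ms-q"}
LURE_EXTENSIONS = (".exe", ".zip")

# Files dropped into %SYSDIR%: name -> size in bytes (None where the article gives none).
DROPPED_FILES = {
    "mslogs32.dll": None,    # harvested e-mail addresses, size varies
    "humgly.lkur": 0,
    "temp32x.data": 46244,   # Base-64 encoded copy of the worm
    "wintmpx33.dat": 46426,  # Base-64 encoded ZIP containing the worm
    "yfjq.yqwm": 0,
    "zmndpgwf.kxx": 0,
}

# Persistence entries: (Registry key, value name), compared case-insensitively.
PERSISTENCE = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\disc32data", "spool32"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "diagdir"),
}
PERSISTENCE_LOWER = {(k.lower(), n.lower()) for k, n in PERSISTENCE}
PERSISTENCE_BINARY = "diagwinhost.exe"  # binary both entries point at


def is_lure_attachment(filename: str) -> bool:
    """True when an attachment name is one of the names the worm sends."""
    name = filename.strip().lower()
    return any(name.endswith(ext) and name[: -len(ext)] in LURE_BASENAMES
               for ext in LURE_EXTENSIONS)


def find_dropped_files(listing: dict) -> list:
    """Return names in a %SYSDIR% listing {name: size} that match the dropped-file set.

    Size is checked only where the article states one; mslogs32.dll matches on name alone.
    """
    hits = []
    for name, size in listing.items():
        key = name.lower()
        if key not in DROPPED_FILES:
            continue
        expected = DROPPED_FILES[key]
        if expected is None or expected == size:
            hits.append(name)
    return sorted(hits)


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def find_persistence(reg_export: str) -> list:
    """Scan a regedit text export for the Sober.d Run/RunOnce entries.

    A value is flagged if its (key, name) pair is a known entry, or if any
    autorun value points at diagwinhost.exe under another name.
    Returns (key, value name, decoded data) tuples in file order.
    """
    hits = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if not m or current_key is None:
            continue
        # .reg files double every backslash inside string data; undo that.
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        known_pair = (current_key.lower(), name.lower()) in PERSISTENCE_LOWER
        if known_pair or PERSISTENCE_BINARY in data.lower():
            hits.append((current_key, name, data))
    return hits


# Constructed sample data (not from a real machine).
SAMPLE_LISTING = {
    "kernel32.dll": 984064, "notepad.exe": 66048, "mslogs32.dll": 1523,
    "humgly.lkur": 0, "temp32x.data": 46244, "wintmpx33.dat": 46426,
}
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\disc32data]
"spool32"="C:\\WINNT\\system32\\diagwinhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"diagdir"="C:\\WINNT\\system32\\diagwinhost.exe %1"
'''

if __name__ == "__main__":
    for att in ("MS-Security.exe", "Patch.zip", "report.exe"):
        print(f"{att}: {'LURE' if is_lure_attachment(att) else 'ok'}")
    print("dropped files:", find_dropped_files(SAMPLE_LISTING))
    for key, name, data in find_persistence(SAMPLE_REG):
        print(f"persistence: {key} -> {name} = {data}")
```

On a live host the .reg input would come from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and likewise for RunOnce), and the listing from a directory walk of %SYSDIR%; the functions take plain text and a dict so they can also be run over evidence collected from an offline image.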

Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Panda, Sophos, Symantec, and Trend Micro.
