Weekly Virus Report – Sober, Wincap and Duster Worms

This week’s report will focus on the B variants of three malicious code: Sober, Wincap and Duster.

Sober.B is a worm that spreads via e-mail in a message written in English or German. This worm sends itself out to all the addresses it finds using its own SMTP engine and validates itself on the mail servers from which it sends itself out under the name ‘MailerVB.de’.

When Sober.B has infected a computer, it creates two copies of itself, which stay resident in memory. This worm checks if both copies are running, and if one of the processes has terminated, or if one of the files has been deleted, the other copy will regenerate it.

The second malicious code, Duster.B, is a virus with the characteristics of a worm that spreads through the P2P file sharing program KaZaA and across network shares. It does this following the routines below:

– Through KaZaA

Duster.B looks for the default shared folder of this file sharing program. If this folder is not shared, it modifies an entry in the Windows Registry in order to share it. Then, it infects all the PE files it finds in the shared folder by adding its code to the beginning of them. When other users access these files remotely, they will download the files infected by Duster.B, thinking that they are useful computer programs, images, etc. However, when they run the downloaded file, their computers will also be infected by Duster.B.

– Across network shares.

Duster.B checks if the infected computer belongs to a network and if it is, it tries to copy the file DUST.EXE to all the network computers and creates a file called AUTOEXEC.BAT on each one. The aim of this file is to run the virus every time the computer is started.

Duster.B connects to the IP address 208.178.231.190, which belongs to an IRC server, through port 6667. After it has done this, it waits for control commands like download and run files.

We are going to finish this week’s report with Wincap.B, a Trojan that contains a list of web addresses belonging to online financial entities, among others. When the user accesses any of these websites, this malicious code tries to capture the passwords used and saves them in a file that it will compress and send to a hacker via e-mail.