Hostile Data — The Sober.U-3 Worm

The header as received

These come in from infected home PCs, with a variety of message bodies and forged headers. Some say, for example:

Post@fbi.gov
Subject: Your IP was logged

Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.

Others spoof a sending address of Admin@cia.gov and use a Subject line of:
You visit illegal websites

The attachment

The short message is followed by an attached zip file named downloadm.zip, mail_body.zip, mailtext.zip, question_list.zip, reg_pass-data.zip, or reg_pass.zip.

The zip file can be extracted without a password, meaning that this worm attachment can easily be spotted by virus-scanning software.

The result is a Windows executable named File-packed_dataInfo.exe.
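What the missing password means for a scanner can be read directly from a ZIP local file header. The following is an added example, not code from the original page: it decodes the header visible at offset 0000d070 in the hexdump further down this page, the one naming File-packed_dataInfo.exe. The function names and the extension list are assumptions made for the example.

```python
import struct

# Bytes 0000d070-0000d0a5 copied from the hexdump on this page: one ZIP local
# file header followed by its 24-byte member name.
LOCAL_HEADER = bytes.fromhex(
    "504b03040a0000000000009076333431"
    "7f2b5ed800005ed80000180000004669"
    "6c652d7061636b65645f64617461496e"
    "666f2e657865"
)
# Assumption for this example: extensions a mail gateway treats as executable.
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def parse_local_header(buf, off=0):
    """Decode the fixed 30-byte local file header and the name that follows."""
    if len(buf) < off + 30:
        raise ValueError("truncated local file header")
    (sig, _ver, flags, method, mtime, mdate, crc, csize, usize,
     nlen, _xlen) = struct.unpack_from("<4s5H3I2H", buf, off)
    if sig != b"PK\x03\x04":
        raise ValueError("no PK\\x03\\x04 signature at this offset")
    name = buf[off + 30:off + 30 + nlen]
    if len(name) != nlen:
        raise ValueError("truncated member name")
    return {
        "name": name.decode("cp437"),
        "encrypted": bool(flags & 0x0001),   # general-purpose flag bit 0
        "method": method,                    # 0 = stored, 8 = deflate
        "crc32": crc, "csize": csize, "usize": usize,
        # MS-DOS date and time words: (year, month, day, hour, minute, second)
        "modified": (1980 + (mdate >> 9), (mdate >> 5) & 0xF, mdate & 0x1F,
                     mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2),
    }


def triage(hdr):
    """List what a content scanner can conclude from the header alone."""
    notes = ["encrypted, member content is opaque" if hdr["encrypted"]
             else "not encrypted, member content can be scanned"]
    if hdr["method"] == 0:
        notes.append("stored, member bytes sit verbatim inside the archive")
    if hdr["name"].lower().endswith(RISKY_EXT):
        notes.append("executable extension: " + hdr["name"])
    return notes


if __name__ == "__main__":
    for line in triage(parse_local_header(LOCAL_HEADER)):
        print(line)
```

In this header the flags word is zero and the method is 0 (stored), and the recorded size 0xd85e matches the final offset 0000d85e of the hexdump.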

The executable contents

GNU utilities such as file, strings, and hexdump are useful for getting some limited idea about what this malicious code might do. The file utility reports that this executable is:
PE executable for MS Windows (GUI) Intel 80386 32-bit, UPX compressed

The following is partial output from running
  hexdump -C File-packed_dataInfo.exe
under Linux or BSD. This worm isn't terribly interesting with just a casual look. We do see:

00000000  4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00  |MZ..............|
00000010  b8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 c8 00 00 00  |................|
00000040  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
00000050  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
00000060  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
00000070  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|
00000080  5d fb c7 da 19 9a a9 89  19 9a a9 89 19 9a a9 89  |]...............|
00000090  9a 86 a7 89 18 9a a9 89  70 85 a0 89 1c 9a a9 89  |........p.......|
000000a0  09 85 a4 89 18 9a a9 89  52 69 63 68 19 9a a9 89  |........Rich....|
000000b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000c0  00 00 00 00 00 00 00 00  50 45 00 00 4c 01 03 00  |........PE..L...|
000000d0  e5 48 5d 43 00 00 00 00  00 00 00 00 e0 00 0f 01  |.H]C............|
000000e0  0b 01 06 00 00 d0 00 00  00 10 00 00 00 40 02 00  |.............@..|
[....]
0000d060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
0000d070  50 4b 03 04 0a 00 00 00  00 00 00 90 76 33 34 31  |PK..........v341|
0000d080  7f 2b 5e d8 00 00 5e d8  00 00 18 00 00 00 46 69  |.+^...^.......Fi|
0000d090  6c 65 2d 70 61 63 6b 65  64 5f 64 61 74 61 49 6e  |le-packed_dataIn|
0000d0a0  66 6f 2e 65 78 65 00 00  00 00 00 00 00 00 00 00  |fo.exe..........|
0000d0b0  50 4b 01 02 14 00 0a 00  00 00 00 00 00 90 76 33  |PK............v3|
0000d0c0  34 31 7f 2b 5e d8 00 00  5e d8 00 00 18 00 00 00  |41.+^...^.......|
0000d0d0  00 00 00 00 00 00 20 00  ff 81 00 00 00 00 46 69  |...... .......Fi|
0000d0e0  6c 65 2d 70 61 63 6b 65  64 5f 64 61 74 61 49 6e  |le-packed_dataIn|
0000d0f0  66 6f 2e 65 78 65 50 4b  05 06 00 00 00 00 01 00  |fo.exePK........|
0000d100  01 00 46 00 00 00 94 d8  00 00 00 00 00 00 00 00  |..F.............|
0000d110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
0000d240  00 00 00 00 00 00 00 00  00 00 00 00 94 22 03 00  |............."..|
0000d250  7c 22 03 00 00 00 00 00  00 00 00 00 00 00 00 00  ||"..............|
0000d260  a1 22 03 00 8c 22 03 00  00 00 00 00 00 00 00 00  |."..."..........|
0000d270  00 00 00 00 00 00 00 00  00 00 00 00 ae 22 03 00  |............."..|
0000d280  bc 22 03 00 cc 22 03 00  00 00 00 00 45 02 00 80  |."..."......E...|
0000d290  00 00 00 00 4b 45 52 4e  45 4c 33 32 2e 44 4c 4c  |....KERNEL32.DLL|
0000d2a0  00 4d 53 56 42 56 4d 36  30 2e 44 4c 4c 00 00 00  |.MSVBVM60.DLL...|
0000d2b0  4c 6f 61 64 4c 69 62 72  61 72 79 41 00 00 47 65  |LoadLibraryA..Ge|
0000d2c0  74 50 72 6f 63 41 64 64  72 65 73 73 00 00 45 78  |tProcAddress..Ex|
0000d2d0  69 74 50 72 6f 63 65 73  73 00 00 00 00 00 00 00  |itProcess.......|
0000d2e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
0000d2f0  58 42 7a 36 53 62 58 62  68 24 29 36 58 68 24 6a  |XBz6SbXbh$)6Xh$j|
0000d300  33 74 55 6d 68 45 29 57  4c 3b 53 4c 39 68 45 29  |3tUmhE)WL;SL9hE)|
0000d310  52 4c 3b 53 4c 39 68 4c  32 56 68 24 58 31 36 68  |RL;SL9hL2Vh$X16h|
0000d320  33 33 33 68 24 29 39 50  52 58 4c 31 50 4c 29 56  |333h$)9PRXL1PL)V|
0000d330  68 25 62 20 62 29 32 68  59 23 4c 32 56 3b 53 4c  |h%b b)2hY#L2V;SL|
0000d340  39 41 56 53 52 68 59 45  42 7a 33 68 59 29 58 42  |9AVSRhYEBz3hY)XB|
0000d350  7a 36 53 62 58 62 68 62  57 32 31 53 52 20 68 5f  |z6SbXbhbW21SR h_|
0000d360  50 4c 58 62 56 53 52 44  29 43 74 42 68 57 32 7a  |PLXbVSRD)CtBhW2z|
0000d370  62 53 39 58 56 39 74 42  68 24 57 32 7a 62 53 39  |bS9XV9tBh$W2zbS9|
0000d380  58 56 39 68 24 4c 32 56  3b 53 4c 39 68 3b 31 29  |XV9h$L2V;SL9h;1)|
0000d390  4c 32 56 34 76 68 24 45  29 52 36 53 43 53 52 68  |L2V4vh$E)R6SCSRh|
0000d3a0  24 57 32 7a 43 50 57 62  20 68 24 4c 58 62 32 29  |$W2zCPWb h$LXb2)|
0000d3b0  56 58 4c 68 24 4c 46 30  52 58 39 57 32 58 68 24  |VXLh$LF0RX9W2Xh$|
0000d3c0  57 32 4c 58 62 32 58 68  24 57 32 4c 58 62 32 58  |W2LXb2Xh$W2LXb2X|
0000d3d0  76 68 24 56 4c 62 4c 4c  68 24 44 29 62 58 45 57  |vh$VLbLLh$D)bXEW|
0000d3e0  36 36 4c 32 62 68 24 44  32 7a 62 53 39 58 56 39  |66L2bh$D2zbS9XV9|
0000d3f0  68 24 4c 30 4c 31 53 52  42 7a 68 24 58 57 4c 30  |h$L0L1SRBzh$XWL0|
0000d400  57 32 68 24 36 4c 57 4c  4c 68 3b 42 20 58 44 68  |W2h$6LWLLh;B XDh|
0000d410  62 50 52 20 36 36 68 25  57 52 4c 31 39 7a 68 59  |bPR 66h%WRL19zhY|
0000d420  23 3b 57 70 57 44 29 72  72 68 59 37 57 31 31 58  |#;WpWD)rrhY7W11X|
0000d430  62 76 52 20 68 45 29 52  43 53 68 29 4c 57 4c 4c  |bvR hE)RCSh)LWLL|
0000d440  68 25 57 4c 3b 68 59 43  56 57 4c 4c 58 62 32 68  |h%WL;hYCVWLLXb2h|
0000d450  45 29 52 3b 53 4c 39 68  39 57 46 4c 31 43 62 68  |E)R;SL9h9WFL1Cbh|
0000d460  24 4c 58 62 32 29 56 58  68 31 4c 52 31 4c 43 4c  |$LXb2)VXh1LR1LCL|
0000d470  68 31 4c 52 31 43 4c 62  68 52 58 39 3b 58 36 36  |h1LR1CLbhRX9;X66|
0000d480  68 4c 58 62 32 29 56 58  68 39 57 4c 46 43 31 62  |hLXb2)VXh9WLFC1b|
0000d490  68 36 4c 57 4c 4c 42 68  45 29 45 4c 3b 53 4c 39  |h6LWLLBhE)EL;SL9|
0000d4a0  68 45 44 20 31 43 62 68  31 4c 52 31 4c 43 62 68  |hED 1Cbh1LR1LCbh|
0000d4b0  31 4c 31 31 4c 43 62 68  62 52 57 39 3b 56 3b 46  |1L11LCbhbRW9;V;F|
0000d4c0  68 31 4c 31 43 62 42 7a  68 72 29 52 43 53 53 68  |h1L1CbBzhr)RCSSh|
0000d4d0  45 29 52 34 76 68 24 32  29 20 58 53 20 62 32 68  |E)R4vh$2) XS b2h|
0000d4e0  59 31 4c 56 53 52 44 29  43 4c 68 7a 76 7a 52 58  |Y1LVSRD)CLhzvzRX|
0000d4f0  39 45 53 62 46 68 4c 46  30 68 4c 32 50 7a 20 57  |9ESbFhLF0hL2Pz W|
0000d500  39 58 68 59 20 57 62 46  68 29 52 39 58 62 52 58  |9XhY WbFh)R9XbRX|
0000d510  39 68 24 4c 32 56 3b 53  4c 39 58 68 24 31 56 57  |9h$L2V;SL9Xh$1VW|
0000d520  44 44 58 57 32 68 24 3b  58 36 7a 5c 4c 32 56 3b  |DDXW2h$;X6z\L2V;|
0000d530  53 4c 39 68 6d 3b 58 36  36 72 53 39 68 39 57 4c  |SL9hm;X66rS9h9WL|
0000d540  46 31 53 52 68 24 57 32  72 43 36 58 68 62 50 52  |F1SRh$W2rC6XhbPR|
0000d550  68 24 4c 32 56 3b 53 4c  39 34 76 68 4c 32 56 3b  |h$L2V;SL94vhL2V;|
0000d560  53 4c 39 34 76 68 24 37  57 32 57 68 25 29 58 3b  |SL94vh$7W2Wh%)X;|
0000d570  58 36 7a 58 62 68 4c 32  3b 53 4c 39 68 31 4c 4c  |X6zXbhL2;SL9h1LL|
0000d580  58 56 50 62 58 68 36 4c  32 56 3b 53 4c 39 68 45  |XVPbXh6L2V;SL9hE|
0000d590  29 52 36 43 53 52 68 4c  32 56 76 34 68 72 58 39  |)R6CSRhL2Vv4hrX9|
0000d5a0  57 68 58 42 39 58 62 52  57 36 68 52 29 52 44 53  |WhXB9XbRW6hR)RDS|
0000d5b0  29 58 68 45 29 52 32 52  56 68 3b 72 31 57 29 36  |)XhE)R2RVh;r1W)6|
0000d5c0  68 59 29 7a 44 45 68 25  4c 32 56 4c 30 4c 68 42  |hY)zDEh%L2VL0LhB|
0000d5d0  42 42 68 4c 32 56 3b 53  4c 39 4c 68 4c 30 4c 39  |BBhL2V;SL9LhL0L9|
0000d5e0  58 31 68 45 29 52 20 36  36 68 59 64 45 29 52 56  |X1hE)R 66hYdE)RV|
0000d5f0  3b 58 56 46 68 59 23 45  29 52 56 3b 58 56 46 68  |;XVFhY#E)RV;XVFh|
0000d600  39 57 4c 46 4c 30 4c 68  24 43 58 52 56 62 53 53  |9WLFL0Lh$CXRVbSS|
0000d610  39 68 31 4c 32 43 62 68  50 7a 20 57 39 58 42 7a  |9h1L2CbhPz W9XBz|
0000d620  68 62 58 31 53 39 58 68  45 29 20 34 76 68 20 68  |hbX1S9XhE) 4vh h|
0000d630  45 29 52 4c 32 56 68 31  4c 52 4c 58 62 32 58 68  |E)RL2Vh1LRLXb2Xh|
0000d640  7a 29 56 42 68 59 36 53  57 20 34 76 68 52 58 39  |z)VBhY6SW 4vhRX9|
0000d650  36 29 72 68 20 3b 56 7a  56 36 29 58 52 39 68 56  |6)rh ;VzV6)XR9hV|
0000d660  29 56 36 29 58 52 39 68  20 42 20 36 36 4c 32 56  |)V6)XR9h B 66L2V|
0000d670  68 39 62 46 45 46 4c 62  32 68 52 72 39 3b 36 7a  |h9bFEFLb2hRr9;6z|
0000d680  68 3b 7a 31 57 52 57 43  58 62 68 59 70 29 4f 68  |h;z1WRWCXbhYp)Oh|
0000d690  7a 3b 57 52 39 53 31 68  24 7a 3b 57 52 39 53 31  |z;WR9S1h$z;WR9S1|
0000d6a0  68 31 4c 52 45 29 52 20  53 45 4c 68 59 64 45 29  |h1LRE)R SELhYdE)|
0000d6b0  52 29 52 58 39 68 59 23  45 29 52 29 52 58 39 68  |R)RX9hY#E)R)RX9h|
0000d6c0  4c 56 62 29 43 70 68 59  4c 57 44 58 68 25 31 4c  |LVb)CphYLWDXh%1L|
0000d6d0  36 20 6d 68 20 29 32 42  58 52 56 68 59 23 23 70  |6 mh )2BXRVhY##p|
0000d6e0  44 4f 68 59 72 62 53 52  3f 4c 7a 29 70 57 58 39  |DOhYrbSR?Lz)pWX9|
0000d6f0  50 4c 68 4c 58 62 32 56  58 68 4c 58 62 32 29 56  |PLhLXb2VXhLXb2)V|
0000d700  56 58 4c 68 59 31 53 50  4c 58 20 62 32 68 59 52  |VXLhY1SPLX b2hYR|
0000d710  53 62 39 53 52 57 52 39  29 32 29 62 50 4c 68 59  |Sb9SRWR9)2)bPLhY|
0000d720  53 44 44 29 56 58 54 50  29 56 46 57 56 56 58 4c  |SDD)VXTP)VFWVVXL|
0000d730  4c 68 59 31 4c 7a 62 53  34 76 68 58 32 29 36 68  |LhY1LzbS4vhX2)6h|
0000d740  45 29 52 4c 30 4c 68 45  50 7a 52 7a 68 29 58 42  |E)RL0LhEPzRzh)XB|
0000d750  7a 36 53 29 39 41 3b 39  31 36 68 24 29 7a 52 50  |z6S)9A;916h$)zRP|
0000d760  46 58 62 41 32 72 4c 68  59 62 58 43 62 42 68 31  |FXbA2rLhYbXCbBh1|
0000d770  56 44 20 62 32 41 4c 30  4c 68 25 31 56 44 56 56  |VD b2AL0Lh%1VDVV|
0000d780  33 68 24 43 44 43 20 43  44 20 68 24 43 44 43 20  |3h$CDC CD h$CDC |
0000d790  43 44 20 20 44 43 20 44  43 45 58 68 24 56 58 58  |CD  DC DCEXh$VXX|
0000d7a0  45 58 58 45 58 68 45 29  52 20 36 36 76 68 29 7a  |EXXEXhE)R 66vh)z|
0000d7b0  45 44 68 24 45 53 62 20  7a 57 20 68 50 7a 20 57  |EDh$ESb zW hPz W|
0000d7c0  39 58 41 7a 29 44 68 59  45 29 52 36 53 43 53 52  |9XAz)DhYE)R6SCSR|
0000d7d0  34 76 23 68 39 45 50 52  46 23 6c 4f 68 45 29 52  |4v#h9EPRF#lOhE)R|
0000d7e0  20 72 43 34 76 68 50 4c  58 62 42 68 45 29 52 39  | rC4vhPLXbBhE)R9|
0000d7f0  52 36 68 31 4c 31 4c 43  62 68 44 50 56 46 68 4c  |R6h1L1LCbhDPVFhL|
0000d800  4c 36 68 4c 4c 31 4c 4c  68 54 4c 58 56 50 58 68  |L6hLL1LLhTLXVPXh|
0000d810  24 3b 7a 4c 32 68 45 29  52 39 52 7a 42 68 45 7a  |$;zL2hE)R9RzBhEz|
0000d820  57 68 45 29 52 39 72 7a  68 45 29 52 39 72 7a 42  |WhE)R9rzhE)R9rzB|
0000d830  68 4c 44 53 53 36 68 59  45 29 52 20 62 43 34 76  |hLDSS6hYE)R bC4v|
0000d840  68 31 53 50 4c 58 4c 30  52 56 68 31 53 50 4c 58  |h1SPLXL0RVh1SPLX|
0000d850  31 31 68 31 53 50 4c 58  72 31 68 7a 58 62        |11h1SPLXr1hzXb|
0000d85e
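To read the first lines of this dump field by field, the following added example (not part of the original page) follows the DOS header to the PE signature and decodes the COFF header and the start of the optional header. The sample reuses bytes 0x00-0x3f and 0xc8-0xef from the dump and zero-fills the DOS stub and Rich header between them; the function name and the packing heuristic are assumptions of the example.

```python
import struct
from datetime import datetime, timezone

# Constructed sample: bytes 0x00-0x3f and 0xc8-0xef are copied from the dump
# above; the DOS stub and Rich header in between are zero-filled placeholders.
DOS_HEADER = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"
    "b8000000000000004000000000000000"
    "00000000000000000000000000000000"
    "000000000000000000000000c8000000"
)
PE_HEADERS = bytes.fromhex(
    "504500004c010300"
    "e5485d430000000000000000e0000f01"
    "0b01060000d000000010000000400200"
)
SAMPLE = DOS_HEADER + bytes(0xC8 - len(DOS_HEADER)) + PE_HEADERS

MACHINES = {0x014C: "Intel 80386", 0x8664: "x86-64"}
MAGICS = {0x010B: "PE32", 0x020B: "PE32+"}


def read_pe_headers(buf):
    """Follow e_lfanew from the MZ header and decode the fields behind it."""
    if buf[:2] != b"MZ" or len(buf) < 0x40:
        raise ValueError("no MZ header")
    (pe_off,) = struct.unpack_from("<I", buf, 0x3C)      # e_lfanew
    if len(buf) < pe_off + 40 or buf[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    machine, nsect, stamp, _sym, _nsym, _optsz, chars = struct.unpack_from(
        "<HHIIIHH", buf, pe_off + 4)                     # COFF file header
    magic, link_major, link_minor, code, idata, udata = struct.unpack_from(
        "<HBBIII", buf, pe_off + 24)                     # optional header start
    return {
        "pe_offset": pe_off,
        "machine": MACHINES.get(machine, hex(machine)),
        "format": MAGICS.get(magic, hex(magic)),
        "sections": nsect,
        "is_dll": bool(chars & 0x2000),
        "linker": f"{link_major}.{link_minor}",
        "built": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d"),
        "size_of_code": code, "size_of_uninit_data": udata,
        # Heuristic assumed for this example: far more uninitialized than
        # initialized space is typical of a runtime unpacker's empty section.
        "packer_hint": udata > code + idata,
    }
```

The GUI subsystem field and the section names lie in the part of the file that the dump elides, so this example does not decode them.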