Threat Description

Email-Worm:W32/Sober

Details

Aliases: Email-Worm:W32/Sober
Category: Malware
Type: Email-Worm
Platform: W32

Summary

A worm that spreads via e-mail, usually in infected executable e-mail file attachments.

Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Technical Details

Email-Worm:W32/Sober disguises itself as a security warning about a possible new worm, with a fix supposedly coming from an anti-virus company. The worm uses attachment names such as anti_virusdoc.pif, check-patch.bat and playme.exe. It is written in Visual Basic and packed with a modified version of UPX, and it carries its own SMTP engine, which it uses to send its e-mail messages.

Installation

It modifies the Windows registry under:

  • [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

so that a value there points to where the executable copies of the worm are dropped.

Some of the possible locations are:

  • %SysDir%\similare.exe
  • %SysDir%\sysrunll.exe
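
The persistence described above leaves a Run value whose target is one of the two drop names, which makes it easy to check from a registry export. The following Python is an added example written for this page, not F-Secure's code or a detection taken from the product. The .reg text it parses is a constructed sample (the benign entries and the assumed %SysDir% of C:\WINDOWS\System32 are made up), and the only Sober-specific inputs are the two file names and the two Run keys listed above.

```python
import re
from pathlib import PureWindowsPath

# File names the worm drops into %SysDir% (from the description above).
SOBER_DROP_NAMES = {"similare.exe", "sysrunll.exe"}

# The two Run keys the worm writes to, as they appear in a .reg export
# (HKCU / HKLM spelled out), compared case-insensitively.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

# Constructed sample: what `reg export` of the two Run keys might look like
# on a machine where the worm has installed itself. The benign entries and
# the assumed %SysDir% (C:\WINDOWS\System32) are made up for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"similare"="C:\\WINDOWS\\System32\\similare.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"sysrunll"="\"C:\\WINDOWS\\System32\\sysrunll.exe\" -start"
'''

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]*)"="(.*)"$')


def unescape_reg_string(data: str) -> str:
    """Undo .reg string escaping (doubled backslashes and escaped quotes)."""
    return re.sub(r'\\(["\\])', r"\1", data)


def executable_path(command: str) -> str:
    """Return the program path from a Run value, dropping any arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def find_sober_run_entries(reg_export: str) -> list[tuple[str, str, str]]:
    """Return (key, value name, program path) for every Run entry whose
    program file name is one of the worm's known drop names."""
    hits = []
    current_key = None
    for line in reg_export.splitlines():
        key_match = KEY_LINE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        if current_key is None or current_key.lower() not in RUN_KEYS:
            continue
        value_match = VALUE_LINE.match(line)
        if not value_match:
            continue
        name, data = value_match.groups()
        path = executable_path(unescape_reg_string(data))
        if PureWindowsPath(path).name.lower() in SOBER_DROP_NAMES:
            hits.append((current_key, name, path))
    return hits


if __name__ == "__main__":
    for key, name, path in find_sober_run_entries(SAMPLE_REG_EXPORT):
        print(f"{key}\\{name} -> {path}")
```

Matching on the file name rather than the full path keeps the check independent of where %SysDir% actually is on the machine; a quoted command line with arguments (as in the sysrunll sample) is handled by taking only the quoted program path.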

Propagation (E-mail)

Sober spoofs different mail clients, using one of the following X-Mailer headers:

  • X-Mailer: Microsoft Outlook Express 6.00.2600.0000
  • X-Mailer: Microsoft Outlook Express 5.00.3018.1300
  • X-Mailer: Safety_Mail Server
  • X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
  • X-Mailer: Microsoft Outlook IMO, Build 9.0.

It sends e-mails with the following subjects.

In German:

  • Neuer Virus im Umlauf!
  • Back At The Funny Farm
  • Sie versenden Spam Mails (Virus?)
  • Ein Wurm ist auf Ihrem Computer!
  • Langsam reicht es mir
  • Sie haben mir einen Wurm geschickt!
  • Hi Schnuckel was machst du so ?
  • VORSICHT!!! Neuer Mail Wurm
  • Re: Kontakt
  • RE: Sex
  • Sorry, Ich habe Ihre Mail bekommen
  • Hi Olle, lange niks mehr geh
  • Re: lol
  • Viurs blockiert jeden PC (Vorsicht!)
  • Überraschung
  • Ich habe Ihre E-Mail bekommen !
  • Jetzt rate mal, wer ich bin !?
  • Neue Sobig Variante (Lesen!!)
  • Ich Liebe Dich

In English:

  • Congratulations!! Your Sobig Worms are very good!!!
  • You are a very good programmer!
  • Yours faithfully
  • Odin alias Anon
  • Odin_Worm.exe
  • New internet virus!
  • You send spam mails (Worm?)
  • A worm is on your computer!
  • You have sent me a virus!
  • Hi darling, what are you doing now?
  • Be careful! New mail worm
  • Re: Contact
  • Sorry, I've become your mail
  • Hey man, long not see you
  • Viurs blocked every PC (Take care!)
  • Surprise
  • I've become your mail!
  • Advise who I am!
  • New Sobig-Worm variation (please read)
  • I love you (I'm not a virus!)
  • I permanently get Spam-Mails from you and inside is a virus!!
  • You should remove these thing.

Attachment names are picked from the list:

  • AntiVirusDoc.pif
  • Check-Patch.bat
  • Screen_Doku.scr
  • Removal-Tool.exe
  • Perversionen.scr
  • CM-Recover.com
  • Bild.scr
  • schnitzel.exe
  • robot_mail.scr
  • RobotMailer.com
  • Privat.exe
  • AntiTrojan.exe
  • Mausi.scr
  • NackiDei.com
  • Anti-Sob.bat
  • security.pif
  • Funny.scr
  • Liebe.com
  • Odin_Worm.exe
  • check-patch.bat
  • anti_virusdoc.pif
  • perversion.scr
  • removal-tool.exe
  • screen_doc.scr
  • potency.pif
  • CM-Recover.com
  • pic.scr
  • playme.exe
  • robot_mailer.pif
  • private.exe
  • anti-trojan.exe
  • love.com
  • nacked.com
  • anti-Sob.bat
  • NAV.pif
  • funny.scr
  • little-scr.scr
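
The three indicator sets above (spoofed X-Mailer headers, subject lines and attachment names) can be checked together on a message at the mail gateway or in a mailbox export. The following Python is an added example written for this page, not F-Secure's code or a detection from the product. The two messages it parses are constructed samples with an inert placeholder payload, the subject and attachment lists are abridged from the lists above, and the combination rule in verdict() is this example's own assumption: a known attachment name is treated as decisive, while an X-Mailer or subject match counts only together with an executable attachment, since the Outlook Express X-Mailer values are also sent by the real client.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above. The subject and attachment
# sets are abridged; extend them with the full lists from the page.
SOBER_XMAILERS = {
    "Microsoft Outlook Express 6.00.2600.0000",
    "Microsoft Outlook Express 5.00.3018.1300",
    "Safety_Mail Server",
    "Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)",
    "Microsoft Outlook IMO, Build 9.0.",
}
SOBER_SUBJECTS = {
    "neuer virus im umlauf!",
    "ein wurm ist auf ihrem computer!",
    "new internet virus!",
    "a worm is on your computer!",
    "new sobig-worm variation (please read)",
    "i love you (i'm not a virus!)",
}
SOBER_ATTACHMENTS = {
    "antivirusdoc.pif", "anti_virusdoc.pif", "check-patch.bat", "removal-tool.exe",
    "odin_worm.exe", "playme.exe", "nav.pif", "security.pif", "anti-sob.bat",
}
# Extensions Windows executes directly when the user opens the attachment.
EXEC_EXTENSIONS = (".exe", ".pif", ".bat", ".scr", ".com")


def triage(raw_message: str) -> list[str]:
    """Return the Sober indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    x_mailer = str(msg.get("X-Mailer", "")).strip()
    if x_mailer in SOBER_XMAILERS:
        hits.append(f"x-mailer:{x_mailer}")
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in SOBER_SUBJECTS:
        hits.append(f"subject:{subject}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name in SOBER_ATTACHMENTS:
            hits.append(f"attachment:{name}")
        elif name.endswith(EXEC_EXTENSIONS):
            hits.append(f"executable-attachment:{name}")
    return hits


def verdict(hits: list[str]) -> str:
    """Combination rule (this example's assumption): a known attachment name
    is decisive; an X-Mailer or subject match counts only together with an
    executable attachment, because the Outlook Express X-Mailer values are
    also produced by the genuine client."""
    kinds = {h.split(":", 1)[0] for h in hits}
    if "attachment" in kinds:
        return "sober"
    if "executable-attachment" in kinds and kinds & {"subject", "x-mailer"}:
        return "sober"
    return "clean"


def build_message(subject, x_mailer, filename, payload, maintype, subtype):
    """Construct a sample message (not a real capture) for the demonstration."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = subject
    msg["X-Mailer"] = x_mailer
    msg.set_content("See the attached file.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_string()


# Constructed samples: an inert placeholder payload stands in for the worm.
SOBER_SAMPLE = build_message("New internet virus!", "Safety_Mail Server",
                             "check-patch.bat", b"placeholder, not the worm",
                             "application", "octet-stream")
BENIGN_SAMPLE = build_message("Meeting notes", "Microsoft Outlook Express 6.00.2600.0000",
                              "agenda.pdf", b"%PDF-1.4 placeholder", "application", "pdf")

if __name__ == "__main__":
    for label, raw in (("sober", SOBER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        hits = triage(raw)
        print(label, verdict(hits), hits)
```

The benign sample carries a genuine-looking Outlook Express X-Mailer value and still comes out clean, which is the point of weighting the header below the attachment evidence; the same structure works on real mailbox exports by feeding each message's raw text to triage().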

Variant: Sober.A

Sober is an email worm, sending messages in English and German, sometimes posing as a fix from an Anti-Virus company.