Email-Worm:W32/Sober

Name: Email-Worm:W32/Sober
Category: Malware
Type: Email-Worm
Platform: W32

Summary

A worm that spreads via e-mail, usually as an infected executable file attachment.

Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Additional Details

Email-Worm:W32/Sober disguises itself as a security warning about a possible new worm, with a fix supposedly coming from an anti-virus company. The worm uses attachment names such as anti_virusdoc.pif, check-patch.bat and playme.exe.

The worm is packed with a modified version of UPX and was written in Visual Basic. It has its own SMTP engine, which it uses to send e-mail messages.


Installation

It modifies the Windows registry under:

  •  [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    or
  •  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

to point to where the executable copies of the worm are dropped.

Some of the possible locations are:

  •  %SysDir%\similare.exe
  •  %SysDir%\sysrunll.exe
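The autostart entries described above are the most direct host-side indicator, so the following added example (not F-Secure's code) enumerates the two Run keys named in the description and flags any value whose target file name is one of the listed drop names. The `winreg` enumeration only runs on Windows; the matching logic is pure Python so it can be fed entries from an exported key or a forensic image. The default system directory `C:\Windows\System32` and the `%SysDir%` placeholder expansion are assumptions.

```python
"""Added example: check the Run keys named in the description for Sober's known drop names."""
import re
import sys
import ntpath

# Drop file names taken from the description above.
KNOWN_DROP_NAMES = {"similare.exe", "sysrunll.exe"}

# The autostart subkey the description names (same path under HKCU and HKLM).
RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Assumed default system directory; pass the real value on a live host.
DEFAULT_SYSDIR = r"C:\Windows\System32"


def _expand_sysdir(path: str, sysdir: str) -> str:
    """Expand the system-directory placeholders used by the description (%SysDir%) and by Windows."""
    pattern = r"%sysdir%|%systemroot%\\system32|%windir%\\system32"
    return re.sub(pattern, lambda _m: sysdir, path, flags=re.IGNORECASE)


def _command_target(command: str) -> str:
    """Pull the executable path out of a Run value's command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def flag_run_entries(entries, sysdir=DEFAULT_SYSDIR):
    """entries: iterable of (hive, value_name, command).

    Returns (hive, value_name, expanded_target) for every entry whose target
    file name is one of Sober's known drop names, in input order."""
    findings = []
    for hive, name, command in entries:
        target = _expand_sysdir(_command_target(command), sysdir)
        if ntpath.basename(target).lower() in KNOWN_DROP_NAMES:
            findings.append((hive, name, target))
    return findings


def read_run_entries():
    """Enumerate Run values from HKCU and HKLM on a Windows host; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module, imported lazily
    entries = []
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    for hive_name, hive in hives:
        try:
            key = winreg.OpenKey(hive, RUN_SUBKEY)
        except OSError:
            continue  # key absent or not readable with current rights
        with key:
            index = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                entries.append((hive_name, name, str(data)))
                index += 1
    return entries


if __name__ == "__main__":
    for hive, name, target in flag_run_entries(read_run_entries()):
        print(f"{hive}\\{RUN_SUBKEY}\\{name} -> {target}")
```

On a suspect host, run the script as a user who can read both hives; the HKLM key in particular needs elevation to be enumerated reliably. A match on either name is a strong indicator because neither file name has any legitimate use in the system directory.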



Propagation (E-mail)

Sober spoofs different mail clients by using one of the following X-Mailer headers:

  •  X-Mailer: Microsoft Outlook Express 6.00.2600.0000
  •  X-Mailer: Microsoft Outlook Express 5.00.3018.1300
  •  X-Mailer: Safety_Mail Server
  •  X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
  •  X-Mailer: Microsoft Outlook IMO, Build 9.0.

It sends e-mails with the following subjects:

In German:

  •  Neuer Virus im Umlauf!
  •  Back At The Funny Farm
  •  Sie versenden Spam Mails (Virus?)
  •  Ein Wurm ist auf Ihrem Computer!
  •  Langsam reicht es mir
  •  Sie haben mir einen Wurm geschickt!
  •  Hi Schnuckel was machst du so ?
  •  VORSICHT!!! Neuer Mail Wurm
  •  Re: Kontakt
  •  RE: Sex
  •  Sorry, Ich habe Ihre Mail bekommen
  •  Hi Olle, lange niks mehr geh
  •  Re: lol
  •  Viurs blockiert jeden PC (Vorsicht!)
  •  Überraschung
  •  Ich habe Ihre E-Mail bekommen !
  •  Jetzt rate mal, wer ich bin !?
  •  Neue Sobig Variante (Lesen!!)
  •  Ich Liebe Dich

In English:

  •  Congratulations!! Your Sobig Worms are very good!!!
  •  You are a very good programmer!
  •  Yours faithfully
  •  Odin alias Anon
  •  Odin_Worm.exe
  •  New internet virus!
  •  You send spam mails (Worm?)
  •  A worm is on your computer!
  •  You have sent me a virus!
  •  Hi darling, what are you doing now?
  •  Be careful! New mail worm
  •  Re: Contact
  •  Sorry, I've become your mail
  •  Hey man, long not see you
  •  Viurs blocked every PC (Take care!)
  •  Surprise
  •  I've become your mail!
  •  Advise who I am!
  •  New Sobig-Worm variation (please read)
  •  I love you (I'm not a virus!)
  •  I permanently get Spam-Mails from you and inside is a virus!!
  •  You should remove these thing.

Attachment names are picked from the following list:

  •  AntiVirusDoc.pif
  •  Check-Patch.bat
  •  Screen_Doku.scr
  •  Removal-Tool.exe
  •  Perversionen.scr
  •  CM-Recover.com
  •  Bild.scr
  •  schnitzel.exe
  •  robot_mail.scr
  •  RobotMailer.com
  •  Privat.exe
  •  AntiTrojan.exe
  •  Mausi.scr
  •  NackiDei.com
  •  Anti-Sob.bat
  •  security.pif
  •  Funny.scr
  •  Liebe.com
  •  Odin_Worm.exe
  •  check-patch.bat
  •  anti_virusdoc.pif
  •  perversion.scr
  •  removal-tool.exe
  •  screen_doc.scr
  •  potency.pif
  •  CM-Recover.com
  •  pic.scr
  •  playme.exe
  •  robot_mailer.pif
  •  private.exe
  •  anti-trojan.exe
  •  love.com
  •  nacked.com
  •  anti-Sob.bat
  •  NAV.pif
  •  funny.scr
  •  little-scr.scr
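The forged X-Mailer headers, the subject lines and the attachment names above together give a mail gateway enough to triage a message. The following added example (not F-Secure's code) parses a raw RFC 822 message with Python's standard `email` module and scores it against those three indicator lists; it covers both the propagation headers and the attachment-name list. The subject and attachment sets are a subset of the page's lists (extend them from the page as needed), the verdict thresholds are an assumption, and the two sample messages are constructed, not real captures.

```python
"""Added example: triage a message against the Sober e-mail indicators listed above."""
from email import message_from_string
from email.header import decode_header, make_header

# X-Mailer values the description says Sober forges (copied from the list above).
SOBER_XMAILERS = {
    "Microsoft Outlook Express 6.00.2600.0000",
    "Microsoft Outlook Express 5.00.3018.1300",
    "Safety_Mail Server",
    "Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)",
    "Microsoft Outlook IMO, Build 9.0.",
}

# Subset of the German and English subjects from the lists above, compared case-insensitively.
SOBER_SUBJECTS = {s.casefold() for s in (
    "Neuer Virus im Umlauf!",
    "Ein Wurm ist auf Ihrem Computer!",
    "Neue Sobig Variante (Lesen!!)",
    "New internet virus!",
    "A worm is on your computer!",
    "New Sobig-Worm variation (please read)",
    "I love you (I'm not a virus!)",
)}

# Subset of the attachment names from the list above, compared case-insensitively.
SOBER_ATTACHMENTS = {n.lower() for n in (
    "AntiVirusDoc.pif", "Check-Patch.bat", "Removal-Tool.exe", "Odin_Worm.exe",
    "playme.exe", "NAV.pif", "security.pif", "anti-trojan.exe",
)}

# Extensions under which the listed attachments ship.
EXECUTABLE_EXTENSIONS = (".exe", ".pif", ".scr", ".com", ".bat")


def _decoded(value: str) -> str:
    """Decode an RFC 2047 header value into plain text."""
    return str(make_header(decode_header(value)))


def _attachment_names(msg):
    """File names of every leaf MIME part that carries a filename."""
    return [part.get_filename() for part in msg.walk()
            if not part.is_multipart() and part.get_filename()]


def score_message(raw: str) -> dict:
    """Return {"hits": [(indicator, value), ...], "verdict": ...} for a raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []

    xmailer = msg.get("X-Mailer", "").strip()
    if xmailer in SOBER_XMAILERS:
        hits.append(("x-mailer", xmailer))

    subject = _decoded(msg.get("Subject", "")).strip()
    if subject.casefold() in SOBER_SUBJECTS:
        hits.append(("subject", subject))

    for name in _attachment_names(msg):
        lowered = name.lower()
        if lowered in SOBER_ATTACHMENTS:
            hits.append(("attachment-name", lowered))
        elif lowered.endswith(EXECUTABLE_EXTENSIONS):
            hits.append(("executable-attachment", lowered))

    # Assumed thresholds: a listed attachment name alone is decisive; a forged
    # header or listed subject needs an executable attachment to back it up.
    kinds = {kind for kind, _ in hits}
    header_hit = bool(kinds & {"x-mailer", "subject"})
    if "attachment-name" in kinds or (header_hit and "executable-attachment" in kinds):
        verdict = "likely-sober"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hits": hits, "verdict": verdict}


# Constructed sample messages (not real captures); the base64 body is dummy text.
SAMPLE_SOBER = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: New internet virus!
X-Mailer: Safety_Mail Server
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please run the attached fix.
--b1
Content-Type: application/octet-stream; name="Removal-Tool.exe"
Content-Disposition: attachment; filename="Removal-Tool.exe"
Content-Transfer-Encoding: base64

ZHVtbXk=
--b1--
"""

SAMPLE_CLEAN = """\
From: colleague@example.invalid
To: recipient@example.invalid
Subject: Meeting notes
Content-Type: text/plain; charset="us-ascii"

See you at three.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_SOBER, SAMPLE_CLEAN):
        print(score_message(raw))
```

Matching on the exact forged X-Mailer strings is cheap but brittle, which is why the verdict is only escalated when an executable attachment is present as well; the attachment-name list is the indicator least likely to collide with legitimate mail.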


Variant: Sober.A
Description:
Sober is an email worm, sending messages in English and German, sometimes posing as a fix from an Anti-Virus company.