Additional Details
Email-Worm:W32/Sober disguises itself as a security warning about a possible new worm, together with a fix purportedly coming from an anti-virus company. The worm uses attachment names such as anti_virusdoc.pif, check-patch.bat, playme.exe.
The worm is packed with a modified version of UPX and is written in Visual Basic. It has its own SMTP engine, which it uses to send e-mail messages.
Installation
It modifies the Windows registry under:
- [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
or
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
to point to where the executable copies of the worm are dropped.
Some of the possible locations are:
- %SysDir%\similare.exe
- %SysDir%\sysrunll.exe
Propagation (E-mail)
Sober spoofs different mail clients by using one of the following X-Mailer headers:
- X-Mailer: Microsoft Outlook Express 6.00.2600.0000
- X-Mailer: Microsoft Outlook Express 5.00.3018.1300
- X-Mailer: Safety_Mail Server
- X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
- X-Mailer: Microsoft Outlook IMO, Build 9.0.
It sends e-mails with one of the following subjects:
In German:
- Neuer Virus im Umlauf!
- Back At The Funny Farm
- Sie versenden Spam Mails (Virus?)
- Ein Wurm ist auf Ihrem Computer!
- Langsam reicht es mir
- Sie haben mir einen Wurm geschickt!
- Hi Schnuckel was machst du so ?
- VORSICHT!!! Neuer Mail Wurm
- Re: Kontakt
- RE: Sex
- Sorry, Ich habe Ihre Mail bekommen
- Hi Olle, lange niks mehr geh
- Re: lol
- Viurs blockiert jeden PC (Vorsicht!)
- Überraschung
- Ich habe Ihre E-Mail bekommen !
- Jetzt rate mal, wer ich bin !?
- Neue Sobig Variante (Lesen!!)
- Ich Liebe Dich
In English:
- Congratulations!! Your Sobig Worms are very good!!!
- You are a very good programmer!
- Yours faithfully
- Odin alias Anon
- Odin_Worm.exe
- New internet virus!
- You send spam mails (Worm?)
- A worm is on your computer!
- You have sent me a virus!
- Hi darling, what are you doing now?
- Be careful! New mail worm
- Re: Contact
- Sorry, I've become your mail
- Hey man, long not see you
- Viurs blocked every PC (Take care!)
- Surprise
- I've become your mail!
- Advise who I am!
- New Sobig-Worm variation (please read)
- I love you (I'm not a virus!)
- I permanently get Spam-Mails from you and inside is a virus!!
- You should remove these thing.
Attachment names are picked from the following list:
- AntiVirusDoc.pif
- Check-Patch.bat
- Screen_Doku.scr
- Removal-Tool.exe
- Perversionen.scr
- CM-Recover.com
- Bild.scr
- schnitzel.exe
- robot_mail.scr
- RobotMailer.com
- Privat.exe
- AntiTrojan.exe
- Mausi.scr
- NackiDei.com
- Anti-Sob.bat
- security.pif
- Funny.scr
- Liebe.com
- Odin_Worm.exe
- check-patch.bat
- anti_virusdoc.pif
- perversion.scr
- removal-tool.exe
- screen_doc.scr
- potency.pif
- pic.scr
- playme.exe
- robot_mailer.pif
- private.exe
- anti-trojan.exe
- love.com
- nacked.com
- anti-Sob.bat
- NAV.pif
- funny.scr
- little-scr.scr
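An added example (not F-Secure's own code) that applies the indicators above to an incoming message using only the Python standard library: the X-Mailer set is complete, the subject and attachment sets are a subset of the lists above, and the sample message is constructed rather than captured.

```python
from email import message_from_string

# Indicators quoted from the description above; attachment names are
# lower-cased because the list mixes cases (Check-Patch.bat / check-patch.bat).
SOBER_XMAILERS = {
    "Microsoft Outlook Express 6.00.2600.0000",
    "Microsoft Outlook Express 5.00.3018.1300",
    "Safety_Mail Server",
    "Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)",
    "Microsoft Outlook IMO, Build 9.0.",
}
SOBER_SUBJECTS = {
    "New internet virus!", "A worm is on your computer!",
    "Neuer Virus im Umlauf!", "Ein Wurm ist auf Ihrem Computer!",
}
SOBER_ATTACHMENTS = {
    "anti_virusdoc.pif", "antivirusdoc.pif", "check-patch.bat", "playme.exe",
    "removal-tool.exe", "anti-trojan.exe", "nav.pif", "security.pif",
}

def sober_indicators(raw_message: str) -> list[str]:
    """Return the Sober indicators found in an RFC 822 message string."""
    msg = message_from_string(raw_message)
    hits = []
    if msg.get("X-Mailer", "").strip() in SOBER_XMAILERS:
        hits.append("x-mailer")
    if msg.get("Subject", "").strip() in SOBER_SUBJECTS:
        hits.append("subject")
    for part in msg.walk():  # the root message, then every MIME part
        name = part.get_filename()
        if name and name.lower() in SOBER_ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits

def is_sober_candidate(raw_message: str) -> bool:
    """A listed attachment name is decisive; an X-Mailer value alone is not,
    since genuine Outlook Express clients send it too, so otherwise require
    a spoofed X-Mailer together with a listed subject."""
    hits = sober_indicators(raw_message)
    if any(h.startswith("attachment:") for h in hits):
        return True
    return "x-mailer" in hits and "subject" in hits

# Constructed sample message (not a real capture) carrying all three indicators.
SAMPLE = (
    "From: sender@example.invalid\nTo: you@example.invalid\n"
    "Subject: New internet virus!\nX-Mailer: Safety_Mail Server\n"
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nPlease run the attached fix.\n--b1\n"
    'Content-Disposition: attachment; filename="check-patch.bat"\n\n'
    "placeholder\n--b1--\n"
)
```

The remaining subject lines and attachment names from the lists above can be added to the two sets without changing the logic.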
Description:
Sober is an e-mail worm that sends messages in English and German, sometimes posing as a fix from an anti-virus company.