F-Secure
Tools
Email-Worm:W32/Sober
| Name : | Email-Worm:W32/Sober |
| Category: | Malware |
| Type: | Email-Worm |
| Platform: | W32 |
Summary
A worm that spreads via e-mail, usually in infected executable e-mail file attachments.
Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
For more general information on disinfection, please see Removal Instructions.
Additional Details
Email-Worm:W32/Sober disguises itself as a security warning for a possible new worm and a fix coming from an Anti-Virus company. The worm uses attachment names such as anti_virusdoc.pif, check-patch.bat, playme.exe.
The worm was packed with a modified version of UPX and was written in Visual Basic. It has its own SMTP engine which will be used when sending e-mail messages.
Installation
It will modify the Windows' registry under:
to point to where the executable copies of the worm are dropped.
Some of the possible locations are:
Propagation (E-mail)
Sober will spoof different mail clients, using the headers:
It will send e-mails with the following subjects:
In German:
In English:
Attachment names are picked from the list:
The worm was packed with a modified version of UPX and was written in Visual Basic. It has its own SMTP engine which will be used when sending e-mail messages.
Installation
It will modify the Windows' registry under:
• [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
or
or
• [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
to point to where the executable copies of the worm are dropped.
Some of the possible locations are:
• %SysDir%\similare.exe
• %SysDir%\sysrunll.exe
Propagation (E-mail)
Sober will spoof different mail clients, using the headers:
• X-Mailer: Microsoft Outlook Express 6.00.2600.0000
• X-Mailer: Microsoft Outlook Express 5.00.3018.1300
• X-Mailer: Safety_Mail Server
• X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
• X-Mailer: Microsoft Outlook IMO, Build 9.0.
It will send e-mails with the following subjects:
In German:
• Neuer Virus im Umlauf!
• Back At The Funny Farm
• Sie versenden Spam Mails (Virus?)
• Ein Wurm ist auf Ihrem Computer!
• Langsam reicht es mir
• Sie haben mir einen Wurm geschickt!
• Hi Schnuckel was machst du so ?
• VORSICHT!!! Neuer Mail Wurm
• Re: Kontakt
• RE: Sex
• Sorry, Ich habe Ihre Mail bekommen
• Hi Olle, lange niks mehr geh
• Re: lol
• Viurs blockiert jeden PC (Vorsicht!)
• berraschung
• Ich habe Ihre E-Mail bekommen !
• Jetzt rate mal, wer ich bin !?
• Neue Sobig Variante (Lesen!!)
• Ich Liebe Dich
In English:
• Congratulations!! Your Sobig Worms are very good!!!
• You are a very good programmer!
• Yours faithfully
• Odin alias Anon
• Odin_Worm.exe
• New internet virus!
• You send spam mails (Worm?)
• A worm is on your computer!
• You have sent me a virus!
• Hi darling, what are you doing now?
• Be careful! New mail worm
• Re: Contact
• Sorry, I've become your mail
• Hey man, long not see you
• Viurs blocked every PC (Take care!)
• Surprise
• I've become your mail!
• Advise who I am!
• New Sobig-Worm variation (please read)
• I love you (I'm not a virus!)
• I permanently get Spam-Mails from you and inside is a virus!!
• You should remove these thing.
Attachment names are picked from the list:
• AntiVirusDoc.pif
• Check-Patch.bat
• Screen_Doku.scr
• Removal-Tool.exe
• Perversionen.scr
• CM-Recover.com
• Bild.scr
• schnitzel.exe
• robot_mail.scr
• RobotMailer.com
• Privat.exe
• AntiTrojan.exe
• Mausi.scr
• NackiDei.com
• Anti-Sob.bat
• security.pif
• Funny.scr
• Liebe.com
• Odin_Worm.exe
• check-patch.bat
• anti_virusdoc.pif
• perversion.scr
• removal-tool.exe
• screen_doc.scr
• potency.pif
• CM-Recover.com
• pic.scr
• playme.exe
• robot_mailer.pif
• private.exe
• anti-trojan.exe
• love.com
• nacked.com
• anti-Sob.bat
• NAV.pif
• funny.scr
• little-scr.scr
| Variant: | Sober.A |
Sober is an email worm, sending messages in English and German, sometimes posing as a fix from an Anti-Virus company.