The worm is written in Visual Basic. The worm's file is a PE
executable 30720 bytes long packed with a modified version of UPX
file compressor. The worm has its own SMTP engine that it uses to
send out infected e-mail messages.
The worm changes one byte at offset 0xA0 in its file upon
installation to system, but the file it sends out is unchanged.
Some of the worm's text strings are encrypted and they are
decrypted only before being used.
Installation to system
When the worm's file is started on a clean system, it opens
Paintbrush or Microsoft Paint application as a disguise.
Then the worm installs itself to system. It copies itself to
Windows System folder once, with a semi-randomly generated name
and creates 2 startup keys for this file in System Registry. The
worm uses the following fixed text strings to generate the name
of its file and the name of the startup key:
The worm creates a file named WINRUN32.DLL, where it stores all
e-mail addresses harvested from an infected computer. The worm
also creates 2 empty files in the same folder:
Additionally the worm creates 2 mime-encoded copies of its
executable file and a ZIP archive in Windows System folder with
the following names:
The worm creates 2 startup Registry keys its semi-randomly named
file in System Registry:
The subkey name that is created by the worm is semi-randomly
generated too. The value of a subkey is the path the worm's file
in Windows System folder.
Spreading in e-mails.
The worm scans files with certain extensions on all hard disks to
harvest e-mail addresses. Files with the following extensions are
The worm saves all found e-mail addresses to WINRUN32.DLL file
located in Windows System folder. This is an ASCII file, not a
Sober.E worm spreads itself in e-mails as an executable
attachment or inside a ZIP archive. The worm uses the following
strings as the subject line:
Ok ok OK!
The message body can contain the following strings:
The attachment name can consist of the following strings and a
randomly generated number:
The attachment has either PIF or ZIP extension. The worm's
executable file name inside the archives that we've received so
To send e-mails the worm uses the following mail servers:
The worm fakes the sender's e-mail address. The fake address is
composed by the worm from the following strings:
The following domain names are selected for the fake sender's
The worm avoids sending infected messages to e-mail addresses
that contain any of the following:
Sober.E worm constantly checks a hard drive for the presence of
the file named ZHCARXXI.VVX. If this file is found, the worm
unloads itself from memory. Also if this file is present on a
hard disk during the worm's installation process, the worm does
not copy itself to a hard drive.
The worm can download and run an executable file from the
The name of the downloaded file is:
The worm tries to contact several NTP servers that are hardcoded
it its body:
Detection of Sober.E worm is available in the following FSAV
Katrin Tocheva, March 28th, 2004;
Alexey Podrezov; March 28th, 2004;
Alexey Podrezov; March 29th, 2004;