Category :


Type :


Aliases :

Sober.S, Email-Worm.Win32.Sober.s,, CME-151, W32.Sober.Q@mm, W32/Sober.r@MM


Sober.S worm started spreading on October 6th, 2005. This Sober variant sends itself as an attachment in email messages with English or German texts. The worm has bugs and quite often sends broken attachments.

In addition, at about noon on October 6th, there appeared a dropper for Sober.S worm. Its description can be found here:


A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Sober.S is written in Visual Basic. The worm's file is a UPX packed PE executable about 113 kilobytes long. The unpacked worm's file size is around 251 kilobytes. The worm adds random garbage to the end of its file every time it installs itself on a computer.

Installation to system

When the worm's file is started it shows a fake error messagebox as a decoy:

After that it creates a subfolder named 'ConnectionStatus' in Windows folder and copies itself there as "services.exe" file.

Sober.S worm adds startup keys for the copied "services.exe" in System Registry:

" WinINet" = "%WinDir%\ConnectionStatus\services.exe"
"_WinINet" = "%WinDir%\ConnectionStatus\services.exe"

In addition the worm creates a file named "netslot.nst" in the same folder, where it stores its mime-encoded copy that will be used for spreading. Quite often the mime-encoded copy of the worm is corrupted.

Also the worm creates a few files in Windows System folder. Due to a bug in the worm's code the names of these files can look like a garbage, for example:

However on some systems the worm manages to create empty files with proper names:


These files are used to deactivate previous Sober variants. This particular Sober variant checks for the file called 'runstop.rst' and if such file is found, the worm deactivates itself.

The worm blocks access to its files and re-creates its startup keys in the Registry if they are deleted.

Spreading in emails

Sober.S worm sends different types of email messages with English and German texts and its file attached. The attachment is a ZIP archive containing the worm's executable.

To collect email addresses the worm scans files with the following extensions:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws
vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg
mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas
adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf
doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

The collected email addresses are stored in "socket.dli" file that is created in the same folder where the main worm's executable file is located. The worm ignores email addresses that contain any of the following substrings:

@www @from. smtp- @smtp. ftp. .dial. .ppp. .dip.t-dia anyone
@gmetref sql. someone nothing you@ user@ reciver@ somebody
secure whatever@ whoever@ anywhere yourname mustermann@
mailer-daemon variabel noreply -dav law2 .qmail@ freeav @ca.
abuse winrar domain. host. viren bitdefender spybot detection
ewido. emsisoft linux @foo. winzip @example. bellcore. @arin
@iana @avp icrosoft. @sophos @panda @kaspers free-av antivir
virus verizon. @ikarus. @nai. @messagelab nlpmail01. clock

When the worm sends an email to an address that contains "gmx." domain or has the domain suffix ".de", ".li", ".ch" or ".at", it composes messages in German, otherwise the worm composes messages in English.

The worm can compose the following English messages:


I've got your mail on my account!


First I must say, my English is very very bad! Sorry about this.
Ok, I've got an email in my box, but this email is not for me, because,,,
I'm not the recipient! The recipient are YOU !!!
This must be an email provider error, but I don't know!
I have made a Screenshot about this mail and saved in a zipped jpeg graphic file for you.
ok then,


--- OR ---


Your new Password


Your password was successfully changed!
Please see the attached file for detailed information.


--- OR ---


Registration Confirmation


Thanks for your registration.
Your data are saved in the zipped .doc file!


In addition to English messages, the Sober.S worm can compose the following German messages:


Bcc: Ich habe Ihre Mail erhalten!


Danke fur Ihre Mail ....
Sie haben aber Ihre Mail wahrscheinlich falsch adressiert,,, namlich an mich.
Ich kenne sie aber nicht!
Oder Ihr Provider hat die Mail falsch weiter geleitet!?
Um mich zu entlasten, schicke ich Ihnen das (...) Foto wieder zuruck.


--- OR ---


Fwd: Klassentreffen


ich hoffe jetzt mal das ich endlich die richtige person erwischt habe!
ich habe jedenfalls mal unser klassenfoto von damals mit angehangt.
wenn du dich dort wiedererkennst, dann schreibe unbedingt zuruck!!
wenn ich aber wieder mal die falsche person erwischt habe, dann sorry for die belastigung ;)
liebe gruBe

(or any of the following: Sandra, Nicole, Hannelore, Kerstin, Elke).


--- OR ---


Haben Sie diese Mail verschickt?


Um es vorweg zu sagen: Ich bin kurz davor eine Anzeige gegen Sie zu erstatten!
Sie spinnen ja wohl! Die Mail hat meine Tochter gelesen !!!!!!!!!!!!!!
Ich habe Ihnen "diese" Word-Text Datei zu meiner Entlastung zuruckgeschickt.
Es ware von Vorteil, wenn Sie sich dazu au-ern wurden!!


The worm does not use any exploits to start attachments automatically on remote systems. To get infected a user has to extract and run the worm's executable file.


The worm can download and run executable files from user accounts created on the following servers:

Sober.S worm terminates applications that have the following substrings in their names:


Then the worm shows a messagebox that looks like that: