Email-Worm:W32/Sober disguises itself as a security warning about a possible new worm, together with a fix supposedly coming from an Anti-Virus company. The worm uses attachment names such as anti_virusdoc.pif, check-patch.bat and playme.exe.
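As an added defender-side example (not code from the F-Secure description), the following Python mail-gateway check classifies attachments by the Sober names listed above and, more generally, by directly executable extensions. The sample messages, the sender address and the extensions beyond .pif/.bat/.exe are constructed assumptions.

```python
from email import policy
from email.parser import BytesParser

# Attachment names the Sober description lists for its lure e-mails.
SOBER_ATTACHMENT_NAMES = {"anti_virusdoc.pif", "check-patch.bat", "playme.exe"}
# Directly executable extensions (assumed list): flagged even when the name is not known.
EXECUTABLE_EXTS = (".pif", ".bat", ".exe", ".scr", ".com")

def build_message(attachments):
    """Assemble a constructed multipart/mixed message (sample data, not a real capture)."""
    boundary = "=_constructed_boundary"
    lines = [
        "From: sender@example.invalid",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/mixed; boundary="{boundary}"',
        "",
        f"--{boundary}",
        "Content-Type: text/plain; charset=us-ascii",
        "",
        "Body text of the constructed sample.",
    ]
    for name in attachments:
        lines += [f"--{boundary}", "Content-Type: application/octet-stream",
                  f'Content-Disposition: attachment; filename="{name}"', "", "placeholder"]
    lines.append(f"--{boundary}--")
    return "\r\n".join(lines).encode("ascii")

def classify_attachments(raw_message):
    """Return (filename, verdict) for every attachment of a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""          # missing filename -> empty string
        lowered = name.lower()                    # PLAYME.EXE and playme.exe match alike
        if lowered in SOBER_ATTACHMENT_NAMES:
            verdicts.append((name, "known-sober-name"))
        elif lowered.endswith(EXECUTABLE_EXTS):   # also catches double extensions such as notes.txt.pif
            verdicts.append((name, "executable-attachment"))
        else:
            verdicts.append((name, "clean"))
    return verdicts

def should_quarantine(raw_message):
    """Gateway decision: hold the message if any attachment is not clean."""
    return any(verdict != "clean" for _, verdict in classify_attachments(raw_message))

# Constructed samples: a Sober-style lure and a benign message.
LURE_MESSAGE = build_message(["check-patch.bat", "readme.txt"])
CLEAN_MESSAGE = build_message(["readme.txt"])
```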
Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
The worm is packed with a modified version of UPX and is written in Visual Basic. It has its own SMTP engine, which it uses to send e-mail messages.
It modifies the Windows registry under:
to point to where the executable copies of the worm are dropped.
Some of the possible locations are:
Sober spoofs different mail clients, using the following headers:
It will send e-mails with the following subjects:
Attachment names are picked from the list:
Sober is an email worm, sending messages in English and German, sometimes posing as a fix from an Anti-Virus company.