The worm is written in Visual Basic. The worm's file is a PE executable 30720 bytes long packed with a modified version of UPX file compressor. The worm has its own SMTP engine that it uses to send out infected email messages.
The worm changes one byte at offset 0xA0 in its file upon installation to the system, but the file it sends out is unchanged.
Some of the worm's text strings are encrypted and they are decrypted only before being used.
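Because the installed copy and the mailed copy differ by exactly one byte, a plain file hash of one will not match the other. The following is an added example (not the original analysis or any vendor tooling) showing how to confirm two captured images are the same sample apart from that patched byte, and how to hash them with offset 0xA0 masked so both copies yield one digest. The byte strings are constructed stand-ins of the stated 30720-byte length, not real worm bytes.

```python
import hashlib

# Offset of the single byte the writeup says the worm patches when it installs
# itself; the copy it mails out keeps the original byte.
PATCHED_OFFSET = 0xA0


def diff_offsets(a: bytes, b: bytes) -> list:
    """Return every offset at which two equal-length byte strings differ."""
    if len(a) != len(b):
        raise ValueError("images differ in length; not the same file")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def plain_sha256(data: bytes) -> str:
    """Ordinary SHA-256 of the whole image."""
    return hashlib.sha256(data).hexdigest()


def masked_sha256(data: bytes, mask_offsets=(PATCHED_OFFSET,)) -> str:
    """SHA-256 with the listed offsets zeroed first, so the installed copy and
    the mailed copy produce the same digest."""
    buf = bytearray(data)
    for off in mask_offsets:
        if off < len(buf):
            buf[off] = 0
    return hashlib.sha256(bytes(buf)).hexdigest()


def same_sample(a: bytes, b: bytes) -> bool:
    """True if a and b are byte-identical or differ only at the patched offset."""
    try:
        return diff_offsets(a, b) in ([], [PATCHED_OFFSET])
    except ValueError:
        return False


# Constructed stand-ins for the two copies (not real worm bytes): a 30720-byte
# image and the same image with one bit flipped at offset 0xA0.
MAILED_COPY = bytes(range(256)) * 120
_installed = bytearray(MAILED_COPY)
_installed[PATCHED_OFFSET] ^= 0x01
INSTALLED_COPY = bytes(_installed)

if __name__ == "__main__":
    print("differing offsets:", [hex(o) for o in diff_offsets(MAILED_COPY, INSTALLED_COPY)])
    print("plain digests match:", plain_sha256(MAILED_COPY) == plain_sha256(INSTALLED_COPY))
    print("masked digests match:", masked_sha256(MAILED_COPY) == masked_sha256(INSTALLED_COPY))
```

The practical point is that a single-hash indicator derived from a mailed attachment will miss the copy sitting in the Windows System folder; either record both digests or match on the masked digest.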
Installation to system
When the worm's file is started on a clean system, it opens Paintbrush or Microsoft Paint application as a disguise.
Then the worm installs itself to system. It copies itself to Windows System folder once, with a semi-randomly generated name and creates 2 startup keys for this file in System Registry. The worm uses the following fixed text strings to generate the name of its file and the name of the startup key:
The worm creates a file named WINRUN32.DLL, where it stores all email addresses harvested from an infected computer. The worm also creates 2 empty files in the same folder:
Additionally the worm creates 2 mime-encoded copies of its executable file and a ZIP archive in Windows System folder with the following names:
The worm creates 2 startup Registry keys for its semi-randomly named file in System Registry:
The subkey name that is created by the worm is semi-randomly generated too. The value of a subkey is the path to the worm's file in Windows System folder.
Spreading in emails
The worm scans files with certain extensions on all hard disks to harvest email addresses. Files with the following extensions are scanned:
The worm saves all found email addresses to WINRUN32.DLL file located in Windows System folder. This is an ASCII file, not a binary file.
Sober.E worm spreads itself in emails as an executable attachment or inside a ZIP archive. The worm uses the following strings as the subject line:
Ok ok OK!
The message body can contain the following strings:
The attachment name can consist of the following strings and a randomly generated number:
The attachment has either PIF or ZIP extension. The worm's executable file name inside the archives that we've received so far is:
To send emails the worm uses the following mail servers:
The worm fakes the sender's email address. The fake address is composed by the worm from the following strings:
The following domain names are selected for the fake sender's address:
The worm avoids sending infected messages to email addresses that contain any of the following:
Sober.E worm constantly checks the hard drive for the presence of the file named ZHCARXXI.VVX. If this file is found, the worm unloads itself from memory. Also, if this file is present on the hard disk during the worm's installation process, the worm does not copy itself to the hard drive.
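For incident responders, the two named files above and in the email-harvesting section are the useful host-side artifacts: WINRUN32.DLL in the Windows System folder holds the addresses the worm may already have mailed from this host, and ZHCARXXI.VVX tells you whether the worm would have installed at all. The following is an added triage example (not part of the original writeup and not vendor tooling) that reports which of the two files exist in a given folder and extracts the unique addresses from the harvest file. It assumes only what the text says about the file, that it is ASCII; since the exact layout is not described, addresses are pulled out with a regular expression rather than a line-based format. The sample System folder it builds is constructed for the demo.

```python
import os
import re
import tempfile

# Artifact names given in the writeup; their presence under the Windows
# System folder is the triage signal.
HARVEST_FILE = "WINRUN32.DLL"      # ASCII list of harvested email addresses
KILL_SWITCH_FILE = "ZHCARXXI.VVX"  # if present, the worm unloads or never installs

# Assumption: addresses appear as plain text somewhere in the harvest file;
# the writeup does not describe its layout, so scan with a regex.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_artifacts(system_dir: str) -> dict:
    """Report which of the named artifact files exist in system_dir."""
    return {name: os.path.isfile(os.path.join(system_dir, name))
            for name in (HARVEST_FILE, KILL_SWITCH_FILE)}


def load_harvested_addresses(path: str) -> list:
    """Return the unique addresses stored in the harvest file, lower-cased and
    sorted, so responders can see who may have been mailed from this host."""
    with open(path, "rb") as fh:
        text = fh.read().decode("ascii", errors="replace")
    return sorted({m.lower() for m in ADDR_RE.findall(text)})


def run_demo() -> tuple:
    """Build a constructed sample System folder and run both checks on it."""
    system_dir = tempfile.mkdtemp(prefix="sober_triage_")
    # Constructed harvest-file content: a duplicate, mixed case and a stray
    # non-address line, to show the de-duplication and filtering.
    sample = (b"alice@example.com\r\nBob@Example.org\r\n"
              b"alice@example.com\r\nnot-an-address\r\n"
              b"carol@test.example\r\n")
    with open(os.path.join(system_dir, HARVEST_FILE), "wb") as fh:
        fh.write(sample)
    artifacts = find_artifacts(system_dir)
    addresses = load_harvested_addresses(os.path.join(system_dir, HARVEST_FILE))
    return artifacts, addresses


if __name__ == "__main__":
    found, addrs = run_demo()
    for name, present in found.items():
        print(f"{name}: {'present' if present else 'absent'}")
    print(f"{len(addrs)} unique harvested addresses:", addrs)
```

On a real host you would point find_artifacts at the Windows System folder (for example via the SystemRoot environment variable) rather than at the demo directory; the address list is the scoping input for notifying recipients and for checking outbound mail logs.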
The worm can download and run an executable file from the following websites:
The name of the downloaded file is:
The worm tries to contact several NTP servers that are hardcoded in its body: