Sober Worm was also known as: W32/Sober@MM [McAfee], I-Worm.Sober [Kaspersky], W32/Sober-A [Sophos], WORM_SOBER.A [Trend]. Sober [F, W32/Sober.A@mm [Frisk], W32/Sober.A [Norman], Win32/Sober.A [Eset], Win32.Sober.A [Computer Associ. It affected Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, and Windows XP. This mass-mailing worm used its own SMTP engine to spread itself. The subject of the email varied, and it was in either English or German.

The name of the email attachment varied as well, and it had a .bat, .com, .exe, .pif, or .scr file extension. The threat was written in the Microsoft Visual Basic programming language and it was compressed with UPX. When W32.Sober@mm is first run, it displayed a fake error message “File not complete!” After this, it created several copies of itself to the %System% directory using variable filenames such as:

antiv.exe
driver.exe
driverini.exe
drv.exe
expoler.exe
filexe.exe
hlp16.exe
lssas.exe
qname.exe
spoole.exe
swchost.exe
syshost.exe
systemchk.exe
systemini.exe
winchk.exe
winlog32.exe
winreg.exe

After the Sober Worm infects a computer, it retrieves email addresses from local files and stores them in the Media.dll.file. According to Symantec, it then uses its own SMTP engine to send itself to all the email addresses it finds. The subject in the email may be any of the following:

The email subject is one of the following:

Neuer Virus im Umlauf!
Sie versenden Spam Mails (Virus?)
Ein Wurm ist auf Ihrem Computer!
Langsam reicht es mir
Sie haben mir einen Wurm geschickt!
Hi Schnuckel was machst du so ?
VORSICHT!!! Neuer Mail Wurm
Re: Kontakt
RE: Sex
Sorry, Ich habe Ihre Mail bekommen
Hi Olle, lange niks mehr gehört!
Re: lol
Viurs blockiert jeden PC (Vorsicht!)
Überraschung
Ich habe Ihre E-Mail bekommen !
Jetzt rate mal, wer ich bin !?
Neue Sobig Variante (Lesen!!)
Back At The Funny Farm
Ich Liebe Dich
New internet virus!
You send spam mails (Worm?)
A worm is on your computer!
Now, it’s enough
You have sent me a virus!
Hi darling, what are you doing now?
Be careful! New mail worm
Re: Contact
RE: Sex
Sorry, I’ve become your mail
Hey man, long not see you
Viurs blocked every PC (Take care!)
Surprise
I’ve become your mail!
Advise who I am!
New Sobig-Worm variation (please read)
I love you (I’m not a virus!)

The email also included an attachment. It could/could have been any of the following:

AntiVirusDoc.pif
Check-Patch.bat
Screen_Doku.scr
Removal-Tool.exe
Perversionen.scr
Bild.scr
robot_mail.scr
RobotMailer.com
Privat.exe
AntiTrojan.exe
Mausi.scr
NackiDei.com
Anti-Sob.bat
security.pif
Funny.scr
Liebe.com
Odin_Worm.exe
anti_virusdoc.pif
check-patch.bat
removal-tool.exe
screen_doc.scr
potency.pif
perversion.scr
pic.scr
CM-Recover.com
playme.exe
robot_mailer.pif
little-scr.scr
love.com
nacked.com
Hengst.pif
schnitzel.exe
anti-trojan.exe
NAV.pif
private.exe

To get rid of Sober Worm, Symantec recommends using the following steps or you should download the removal tool directly from the Symantec website or the official Windows website at www.microsoft.com.

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode or VGA mode.
4. Run a full system scan and delete all the files detected as W32.Sober@mm.
5. Delete the values that were added to the registry.

The Sober worm was first discovered on October 24, 2003, with new strands of the Sober worm resurfacing during 2004 and 2005. The last big outbreak happened on November 21st, 2005, with the Sober X worm disguised as an email from various United States government agencies, including the FBI.

Once the attachment is opened, the worm disables all anti-virus systems and acts as spyware (stealing and transmitting personal information). It also creates entries and copies itself in the system directory. Upon opening the attachment, the worm may display a message box that reads “No viruses, trojans, or spyware found! Status: Ok.” Once installed and run, the worm may also show a fake error message that reads “Error in packed header.” Both of these tricks are used to persuade users that no problem exists with the attachment. But in reality, the Sober worm consumes network bandwith, displays fake error messages when programs are opened, terminates antiviruses and other security systems, and creates false registry entries in the computer.

The Sober worm sends itself with different subject names in either English or German (examples include, but are not limited to,”New internet virus!,” “You have sent me a virus!,” “Re: Contact,” and “Sorry, I’ve become your mail, and I’ve become your mail!”).

The attachment names may be any of the following, or something else: anti_virusdoc.pif, Anti-Sob.bat, AntiTrojan.exe, anti-trojan.exe, AntiVirusDoc.pif, Bild.scr, Check-Patch.bat, check-patch.bat, CM-Recover.com, Funny.scr, Hengst.pif, Liebe.com, little-scr.scr, love.com, Mausi.scr, nacked.com, NackiDei.com, NAV.pif, Odin_Worm.exe, perversion.scr, Perversionen.scr, pic.scr, playme.exe, potency.pif, Privat.exe, Removal-Tool.exe, removal-tool.exe , robot_mail.scr, robot_mailer.pif, RobotMailer.com, schnitzel.exe, screen_doc.scr, Screen_Doku.scr, or security.pif.

A new form of the Sober worm was set to attack the Internet on January 6th, 2006, but fortunately the hype created by security software companies prevented major problems.

Recommended Reading (click on the picture for details):