The Sober Worm

The Sober worm is a highly damaging mass-mailing email worm (a self-replicating computer program). It spreads by emailing itself to all addresses in a user’s email address book, using its own on-board SMTP (Simple Mail Transfer Protocol) engine rather than the user's mail client.

The Sober worm was first discovered on October 24, 2003, with new strains resurfacing during 2004 and 2005. The last big outbreak happened on November 21st, 2005, when the Sober X worm was disguised as an email from various United States government agencies, including the FBI.

Once the attachment is opened, the worm disables all anti-virus systems and acts as spyware (stealing and transmitting personal information). It also creates entries and copies itself in the system directory. Upon opening the attachment, the worm may display a message box that reads “No viruses, trojans, or spyware found! Status: Ok.” Once installed and run, the worm may also show a fake error message that reads “Error in packed header.” Both of these tricks are used to persuade users that no problem exists with the attachment. In reality, the Sober worm consumes network bandwidth, displays fake error messages when programs are opened, terminates antivirus programs and other security systems, and creates false registry entries in the computer.

The Sober worm sends itself with different subject names in either English or German (examples include, but are not limited to, “New internet virus!,” “You have sent me a virus!,” “Re: Contact,” and “Sorry, I’ve become your mail, and I’ve become your mail!”).

The attachment names may be any of the following, or something else: anti_virusdoc.pif, Anti-Sob.bat, AntiTrojan.exe, anti-trojan.exe, AntiVirusDoc.pif, Bild.scr, Check-Patch.bat, check-patch.bat, Funny.scr, Hengst.pif, little-scr.scr, Mausi.scr, NAV.pif, Odin_Worm.exe, perversion.scr, Perversionen.scr, pic.scr, playme.exe, potency.pif, Privat.exe, Removal-Tool.exe, removal-tool.exe, robot_mail.scr, robot_mailer.pif, schnitzel.exe, screen_doc.scr, Screen_Doku.scr, or security.pif.
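Because the list above is open-ended ("or something else"), a mail filter is better keyed on the executable extensions those names share than on the names alone. The following is an added example, not part of the original article: the function names, the sample message and the file name `holiday.jpg.scr` are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions carried by the attachment names listed above; each runs code on Windows.
RISKY_EXTENSIONS = {".pif", ".scr", ".bat", ".exe"}

# Subset of the names listed above, lowercased for case-insensitive matching.
KNOWN_SOBER_NAMES = {
    "anti_virusdoc.pif", "antivirusdoc.pif", "anti-sob.bat", "antitrojan.exe",
    "bild.scr", "check-patch.bat", "nav.pif", "removal-tool.exe",
    "screen_doc.scr", "security.pif",
}


def classify_attachments(raw_message: bytes) -> list:
    """Return (filename, verdict) per attachment: known-name, risky-extension or ok."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Drop any path component, then trailing dots/spaces, then fold case.
        base = name.replace("\\", "/").rsplit("/", 1)[-1]
        base = base.strip().rstrip(". ").lower()
        # Only the final extension decides how Windows opens the file.
        ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
        if base in KNOWN_SOBER_NAMES:
            verdict = "known-name"
        elif ext in RISKY_EXTENSIONS:
            verdict = "risky-extension"
        else:
            verdict = "ok"
        results.append((name, verdict))
    return results


def build_sample() -> bytes:
    """Constructed test message; attachment payloads are harmless placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "Re: Contact"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("See attachment.")
    for fname in ("AntiVirusDoc.pif", "holiday.jpg.scr", "notes.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()
```

The extension check catches the double-extension name even though it is not on the list, which is the case a name-only blocklist misses.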

A new form of the Sober worm was set to attack the Internet on January 6th, 2006, but fortunately the hype created by security software companies prevented major problems.

