The Sober Worm

The Sober worm is a highly damaging mass-mailing email worm (a self-replicating computer program). It spreads by emailing itself to all addresses in a user’s email address book, using its own on-board SMTP (Simple Mail Transfer Protocol) engine.

The Sober worm was first discovered on October 24, 2003, and new strains resurfaced during 2004 and 2005. The last big outbreak happened on November 21st, 2005, when the Sober X worm was disguised as an email from various United States government agencies, including the FBI.


Once the attachment is opened, the worm disables all anti-virus systems and acts as spyware (stealing and transmitting personal information). It also creates entries and copies itself in the system directory. Upon opening the attachment, the worm may display a message box that reads “No viruses, trojans, or spyware found! Status: Ok.” Once installed and run, the worm may also show a fake error message that reads “Error in packed header.” Both of these tricks are used to persuade users that no problem exists with the attachment. In reality, the Sober worm consumes network bandwidth, displays fake error messages when programs are opened, terminates antivirus programs and other security systems, and creates false registry entries in the computer.

The Sober worm sends itself with different subject lines in either English or German (examples include, but are not limited to, “New internet virus!,” “You have sent me a virus!,” “Re: Contact,” and “Sorry, I’ve become your mail, and I’ve become your mail!”).

The attachment names may be any of the following, or something else: anti_virusdoc.pif, Anti-Sob.bat, AntiTrojan.exe, anti-trojan.exe, AntiVirusDoc.pif, Bild.scr, Check-Patch.bat, check-patch.bat, CM-Recover.com, Funny.scr, Hengst.pif, Liebe.com, little-scr.scr, love.com, Mausi.scr, nacked.com, NackiDei.com, NAV.pif, Odin_Worm.exe, perversion.scr, Perversionen.scr, pic.scr, playme.exe, potency.pif, Privat.exe, Removal-Tool.exe, removal-tool.exe, robot_mail.scr, robot_mailer.pif, RobotMailer.com, schnitzel.exe, screen_doc.scr, Screen_Doku.scr, or security.pif.
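Because the attachment may also be named "something else", a mail filter cannot rely on the name list alone. The following is an added example, not part of the original article: a Python check that flags the listed names and subjects and falls back to the executable extensions those names share. The function names, finding labels, and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment names from the list above, lower-cased (matching is case-insensitive).
SOBER_NAMES = set("""
anti_virusdoc.pif anti-sob.bat antitrojan.exe anti-trojan.exe antivirusdoc.pif
bild.scr check-patch.bat cm-recover.com funny.scr hengst.pif liebe.com
little-scr.scr love.com mausi.scr nacked.com nackidei.com nav.pif odin_worm.exe
perversion.scr perversionen.scr pic.scr playme.exe potency.pif privat.exe
removal-tool.exe robot_mail.scr robot_mailer.pif robotmailer.com schnitzel.exe
screen_doc.scr screen_doku.scr security.pif
""".split())
# Three of the subject lines quoted above.
SOBER_SUBJECTS = {"new internet virus!", "you have sent me a virus!", "re: contact"}
# Executable extensions used by every name in the list.
RISKY_EXT = (".pif", ".scr", ".bat", ".com", ".exe")


def scan(raw: bytes) -> list:
    """Return findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in SOBER_SUBJECTS:
        findings.append("subject:" + subject)
    for part in msg.iter_attachments():
        # Windows ignores trailing dots and spaces, so strip them before matching.
        name = (part.get_filename() or "").lower().rstrip(". ")
        if name in SOBER_NAMES:
            findings.append("known-name:" + name)
        elif name.endswith(RISKY_EXT):  # catches renamed or double-extension files
            findings.append("risky-ext:" + name)
    return findings


def sample_message(subject: str, filename: str) -> bytes:
    """Build a constructed test message with one small attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("constructed body")
    m.add_attachment(b"MZ", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, name in [("Re: Contact", "Screen_Doku.scr"),
                       ("Invoice", "holiday.jpg.pif"), ("Lunch", "notes.txt")]:
        print(subj, name, scan(sample_message(subj, name)))
```
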


A new form of the Sober worm was set to attack the Internet on January 6th, 2006, but fortunately the hype created by security software companies prevented major problems.
