The Sober Worm

Share the knowledge

The Sober worm is a highly-damaging mass-mailing email worm (self-replicating computer program) that spreads by emailing itself to all addresses in a user’s email address book, for which the Sober worm uses its own on-board SMTP (Simple Mail Transfer Protocol) engine.

The Sober worm was first discovered on October 24, 2003, with new strands of the Sober worm resurfacing during 2004 and 2005. The last big outbreak happened on November 21st, 2005, with the Sober X worm disguised as an email from various United States government agencies, including the FBI.

Once the attachment is opened, the worm disables all anti-virus systems and acts as spyware (stealing and transmitting personal information). It also creates entries and copies itself in the system directory. Upon opening the attachment, the worm may display a message box that reads “No viruses, trojans, or spyware found! Status: Ok.” Once installed and run, the worm may also show a fake error message that reads “Error in packed header.” Both of these tricks are used to persuade users that no problem exists with the attachment. But in reality, the Sober worm consumes network bandwith, displays fake error messages when programs are opened, terminates antiviruses and other security systems, and creates false registry entries in the computer.

The Sober worm sends itself with different subject names in either English or German (examples include, but are not limited to,”New internet virus!,” “You have sent me a virus!,” “Re: Contact,” and “Sorry, I’ve become your mail, and I’ve become your mail!”).

The attachment names may be any of the following, or something else: anti_virusdoc.pif, Anti-Sob.bat, AntiTrojan.exe, anti-trojan.exe, AntiVirusDoc.pif, Bild.scr, Check-Patch.bat, check-patch.bat,, Funny.scr, Hengst.pif,, little-scr.scr,, Mausi.scr,,, NAV.pif, Odin_Worm.exe, perversion.scr, Perversionen.scr, pic.scr, playme.exe, potency.pif, Privat.exe, Removal-Tool.exe, removal-tool.exe , robot_mail.scr, robot_mailer.pif,, schnitzel.exe, screen_doc.scr, Screen_Doku.scr, or security.pif.

A new form of the Sober worm was set to attack the Internet on January 6th, 2006, but fortunately the hype created by security software companies prevented major problems.

Recommended Reading (click on the picture for details):
PC Pest Control


All About Worms is always free, always reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP Publishing.

CashApp us Square Cash app link

Venmo us Venmo link

Paypal us Paypal link

Note: Some links on this site are partner links. That means that we earn a tiny bit if you purchase something through them, at no extra charge to you. This helps offset the cost of keeping this resource free for everybody (it doesn't cover our costs, but every little bit helps! :~) )

Share the knowledge

Author: The Top Worm

Leave a Reply

Your email address will not be published. Required fields are marked *