Sober Worm (W32.Sober@mm) is a computer worm that was discovered on October 24, 2003. Although the Sober Worm was listed as “low” level or “risk level 2,” this computer worm still caused a number of problems with computer systems ranging from slow running systems to slow running software programs.
Sober Worm was also known as: W32/Sober@MM [McAfee], I-Worm.Sober [Kaspersky], W32/Sober-A [Sophos], WORM_SOBER.A [Trend], Sober [F, W32/Sober.A@mm [Frisk], W32/Sober.A [Norman], Win32/Sober.A [Eset], Win32.Sober.A [Computer Associ. It affected Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, and Windows XP. This mass-mailing worm used its own SMTP engine to spread itself. The subject of the email varied, and it was in either English or German.
The name of the email attachment varied as well, and it had a .bat, .com, .exe, .pif, or .scr file extension. The threat was written in the Microsoft Visual Basic programming language and was compressed with UPX. When W32.Sober@mm was first run, it displayed a fake error message, “File not complete!” After this, it created several copies of itself in the %System% directory using variable filenames such as:
After the Sober Worm infects a computer, it retrieves email addresses from local files and stores them in the Media.dll file. According to Symantec, it then uses its own SMTP engine to send itself to all the email addresses it finds. The subject in the email may be any of the following:
Neuer Virus im Umlauf!
Sie versenden Spam Mails (Virus?)
Ein Wurm ist auf Ihrem Computer!
Langsam reicht es mir
Sie haben mir einen Wurm geschickt!
Hi Schnuckel was machst du so ?
VORSICHT!!! Neuer Mail Wurm
Sorry, Ich habe Ihre Mail bekommen
Hi Olle, lange niks mehr gehört!
Viurs blockiert jeden PC (Vorsicht!)
Ich habe Ihre E-Mail bekommen !
Jetzt rate mal, wer ich bin !?
Neue Sobig Variante (Lesen!!)
Back At The Funny Farm
Ich Liebe Dich
New internet virus!
You send spam mails (Worm?)
A worm is on your computer!
Now, it’s enough
You have sent me a virus!
Hi darling, what are you doing now?
Be careful! New mail worm
Sorry, I’ve become your mail
Hey man, long not see you
Viurs blocked every PC (Take care!)
I’ve become your mail!
Advise who I am!
New Sobig-Worm variation (please read)
I love you (I’m not a virus!)
The email also included an attachment, which could have been any of the following:
To remove the Sober Worm, Symantec recommends either following the steps below or downloading the removal tool directly from the Symantec website or the official Windows website at www.microsoft.com.
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode or VGA mode.
4. Run a full system scan and delete all the files detected as W32.Sober@mm.
5. Delete the values that were added to the registry.
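
The subject lines and attachment extensions described above can also be checked at the mail gateway. The following Python function is an added example, not code from the original page or from Symantec; it flags a raw message whose decoded subject matches a listed Sober subject or whose attachment carries one of the listed extensions. The subject list is a subset of the page's list, and the names `inspect_message` and `constructed_sample` are assumptions made for illustration.

```python
import email
import email.message
import email.policy
import re
from pathlib import PurePosixPath

# Attachment extensions the page lists for the worm.
RISKY_EXT = {".bat", ".com", ".exe", ".pif", ".scr"}
# Subset of the subject lines listed on the page (extend with the rest).
SOBER_SUBJECTS = [
    "Neuer Virus im Umlauf!",
    "Hi Olle, lange niks mehr gehört!",
    "Viurs blockiert jeden PC (Vorsicht!)",
    "New internet virus!",
    "You send spam mails (Worm?)",
    "I love you (I'm not a virus!)",
]

def _norm(text):
    """Case-fold, unify apostrophes and collapse whitespace for comparison."""
    text = text.replace("\u2019", "'").casefold()
    return re.sub(r"\s+", " ", text).strip()

_KNOWN = {_norm(s) for s in SOBER_SUBJECTS}

def inspect_message(raw):
    """Return a list of findings for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    # policy.default decodes RFC 2047 encoded words, so umlauts compare correctly.
    subject = str(msg.get("Subject", ""))
    if _norm(subject) in _KNOWN:
        findings.append("subject:" + subject)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Only the final suffix counts, so "photo.jpg.scr" is still caught.
        ext = PurePosixPath(name.lower()).suffix
        if ext in RISKY_EXT:
            findings.append("attachment:" + name)
    return findings

def constructed_sample(subject, filename):
    """Build a constructed test message (not a real capture) as raw bytes."""
    m = email.message.EmailMessage()
    m["Subject"] = subject
    m.set_content("constructed test body")
    m.add_attachment(b"not a real program", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Matching on the decoded, normalized subject matters because the German subjects containing umlauts travel as encoded words on the wire, which a plain substring search over the raw message would miss.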