What is a Sober Worm?

Sober Worm (W32.Sober@mm) is a computer worm that was discovered on October 24, 2003. Although the Sober Worm was rated “low,” or “risk level 2,” it still caused a number of problems on infected computers, ranging from slow-running systems to slow-running software programs.

Sober Worm was also known as: W32/Sober@MM [McAfee], I-Worm.Sober [Kaspersky], W32/Sober-A [Sophos], WORM_SOBER.A [Trend], Sober [F, W32/Sober.A@mm [Frisk], W32/Sober.A [Norman], Win32/Sober.A [Eset], Win32.Sober.A [Computer Associ. It affected Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, and Windows XP. This mass-mailing worm used its own SMTP engine to spread itself. The subject of the email varied, and it was in either English or German.

The name of the email attachment varied as well, and it had a .bat, .com, .exe, .pif, or .scr file extension. The threat was written in the Microsoft Visual Basic programming language and was compressed with UPX. When W32.Sober@mm was first run, it displayed a fake error message, “File not complete!” After this, it created several copies of itself in the %System% directory using variable filenames such as:

antiv.exe
driver.exe
driverini.exe
drv.exe
expoler.exe
filexe.exe
hlp16.exe
lssas.exe
qname.exe
spoole.exe
swchost.exe
syshost.exe
systemchk.exe
systemini.exe
winchk.exe
winlog32.exe
winreg.exe

After the Sober Worm infects a computer, it retrieves email addresses from local files and stores them in the Media.dll file. According to Symantec, it then uses its own SMTP engine to send itself to all the email addresses it finds. The subject in the email may be any of the following:

Neuer Virus im Umlauf!
Sie versenden Spam Mails (Virus?)
Ein Wurm ist auf Ihrem Computer!
Langsam reicht es mir
Sie haben mir einen Wurm geschickt!
Hi Schnuckel was machst du so ?
VORSICHT!!! Neuer Mail Wurm
Re: Kontakt
RE: Sex
Sorry, Ich habe Ihre Mail bekommen
Hi Olle, lange niks mehr gehört!
Re: lol
Viurs blockiert jeden PC (Vorsicht!)
Überraschung
Ich habe Ihre E-Mail bekommen !
Jetzt rate mal, wer ich bin !?
Neue Sobig Variante (Lesen!!)
Back At The Funny Farm
Ich Liebe Dich
New internet virus!
You send spam mails (Worm?)
A worm is on your computer!
Now, it’s enough
You have sent me a virus!
Hi darling, what are you doing now?
Be careful! New mail worm
Re: Contact
RE: Sex
Sorry, I’ve become your mail
Hey man, long not see you
Viurs blocked every PC (Take care!)
Surprise
I’ve become your mail!
Advise who I am!
New Sobig-Worm variation (please read)
I love you (I’m not a virus!)

The email also included an attachment. Its name could be any of the following:

AntiVirusDoc.pif
Check-Patch.bat
Screen_Doku.scr
Removal-Tool.exe
Perversionen.scr
Bild.scr
robot_mail.scr
RobotMailer.com
Privat.exe
AntiTrojan.exe
Mausi.scr
NackiDei.com
Anti-Sob.bat
security.pif
Funny.scr
Liebe.com
Odin_Worm.exe
anti_virusdoc.pif
check-patch.bat
removal-tool.exe
screen_doc.scr
potency.pif
perversion.scr
pic.scr
CM-Recover.com
playme.exe
robot_mailer.pif
little-scr.scr
love.com
nacked.com
Hengst.pif
schnitzel.exe
anti-trojan.exe
NAV.pif
private.exe
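
Because the subject and the attachment name varied while the extension was always one of five executable types, the extension is the more dependable indicator to filter on at a mail gateway. The following Python code is an added example, not code from Symantec or the original article; the function names, the block/review/pass verdicts and the sample messages are assumptions constructed for illustration.

```python
# Added example (not from the original article): triage a raw e-mail for the
# Sober indicators listed on this page. All sample messages are constructed.
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the article says the attachment used.
SOBER_EXTENSIONS = {".bat", ".com", ".exe", ".pif", ".scr"}
# A few subjects copied from the article's list (lower-cased for matching).
SOBER_SUBJECTS = {
    "neuer virus im umlauf!",
    "ein wurm ist auf ihrem computer!",
    "new internet virus!",
    "a worm is on your computer!",
    "you have sent me a virus!",
}

def triage(raw: bytes) -> dict:
    """Return which Sober indicators a raw RFC 5322 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    risky = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Only the final extension matters, so "notes.txt.pif" is a .pif.
        # Windows ignores trailing dots and spaces in a file name.
        clean = name.strip().rstrip(". ").lower()
        ext = "." + clean.rsplit(".", 1)[-1] if "." in clean else ""
        if ext in SOBER_EXTENSIONS:
            risky.append(name)
    subject_hit = subject in SOBER_SUBJECTS
    verdict = "block" if risky else ("review" if subject_hit else "pass")
    return {"verdict": verdict, "subject_hit": subject_hit, "attachments": risky}

def build_sample(subject: str, filename: str) -> bytes:
    """Construct a test message with one attachment (harmless bytes)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    m.set_content("constructed sample body")
    m.add_attachment(b"not a real executable", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample("Ein Wurm ist auf Ihrem Computer!", "Removal-Tool.exe")))
    print(triage(build_sample("Quarterly numbers", "notes.txt.PIF")))
    print(triage(build_sample("New internet virus!", "advisory.pdf")))
```

A message is blocked on the attachment extension alone; a subject match without a risky attachment is only sent for review, since the subject list is easy for a variant to change.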

To remove the Sober Worm, Symantec recommends following the steps below. Alternatively, download the removal tool directly from the Symantec website or the official Windows website at www.microsoft.com.

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode or VGA mode.
4. Run a full system scan and delete all the files detected as W32.Sober@mm.
5. Delete the values that were added to the registry.
