Sober
Type: Mass mailer worm
Creator:
Date Discovered: 2003.10.24
Place of Origin: Germany?
Source Language: Basic
Platform: MS Windows
File Type(s): .bat, .com, .exe, .pif, .scr
Reported Costs:

Sober is an email worm with many variants. The original Sober worm and most of its variants appear to do little other than spread, with no malicious payload.

Behavior

Sober arrives in an email that could have more than 35 different subject lines, which can be in English or German. It may also have many different message bodies and attachment file names. The subjects and bodies can be on a wide variety of topics such as sex, love, and even computer virus warnings.

When Sober is run, it displays a fake error message and copies itself as Similare.exe to the system folder. It creates several other copies of itself in the same directory with variable file names, which include:

  • antiv.exe
  • driver.exe
  • driverini.exe
  • drv.exe
  • expoler.exe
  • filexe.exe
  • hlp16.exe
  • lssas.exe
  • qname.exe
  • spoole.exe
  • swchost.exe
  • syshost.exe
  • systemchk.exe
  • systemini.exe
  • winchk.exe
  • winlog32.exe
  • winreg.exe

It then adds a value to the current user and local machine registry keys, which causes one of those files to run when Windows starts.

It then creates the file Media.dll, in the \Macromed\Help\ folder, a subdirectory of the system folder, where it stores email addresses that it retrieves from local files. It then mails itself using its own SMTP engine to all of the found email addresses.
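A file-system check for the indicators described above, as an added example (not code from this page or from any vendor tool). The function names are hypothetical, and the code assumes Media.dll holds the harvested addresses as plain text, which this page does not state.

```python
import os
import re
import sys

# File names taken from this page; compared case-insensitively, as Windows does.
SOBER_NAMES = {
    "similare.exe", "antiv.exe", "driver.exe", "driverini.exe", "drv.exe",
    "expoler.exe", "filexe.exe", "hlp16.exe", "lssas.exe", "qname.exe",
    "spoole.exe", "swchost.exe", "syshost.exe", "systemchk.exe",
    "systemini.exe", "winchk.exe", "winlog32.exe", "winreg.exe",
}
# Assumption: addresses are stored as plain ASCII text inside Media.dll.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _find_ci(parent, name):
    """Case-insensitive child lookup, so a disk image mounted on Linux works."""
    if not parent or not os.path.isdir(parent):
        return None
    for entry in os.listdir(parent):
        if entry.lower() == name.lower():
            return os.path.join(parent, entry)
    return None


def scan_system_folder(system_dir):
    """Return Sober file-system indicators found under system_dir.

    A name match is a lead for triage, not a verdict on the file.
    """
    findings = {"dropped_copies": [], "address_store": None, "harvested": []}
    for entry in sorted(os.listdir(system_dir)):
        full = os.path.join(system_dir, entry)
        if entry.lower() in SOBER_NAMES and os.path.isfile(full):
            findings["dropped_copies"].append(entry)
    # Address store described on this page: <system>\Macromed\Help\Media.dll
    path = system_dir
    for part in ("Macromed", "Help", "Media.dll"):
        path = _find_ci(path, part)
    if path and os.path.isfile(path):
        findings["address_store"] = path
        with open(path, "rb") as fh:
            hits = EMAIL_RE.findall(fh.read())
        # De-duplicate so responders get one entry per exposed address.
        findings["harvested"] = sorted({h.decode("ascii").lower() for h in hits})
    return findings


if __name__ == "__main__" and len(sys.argv) > 1:
    print(scan_system_folder(sys.argv[1]))
```

The harvested list shows which contacts the worm would have mailed from that machine, which helps when deciding whom to notify.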

Variants

Sober.X, Y or Z (virus/worm experts do not always agree on variant numbers and letters, especially when there are enough variants to go that far into the alphabet) instructs computers to download unknown files from 14 different websites on 2006.01.05. The worm generates some of its email messages in German, and that date coincides with the founding of the Nazi party in 1919 as well as the start of a major political convention in Germany, so it has been speculated that Sober (or at least this variant) was created for political reasons.

Sources

Yana Liu. Symantec.com, "W32.Sober@mm"

Keith Regan. Tech News World, "Security Firms Warn of Looming Sober Worm Threat" 2005.12.09
