This page covers the Sober variant that goes by the name Sober.o@mm. It affects Win32-based systems and, at its inception, it was a masterpiece. As the name indicates, it is a mass-mailing e-mail worm with its own SMTP engine, as all Sober variants traditionally have. It writes itself into the HKLM registry hive under the Run key, adding itself to that entry so it is launched at startup. From there it harvests e-mail addresses from the local machine (from Outlook or something similar of that sort), skipping any address matching one of the following strings:

  • -dav
  • .dial.
  • .kundenserver.
  • .ppp.
  • .qmail@
  • .sul.t-
  • @arin
  • @avp
  • @ca.
  • @example.
  • @foo.
  • @from.
  • @gmetref
  • @iana
  • @ikarus.
  • @kaspers
  • @messagelab
  • @nai.
  • @panda
  • @smtp.
  • @sophos
  • @www
  • abuse
  • announce
  • antivir
  • anyone
  • anywhere
  • bellcore.
  • bitdefender
  • clock
  • detection
  • domain.
  • emsisoft
  • ewido.
  • free-av
  • freeav
  • ftp.
  • gold-certs
  • google
  • host.
  • icrosoft.
  • ipt.aol
  • law2
  • linux
  • mailer-daemon
  • mozilla
  • mustermann@
  • nlpmail01.
  • noreply
  • nothing
  • ntp-
  • ntp.
  • ntp@
  • office
  • password
  • postmas
  • reciver@
  • secure
  • service
  • smtp-
  • somebody
  • someone
  • spybot
  • sql.
  • subscribe
  • support
  • t-dialin
  • t-ipconnect
  • test@
  • time
  • user@
  • variabel
  • verizon.
  • viren
  • virus
  • whatever@
  • whoever@
  • winrar
  • winzip
  • you@
  • yourname

After it had its list, it would craft an ingenious piece of social engineering (SE) to send to its victims. The messages were titled:

  • Re:Your email was blocked
  • Re:mailing error

and contained the message body:

This is an automatically generated E-Mail Delivery Status Notification. Mail-Header, Mail-Body and Error Description are attached

Attachment-Scanner: Status OK

AntiVirus: No Virus found

Server-AntiVirus: No Virus (Clean)

http://www.[random domain]
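The lure above is recognisable from its wording alone, and a mail filter can separate it from a real bounce because a genuine delivery status notification (RFC 3464) is a multipart/report message with report-type=delivery-status, whereas the worm's message is plain text that only claims to be one. The following is an added example written for this page, not the worm's code and not from the Symantec write-up; the two sample messages, sender and recipient addresses, domain and attachment name are all constructed placeholders.

```python
"""Flag the fake delivery-status lure that Sober.o@mm sent, given raw RFC 822 mail.

Added example for this page; it is not the worm's code and not from the
Symantec write-up. The two sample messages below are constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Lure subject lines and body phrases quoted on the page. Subjects are
# compared with whitespace removed, so "Re: Your email was blocked" matches too.
LURE_SUBJECTS = {"re:youremailwasblocked", "re:mailingerror"}
LURE_PHRASES = (
    "automatically generated e-mail delivery status notification",
    "attachment-scanner: status ok",
    "antivirus: no virus found",
    "server-antivirus: no virus (clean)",
)
LINK_RE = re.compile(r"https?://\s*www\.", re.IGNORECASE)


def _norm(text: str) -> str:
    """Lower-case and strip all whitespace for loose subject comparison."""
    return re.sub(r"\s+", "", text.lower())


def analyse(raw: bytes) -> dict:
    """Return the lure indicators found in one raw message plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = _norm(msg["subject"] or "")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""

    # A real bounce (RFC 3464) is multipart/report with report-type=delivery-status;
    # the Sober lure is ordinary text that merely claims to be a DSN.
    genuine_dsn = (
        msg.get_content_type() == "multipart/report"
        and msg.get_param("report-type") == "delivery-status"
    )
    hits = [p for p in LURE_PHRASES if p in body]
    attachments = [a.get_filename() or "" for a in msg.iter_attachments()]

    ind = {
        "subject_match": subject in LURE_SUBJECTS,
        "phrase_hits": len(hits),
        "has_link": bool(LINK_RE.search(body)),
        "has_attachment": bool(attachments),
        "genuine_dsn": genuine_dsn,
    }
    # Verdict: lure wording together with its carrier (attachment or link),
    # and never a structurally genuine DSN.
    ind["verdict"] = (
        not genuine_dsn
        and (ind["subject_match"] and ind["phrase_hits"] >= 1 or ind["phrase_hits"] >= 3)
        and (ind["has_attachment"] or ind["has_link"])
    )
    return ind


def build_lure() -> bytes:
    """Constructed sample reproducing the page's subject and body text.

    Sender, recipient, domain and attachment name are placeholders."""
    m = EmailMessage()
    m["From"] = "postmaster@mail.example.net"
    m["To"] = "user@example.org"
    m["Subject"] = "Re:Your email was blocked"
    m.set_content(
        "This is an automatically generated E-Mail Delivery Status Notification.\n"
        "Mail-Header, Mail-Body and Error Description are attached\n\n"
        "Attachment-Scanner: Status OK\n"
        "AntiVirus: No Virus found\n"
        "Server-AntiVirus: No Virus (Clean)\n\n"
        "http://www.random-domain.invalid\n"
    )
    # Inert placeholder bytes standing in for the worm's attachment.
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename="mail-error.zip")
    return m.as_bytes()


# Constructed sample of a structurally genuine bounce for comparison.
GENUINE_DSN = b"""\
From: MAILER-DAEMON@example.net
To: user@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

This is the mail system at host example.net. Your message could not be
delivered to one or more recipients. AntiVirus: No Virus found.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; example.net

Final-Recipient: rfc822; nobody@example.org
Action: failed
Status: 5.1.1

--b1--
"""


if __name__ == "__main__":
    for label, raw in (("lure", build_lure()), ("genuine DSN", GENUINE_DSN)):
        print(label, analyse(raw))
```

The structural check matters more than the phrase list: a real bounce quoting "AntiVirus: No Virus found" from a scanner banner still scores one phrase hit, but its multipart/report layout keeps it out of the verdict, while the worm's message has the wording, an attachment or link, and no delivery-status part. The same function can be fed messages from a mail spool or an MTA content filter hook.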

When it was last active, it had affected an estimated 400,000 computers worldwide, as the messages were sent in both German and English.

[1] The Symantec website has a full technical write-up of the finer points of the worm: https://www.symantec.com/security_response/writeup.jsp?docid=2005-050210-2339-99&tabid=2