This will cover the Sober variant that goes by the name Sober.o@mm. It affects Win32 based systems, at its inception, it was a master piece. By the name it was a mass mailing email worm with its own SMTP engine, as all sober variants traditionally have. It would write into the HKLM registry hive, under the RUN key adding itself to that entry. From there it would harvest emails off of the local machine, if they were using Outlook or something similar of the sort skipping emails with these endings:
After it had its list, it would craft an ingenious portion of SE, to send to its victims.
- Re:Your email was blocked
- Re:mailing error
containing the message body of:
This is an automatically generated E-Mail Delivery Status Notification. Mail-Header, Mail-Body and Error Description are attached
Attachment-Scanner: Status OK
AntiVirus: No Virus found
Server-AntiVirus: No Virus (Clean)
http:/ / www.[random domain]
When this was last active, it had affected an estimated 400,000 computers world wide, as the messages were in both german and english.
 Attached is the link to the symmantic website with a full tech work up of the finner points of the worm. https://www.symantec.com/security_response/writeup.jsp?docid=2005-050210-2339-99&tabid=2