Sober | |
---|---|
Type | Mass mailer worm |
Creator | |
Date Discovered | 2003.10.24 |
Place of Origin | Germany |
Source Language | Basic |
Platform | MS Windows |
File Type(s) | .bat, .com, .exe, .pif, .scr |
Infection Length | |
Reported Costs | |
Sober is a mass-mailing email worm with many variants. The original Sober worm and most of its variants do little beyond spreading and carry no destructive payload; some later variants, however, attempt to download further, potentially malicious, files.
Behavior
Sober arrives as an email attachment. The message can use any of more than 35 subject lines, in English or German, and many different message bodies and attachment file names; the subjects and bodies cover topics as varied as sex, love and even warnings about computer viruses.
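Because the lure text varies so much, the durable control against a worm like this is not subject-line matching but refusing executable attachments at the mail gateway. The script below is an added example, not the page's or any vendor's code: it parses a raw MIME message, flags any attachment whose last extension is one of the types listed in the infobox (.bat, .com, .exe, .pif, .scr), and independently checks the decoded payload for the "MZ" executable magic so that a renamed program is still caught. The sample message is constructed for the demonstration and is not a real Sober capture.

```python
"""Gateway-style attachment check for Sober-type mass mailers (added example)."""
import email
import email.policy
import ntpath
from typing import List, Optional, Tuple

# Attachment extensions the page lists for Sober. Windows decides how to run a
# file by its *last* extension, so "notes.txt.pif" is still a program.
SOBER_EXTENSIONS = {".bat", ".com", ".exe", ".pif", ".scr"}

# Constructed sample message (not a real Sober capture): German subject, short
# body, and an attachment whose name hides an executable extension. The base64
# payload is only the first bytes of a DOS/PE header ("MZ..."), nothing runnable.
SAMPLE_MESSAGE = b"""\
From: alice@example.org
To: bob@example.net
Subject: Ich habe Ihre E-Mail bekommen!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sober-demo"

--sober-demo
Content-Type: text/plain; charset="us-ascii"

Bitte siehe Anhang.
--sober-demo
Content-Type: application/octet-stream; name="mail-text.txt.pif"
Content-Disposition: attachment; filename="mail-text.txt.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--sober-demo--
"""


def risky_extension(filename: str) -> Optional[str]:
    """Return the executable extension if the attachment name ends in one."""
    # strip() defeats trailing-space tricks; splitext keeps only the last suffix.
    ext = ntpath.splitext(filename.strip())[1].lower()
    return ext if ext in SOBER_EXTENSIONS else None


def looks_like_pe(data: bytes) -> bool:
    """True if the decoded attachment starts with the DOS 'MZ' magic."""
    return data[:2] == b"MZ"


def scan_message(raw: bytes) -> List[Tuple[str, Optional[str], bool]]:
    """Return (filename, risky extension or None, has MZ magic) per attachment."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue  # plain body text, not an attachment
        payload = part.get_payload(decode=True) or b""
        findings.append((name, risky_extension(name), looks_like_pe(payload)))
    return findings


def should_block(raw: bytes) -> bool:
    """Block when any attachment has a Sober-style extension or PE magic."""
    return any(ext or is_pe for _, ext, is_pe in scan_message(raw))


if __name__ == "__main__":
    for name, ext, is_pe in scan_message(SAMPLE_MESSAGE):
        print(f"{name}: extension={ext} pe_magic={is_pe}")
    print("verdict:", "BLOCK" if should_block(SAMPLE_MESSAGE) else "allow")
```

The two checks are deliberately independent: the extension test catches the double-extension lure even when the payload is mangled, and the magic-byte test catches an executable shipped under a harmless-looking name.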
When Sober is run it displays a fake error message and copies itself as Similare.exe to the system folder. It also creates further copies of itself in the same directory under file names drawn from a list that includes:
- antiv.exe
- driver.exe
- driverini.exe
- drv.exe
- expoler.exe
- filexe.exe
- hlp16.exe
- lssas.exe
- qname.exe
- spoole.exe
- swchost.exe
- syshost.exe
- systemchk.exe
- systemini.exe
- winchk.exe
- winlog32.exe
- winreg.exe
It then adds a value to the Run key under both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE (Software\Microsoft\Windows\CurrentVersion\Run), which causes one of those copies to run when Windows starts.
It then creates the file Media.dll in the Macromed\Help subfolder of the system folder and uses it to store email addresses harvested from files on the local disk. Finally, it mails itself to every address found using its own SMTP engine, so it does not depend on the victim's mail client.
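The persistence and harvesting steps above leave three host artefacts that are easy to check for: the Run-key value, the look-alike executables in the system folder, and the Macromed\Help\Media.dll address cache. The triage script below is an added example, not the page's or Symantec's code. Its core functions take the Run-key values and a file listing as plain Python data so they run anywhere; the sample data is constructed, and the Run-key value name "SystemCheck" is hypothetical (the page does not give the name Sober uses). On a Windows host, `collect_windows()` fills the same structures from both Run keys and the system32 folder (assumed to be %SystemRoot%\system32).

```python
"""Host triage for the Sober artefacts described on this page (added example)."""
import sys
from typing import Dict, List, Tuple

# File names the page says Sober drops into the system folder.
SOBER_DROP_NAMES = {
    "similare.exe", "antiv.exe", "driver.exe", "driverini.exe", "drv.exe",
    "expoler.exe", "filexe.exe", "hlp16.exe", "lssas.exe", "qname.exe",
    "spoole.exe", "swchost.exe", "syshost.exe", "systemchk.exe",
    "systemini.exe", "winchk.exe", "winlog32.exe", "winreg.exe",
}
# Address cache the page describes, relative to the system folder (lower-case).
ADDRESS_STORE_SUFFIX = r"\macromed\help\media.dll"
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample input. "SystemCheck" is a hypothetical value name; the
# other entries are benign filler to show that they are not flagged.
SAMPLE_RUN_VALUES = {
    r"HKCU\SystemCheck": r'"C:\WINDOWS\system32\systemchk.exe"',
    r"HKLM\ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    r"HKLM\Reader": r'"C:\Program Files\Adobe\Reader.exe" /b',
}
SAMPLE_SYSTEM_FILES = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\systemchk.exe",
    r"C:\WINDOWS\system32\similare.exe",
    r"C:\WINDOWS\system32\Macromed\Help\Media.dll",
]


def _norm(path: str) -> str:
    """Case-fold and use backslashes so comparisons work on any platform."""
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def image_basename(command: str) -> str:
    """Executable name from a Run-key command line.

    A quoted command keeps everything inside the quotes; otherwise the first
    whitespace-separated token is used (fine for system32 paths, ambiguous
    for unquoted paths that contain spaces).
    """
    command = command.strip()
    if command.startswith('"'):
        image = command[1:].split('"', 1)[0]
    else:
        image = command.split(None, 1)[0] if command else ""
    return _basename(image)


def suspicious_run_values(run_values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Run-key values whose image is one of the Sober drop names."""
    return sorted((name, image_basename(cmd)) for name, cmd in run_values.items()
                  if image_basename(cmd) in SOBER_DROP_NAMES)


def dropped_files(paths: List[str]) -> List[str]:
    """Sober drop names present among the given system-folder paths."""
    return sorted({_basename(p) for p in paths if _basename(p) in SOBER_DROP_NAMES})


def address_store(paths: List[str]) -> List[str]:
    """Paths matching the Macromed\\Help\\Media.dll address cache."""
    return [p for p in paths if _norm(p).endswith(ADDRESS_STORE_SUFFIX)]


def triage(run_values: Dict[str, str], paths: List[str]) -> dict:
    return {
        "run_hits": suspicious_run_values(run_values),
        "dropped": dropped_files(paths),
        "address_store": address_store(paths),
    }


def collect_windows() -> Tuple[Dict[str, str], List[str]]:
    """Live collection on Windows only: both Run keys plus the system32 listing."""
    import os
    import winreg
    run: Dict[str, str] = {}
    for hive, tag in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            with winreg.OpenKey(hive, RUN_SUBKEY) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values
                    run[f"{tag}\\{name}"] = str(data)
                    index += 1
        except OSError:
            pass  # key missing or not readable
    system = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    files = [os.path.join(system, f) for f in os.listdir(system)]
    store = os.path.join(system, "Macromed", "Help", "Media.dll")
    if os.path.exists(store):
        files.append(store)
    return run, files


if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        result = triage(*collect_windows())
    else:
        result = triage(SAMPLE_RUN_VALUES, SAMPLE_SYSTEM_FILES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it with no arguments to see the constructed sample flagged; on a Windows host, `--live` reads the real Run keys and system32. Name matching alone is a weak indicator for a worm whose file names imitate legitimate binaries, so treat a hit as a reason to pull the file and the Media.dll cache for analysis, not as a verdict on its own.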
Variants
Sober.X, Y or Z (antivirus vendors do not always agree on variant letters, especially once a family runs this far into the alphabet) instructs infected computers to download unknown files from 14 different websites on 2006.01.05. Because the worm generates some of its messages in German, and because that date coincides with the founding of the Nazi party in 1919 as well as the start of a major political convention in Germany, it has been speculated that Sober, or at least this variant, was created for political reasons.
Sources
Yana Liu. Symantec.com, "W32.Sober@mm"
Keith Regan. Tech News World, "Security Firms Warn of Looming Sober Worm Threat" 2005.12.09