Threat Encyclopedia

Win32/Sober.A

I-Worm.Sober, W32.Sober

Win32/Sober.A is a worm that spreads as a file attached to e-mail messages. The compressed worm is approximately 63 Kb long; after decompression its length is 237 Kb. It runs on Windows 95 and newer versions of the Windows operating system.

Win32/Sober.A arrives in a message whose subject is chosen at random from the following list:

Neuer Virus im Umlauf!
Back At The Funny Farm
Sie versenden Spam Mails (Virus?)
Ein Wurm ist auf Ihrem Computer!
Langsam reicht es mir
Sie haben mir einen Wurm geschickt!
Hi Schnuckel was machst du so
VORSICHT!!! Neuer Mail Wurm
Re: Kontakt
RE: Sex
Sorry, Ich habe Ihre Mail bekommen
Hi Olle, lange niks mehr gehört!
Re: lol
Viurs blockiert jeden PC (Vorsicht!)
Überraschung>Ich habe Ihre E-Mail bekommen !
Jetzt rate mal, wer ich bin !?
Neue Sobig Variante (Lesen!!)
Ich Liebe Dich
New internet virus!
You send spam mails (Worm?)
A worm is on your computer!
You have sent me a virus!
Hi darling, what are you doing now?
Be careful! New mail worm
Re: Contact
Sorry, I've become your mail
Hey man, long not see you
Viurs blocked every PC (Take care!)
Surprise,I've become your mail! Advise who I am!
New Sobig-Worm variation (please read)
I love you (I'm not a virus!)
I permanently get Spam-Mails from you and inside is a virus!!
You should remove these thing

The text of the message body is chosen from a number of predefined strings in German or English. These strings are contained in the body of the worm and are plainly visible once the file is decompressed.
A copy of the worm is attached to the e-mail message, with the attachment's file name chosen from the following list:

AntiVirusDoc.pif
Check-Patch.bat
Screen_Doku.scr
Removal-Tool.exe
Perversionen.scr
Bild.scr
Mausi.scr
NackiDei.com
Anti-Sob.bat
Liebe.com
security.pif
Funny.scr
Odin_Worm.exe
check-patch.bat
anti_virusdoc.pif
Hengst.pif
perversion.scr
pic.scr
CM-recover.com
playme.exe
robot_mailer.pif
private.exe
anti-trojan.exe
little-scr.scr
love.com
nacked.com
schnitzel.exe
anti-Sob.bat
AntiTrojan.exe
NAV.pif
funny.scr
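
A mail-screening check built from the attachment names listed above, as an added example that is not part of the original entry or of any ESET product. The function names, the build_sample helper and the zero-filled sample message are constructed for illustration, and the length comparison assumes the mailed copy has the same 63488-byte length the entry gives for the copies in %system%.

```python
import email
from email import policy
from email.message import EmailMessage
# Attachment names from the list above, lower-cased and de-duplicated.
SOBER_A_ATTACHMENTS = frozenset("""
antivirusdoc.pif check-patch.bat screen_doku.scr removal-tool.exe
perversionen.scr bild.scr mausi.scr nackidei.com anti-sob.bat liebe.com
security.pif funny.scr odin_worm.exe anti_virusdoc.pif hengst.pif
perversion.scr pic.scr cm-recover.com playme.exe robot_mailer.pif
private.exe anti-trojan.exe little-scr.scr love.com nacked.com
schnitzel.exe antitrojan.exe nav.pif
""".split())

# Length the description gives for the worm's copies in %system%.
# Assumption: the mailed copy has the same length, so this is only a hint.
DROPPED_COPY_SIZE = 63488

def screen_message(raw):
    """Return one finding per attachment whose name is on the Sober.A list."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        # Compare the bare file name only, case-insensitively.
        base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base not in SOBER_A_ATTACHMENTS:
            continue
        size = len(part.get_payload(decode=True) or b"")
        findings.append({
            "subject": str(msg["Subject"]),  # RFC 2047 decoded by the policy
            "attachment": name,
            "size": size,
            "size_matches": size == DROPPED_COPY_SIZE,
        })
    return findings

def build_sample(filename="Screen_Doku.SCR"):
    """Constructed test message: zero-filled attachment, not a real sample."""
    msg = EmailMessage()
    msg["Subject"] = "Hi Olle, lange niks mehr gehört!"
    msg.set_content("constructed body")
    msg.add_attachment(b"\0" * DROPPED_COPY_SIZE, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(screen_message(build_sample()))
```

A name match alone is weak evidence, since several of the listed names are generic; the finding is meant to route a message to quarantine or review, not to replace scanning of the attachment itself.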

Note: In the following text, the symbolic name %windir% stands for the directory in which the Windows operating system is installed; this may differ from installation to installation. %system% stands for the System or System32 subdirectory of %windir%.

The worm is activated when the attached file is run. A window with a fake error message is displayed.

The worm creates a file containing its copy in the %system% directory. This file can have different names, e.g. artiv.exe, sy-?O?T.exe or similare.exe. The length of these files is 63488 bytes. The worm ensures that its copy is activated after the operating system restarts by creating a value named syspath under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and setting that value to the path of its copy in the %system% directory.

Win32/Sober.A collects the e-mail addresses it spreads to from files located on the hard drive. It saves these addresses in the file Media.dll, located in the Macromed\Help subdirectory of %system%.

NOD32 detects the Win32/Sober.A worm using extended heuristics, without requiring an update. Sample-based detection of Win32/Sober.A is included from version 1.542 onward.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.