Sophos

W32/Sober-A

Aliases
  • I-Worm.Sober
  • Win32/Sober.A
  • W32.Sober@mm

Summary

 
Protection available since 27 October 2003 05:43:40 (GMT)
Detected by All Sophos products

More Information

W32/Sober-A is an email worm with the following characteristics:

Subject line chosen from:
New internet virus!
You send spam mails (Worm?)
A worm is on your computer!
Now, its enough
You have sent me a virus!
Hi darling, what are you doing now?
Be careful! New mail worm
Re: Contact
RE: Sex
Sorry, Ive become your mail
Hey man, long not see you
Re: lol
Viurs blocked every PC (Take care!)
Surprise
Ive become your mail!
Advise who I am!
New Sobig-Worm variation (please read)
Back At The Funny Farm
I love you (Im not a virus!)
Neuer Virus im Umlauf!
Sie versenden Spam Mails (Virus?)
Ein Wurm ist auf Ihrem Computer!
Langsam reicht es mir
Sie haben mir einen Wurm geschickt!
Hi Schnuckel was machst du so ?
VORSICHT!!! Neuer Mail Wurm
Re: Kontakt
RE: Sex
Sorry, Ich habe Ihre Mail bekommen
Hi Olle, lange niks mehr geh
Re: lol
Viurs blockiert jeden PC (Vorsicht!)
Überraschung
Ich habe Ihre E-Mail bekommen !
Jetzt rate mal, wer ich bin !?
Neue Sobig Variante (Lesen!!)
Back At The Funny Farm
Ich Liebe Dich

Message text: if the recipient's internet domain is de, li, at or ch, the worm creates a message in German; otherwise the message and subject line are in English. A message in English may contain one of the following, depending on the subject line and the attached file name:

"Congratulations!! Your Sobig Worms are very good!!!
You are a very good programmer!
Yours faithfully
Odin alias Anon"

"Kaspersky Lab Int. and Norton Anti Virus have found a new typ of worm.
He calls itself "ODIN" and he is very variable!
The worm hides in the screen saver.
Read the -screen_doc- documentation and you will be able to
find and kill this virus!",

"I permanently get Spam-Mails from you and inside is a virus!!
You should remove these thing.
Sorry, but the ODIN Worm is probably on your computer!
You should check this with the patch application.

See you soon",

"Automatic Mail notification: Robot-System__#<number>#

Answer = complete %Error% occured%
Answer transferred in attachement -Access*",

"Or are you put under stress?
I,, I put only under stress,,, every sec, min, hour, day,.....
You see, I've an another mail-name!
But, it's too dangerous to say it,, here in the internet.
Every can read my problems! Use the attach.,
the password is your birthday.

See you soon!",

"Sorry :-) it's late,, I know,, but I`ve a new mail adress.
I've got my own screen saver;; with me!
Other say, it`s nice, but,,... see self.
Ok ok ,, I'm nacked in this pic, but, it is a work of art!
Yaya I know i know!",

"I hope you know of me!
When not, please delete this mail!",

"New Sobig variation in the net.
Save yourself with the patch before it's too late!
The new Sobig is very dangerous!",

"Actually, this bastardos have installed a trojan on my computer!
And now, I'm here,.,. I've tell you something about the..
No, not here, I'll to report you,, next days!
But before, you must check your system. Trojan are everywhere!!!
Check first your system with the tool.
see ya",

"You must change any settings before the worm control your computer!
But, read the official statement from Norton Anti Virus!",

"Sorry, but the ODIN Worm is probably on your computer!
You should check this with the patch application.
See you soon",

"Kaspersky Lab Int. and Norton Anti Virus have found a new typ of worm.
He calls itself and he is very variable!
This mail was spread with this Worm, too. BUT, the attachement is a AntiVirus!!",

"Automatic Mail notification: Robot-System__#<number>#
WHEN YOU CAN NOT READ THIS MAIL ATTACH.,
PLEASE REPORT US THIS ERROR.",

Attached file chosen from:
anti-Sob.bat
Anti-Sob.bat
anti-trojan.exe
anti_virusdoc.pif
AntiTrojan.exe
AntiVirusDoc.pif
Bild.scr
check-patch.bat
Check-Patch.bat
CM-recover.com
CM-Recover.com
funny.scr
Funny.scr
Hengst.pif
Liebe.com
little-scr.scr
love.com
Mausi.scr
nacked.com
NackiDei.com
Odin_Worm.exe
perversion.scr
Perversionen.scr
pic.scr
playme.exe
potency.pif
Privat.exe
private.exe
removal-tool.exe
Removal-Tool.exe
robot_mail.scr
robot_mailer.pif
RobotMailer.com
schnitzel.exe
screen_doc.scr
Screen_Doku.scr
security.pif
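
A mail-gateway triage check built from the subject and attachment lists above. This is an added example, not Sophos code. It matches on the attachment extension rather than the exact file name, so it generalises beyond the listed names; the function names, addresses and sample message are constructed for illustration, and only a subset of the subject lines is included.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Every attachment name listed above ends in one of these directly executable types.
RISKY_EXTS = {".bat", ".com", ".exe", ".pif", ".scr"}
# Subset of the subject lines listed above, casefolded; add the rest for full coverage.
KNOWN_SUBJECTS = {s.casefold() for s in (
    "New internet virus!",
    "A worm is on your computer!",
    "New Sobig-Worm variation (please read)",
    "Neuer Virus im Umlauf!",
    "Ein Wurm ist auf Ihrem Computer!",
)}

def triage(raw_message: bytes) -> dict:
    """Return the Sober-A style traits found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = " ".join(str(msg["Subject"] or "").split())  # collapse folded whitespace
    risky = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Windows ignores trailing dots and spaces, so drop them before taking the
        # extension; compare case-insensitively (the list has Funny.scr and funny.scr).
        ext = os.path.splitext(name.rstrip(" ."))[1].lower()
        if ext in RISKY_EXTS:
            risky.append(name)
    return {
        "subject_match": subject.casefold() in KNOWN_SUBJECTS,
        "risky_attachments": risky,
        "quarantine": bool(risky),  # executable attachment alone is enough to hold it
    }

def sample_message(filename="screen_doc.scr", subject="New internet virus!") -> bytes:
    """Constructed sample: harmless placeholder bytes under a listed attachment name."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.de", subject
    m.set_content("Read the -screen_doc- documentation")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```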

W32/Sober-A creates three copies of itself in the Windows system folder. One of the filenames is always similare.exe; the other two filenames are randomly chosen (e.g. systemchk.exe, systemini.exe).

W32/Sober-A adds a filename to the following registry entry so that the worm runs when you log on to your computer:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

W32/Sober-A creates the following file underneath the Windows system folder: Macromed\Help\Media.dll

This file contains email addresses collected from the system. It is not malicious and can be deleted.

W32/Sober-A employs a technique that causes the worm to be restarted if its process is terminated.
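
A host triage sketch for the artifacts described above: the fixed similare.exe name, its randomly named copies, the Macromed\Help\Media.dll address file and the Run entry. This is an added example, not Sophos code. It assumes the randomly named copies are byte-identical to similare.exe, and that the Run key values have been exported into a dictionary; the function and field names are hypothetical.

```python
import hashlib
import os

def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def _child(directory, name):
    """Case-insensitive lookup of one entry, for images mounted on non-Windows hosts."""
    if directory and os.path.isdir(directory):
        for entry in os.scandir(directory):
            if entry.name.lower() == name.lower():
                return entry.path
    return None

def find_sober_a(system_dir, run_values):
    """system_dir: Windows system folder; run_values: {name: command} from the Run key."""
    report = {"similare": _child(system_dir, "similare.exe"), "copies": [],
              "address_file": None, "run_values": []}
    # Macromed\Help\Media.dll holds the collected email addresses.
    path = system_dir
    for part in ("Macromed", "Help", "Media.dll"):
        path = _child(path, part)
    report["address_file"] = path
    anchor = report["similare"]
    if anchor:
        size, digest = os.path.getsize(anchor), _sha256(anchor)
        # Assumption: the two randomly named copies are byte-identical to similare.exe.
        for entry in os.scandir(system_dir):
            if (entry.is_file() and entry.name.lower().endswith(".exe")
                    and entry.path != anchor
                    and entry.stat().st_size == size and _sha256(entry.path) == digest):
                report["copies"].append(entry.name)
        report["copies"].sort()
        names = [n.lower() for n in report["copies"]] + ["similare.exe"]
        # Flag Run values whose command line names any of the copies.
        report["run_values"] = sorted(k for k, cmd in run_values.items()
                                      if any(n in cmd.lower() for n in names))
    return report
```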
