Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | January 2006 (4.01) |
| Protection available since | 7 March 2005 18:44:16 (GMT) |
| Last updated | 15 November 2005 22:36:14 (GMT) |
| Detected by | All Sophos products |
Action

The name W32/Sober-Gen is used where a file belongs to a particular family of worms, but the variant is not separately identified. Sophos's proactive protection technology will identify such files as a -Gen variant.
- Ensure that you are using the most recent IDE files, as more precise detection could now be available. If necessary, update with the latest IDE files and repeat the scan.
- Please send us a sample to assist in improving our technology.
- Use the instructions for removing generically detected files to delete the file from your computer.
- If you require further assistance with disinfection, contact support.
More Information
Sophos Anti-Virus products detect members of the W32/Sober family as W32/Sober-Gen.
Members of the W32/Sober-Gen family are email worms that harvest email addresses from infected computers.
The worms typically send themselves as email attachments to addresses found in files with extensions such as:
PMR PHTM STM SLK INBOX IMB CSV BAK IMH XHTML IMM IMH CMS NWS VCF CTL DHTM CGI PP PPT MSG JSP OFT VBS UIN LDB ABC PST CFG MDW MBX MDX MDA ADP NAB FDB VAP DSP ADE SLN DSW MDE FRM BAS ADR CLS INI LDIF LOG MDB XML WSH TBB ABX ABD ADB PL RTF MMF DOC ODS NCH XLS NSF TXT WAB EML HLP MHT NFO PHP ASP SHTML DBX AERO COM COOP EDU GOV MUSEUM NAME INT NET ORG PRO INFO
Some variants also spread through peer-to-peer applications such as KaZaA.
In order to run each time a user logs on, the worms typically create registry entries under the following:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<name>
"<path to worm>"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<name>
"<path to worm>"

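To review what the two Run keys named above currently launch at logon, the following read-only PowerShell audit is an added example, not Sophos code. The helper name `Get-CommandTarget` and the extension list it uses to split unquoted command lines are assumptions of this example.

```powershell
# Added example (read-only): list what the two Run keys above launch at logon.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper: pull the executable path out of a Run command line.
function Get-CommandTarget {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    # Quoted path: take everything between the first pair of quotes.
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path that may contain spaces: cut at the first known extension
    # (the extension list is an assumption of this example).
    if ($cmd -match '^(.+?\.(exe|com|scr|pif|bat|cmd))(\s|$)') { return $Matches[1] }
    # Fallback: first whitespace-delimited token.
    return ($cmd -split '\s+')[0]
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        $data = [string]$regKey.GetValue($name)
        if ([string]::IsNullOrWhiteSpace($data)) { continue }
        $target = Get-CommandTarget $data
        # Relative targets are resolved against the current directory, so a
        # bare file name will usually be reported as not existing.
        $exists = Test-Path -LiteralPath $target -PathType Leaf
        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Command   = $data
            Target    = $target
            Exists    = $exists
            Signature = if ($exists) { [string](Get-AuthenticodeSignature -LiteralPath $target).Status } else { 'n/a' }
            SHA256    = if ($exists) { (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash } else { 'n/a' }
        }
    }
}
$report | Sort-Object Key, Name | Format-List
```

An entry that is unsigned, or that does not appear in a known-good baseline for the machine, is a candidate for a scan with current IDE files; it is not by itself a detection.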