Description:
To get a one-glance, comprehensive view of this worm's behavior, refer to the Behavior Diagram shown below.
Malware Overview
This worm propagates via email messages. It uses its own Simple Mail Transfer Protocol (SMTP) engine to send a copy of itself as an attachment to target email addresses. The said routine ensures that this worm is not dependent on any application installed on the system to perform its mailing routine. This also ensures that the mailing routine remains transparent to the user, such that affected users may not be aware that email messages are being sent from their machines.
The email messages that it sends contain any of the following details:
From: {Email address generated by this worm}
Subject: Thanks for your registration.
Message body: Your data are saved in the zipped Word.doc file!
Attachment: registration.zip
From: {Email address generated by this worm}
Subject: I've got your email on my account
Message body:
First, my English is very bad! Sorry about this.
Ok, I've got an email in my box, but this email is not for me, because, I'm not the recipient! The recipient are you!
This must be an email-provider error, but I don't know!
I have made a Screenshot about this mail and saved then in a zipped jpeg file for you.
ok then,
Bye
Attachment: email_photo.zip
From: {Email address generated by this worm}
Subject: Thanks for your registration
Message body:
Thanks for your registration!
We have received your payment.
For more detailed information, read
the attached text.
Attachment: reg_text.zip
From: {Email address generated by this worm}
Subject: Your email
Message body:
Hello,
Sorry, sorry sorry, because,, my English is
not the best!
ok, I've got an email with an Excel-Table.
But I am not the recipient, the recipient are
you!
I think, it's an mail error!
OK, here is your table back!
cya....
Attachment: execl_table.zip
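As an added example (not part of the original description), the following mail-gateway check flags messages that carry one of the attachment names listed above, using the subject line as a secondary signal. The sample message is constructed for the example, and the function names are hypothetical.

```python
import email
from email import policy
from typing import Optional

# Indicators taken from the lure templates above: attachment name -> subject.
# Subjects are compared case-insensitively without a trailing period, because
# one template ends in "." and another does not.
LURE_ATTACHMENTS = {
    "registration.zip": "thanks for your registration",
    "email_photo.zip": "i've got your email on my account",
    "reg_text.zip": "thanks for your registration",
    "execl_table.zip": "your email",
}

def _norm_subject(subject: str) -> str:
    return subject.strip().rstrip(".").lower()

def match_lure(raw: bytes) -> Optional[dict]:
    """Return details of the matching lure, or None for a non-matching message.
    The attachment name is the primary indicator; the subject is reported as a
    secondary signal since it may change between variants."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = _norm_subject(msg.get("Subject", ""))
    # iter_attachments() yields only non-body parts, so the text part is skipped.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in LURE_ATTACHMENTS:
            return {
                "attachment": name,
                "subject_match": subject == LURE_ATTACHMENTS[name],
                "from": str(msg.get("From", "")),
            }
    return None

# Constructed sample message (not a real capture) mirroring the first template.
SAMPLE_LURE = (
    b"From: sender@example.invalid\r\n"
    b"To: victim@example.invalid\r\n"
    b"Subject: Thanks for your registration.\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\n"
    b"Your data are saved in the zipped Word.doc file!\r\n"
    b'--b1\r\nContent-Type: application/zip; name="registration.zip"\r\n'
    b'Content-Disposition: attachment; filename="registration.zip"\r\n\r\n'
    b"(constructed placeholder, not a real archive)\r\n--b1--\r\n"
)
SAMPLE_BENIGN = b"From: a@example.invalid\r\nSubject: lunch?\r\n\r\nPizza today?\r\n"
```

Because the worm uses its own SMTP engine and never touches the local mail client, a check like this has to sit on the network egress or mail relay, not on the sending host's mail software.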
This worm also sends email messages in German when the harvested email address has GMX as its domain or DE as its top-level domain. GMX is a German mail service, and DE is the country code for Germany.
It gathers the said addresses from files with certain extensions. Most of the files with the said extensions are related to the Web pages visited by an affected user. This worm gathers these types of files under the assumption that visited Web pages may contain text strings that refer to email addresses.
It drops a number of files, which aid its mass-mailing routine. The said routine consumes bandwidth that can slow down an affected network's processes.
This worm also displays any of the following fake error messages in order to trick the user into thinking that it fails to execute:
Moreover, on systems running Windows XP Service Pack 2, this worm prevents the affected system from connecting to a network. The said action greatly limits the system's capabilities and further renders the said system vulnerable to this worm's malicious routines.
Description created: Nov. 14, 2005 11:31:32 AM GMT -0800