Win32:Sober-H
(also known as Sober-I or even Sober-J) is an email worm. It spreads as an email attachment. The message is either in English or in German. When executed, Sober-H displays an error message. This may fool the user into believing the program is damaged. However, the worm keeps running silently in the background, creating a few files in the system directory, usually Windows\System or Windows\System32. There are two copies of the worm with random names. Both copies are executed at system start by items in the
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.
The items are named randomly. The other created files are clonzips.ssc, clsobern.isc, cvqaikxt.apk, dgssxy.yoi, nonzipsr.noz, odin-anon.ger, sb2run.dii, sysmms32.lla, winexerun.dal, winmprot.dal, winroot64.dal, winsend32.dal and zippedsr.piz. Those files are not executable.
The worm checks the internet connection by sending time queries to a few time servers (NTP). If the queries succeed, the worm starts sending infected mails. The sender's address is faked: the domain part of the recipient's address is used as the sender domain. The attachment can have one of the following extensions: .bat, .com, .pif, .scr or .zip, or a doubled extension with .zip as the second extension. After January 5th, the worm tries to download and execute another program from the Internet.
avast! with a VPS file dated on or after 19th November 2004 is able to detect this worm.
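The file names and attachment extensions listed above can be turned into a simple triage check. The following is an added example, not part of the original description or of any avast! tooling; the function names are hypothetical, and treating "doubled extension" as any name of the form `name.ext.zip` is an assumption.

```python
import os
import tempfile

# Non-executable data files named in the description above.
SOBER_H_DATA_FILES = {
    "clonzips.ssc", "clsobern.isc", "cvqaikxt.apk", "dgssxy.yoi",
    "nonzipsr.noz", "odin-anon.ger", "sb2run.dii", "sysmms32.lla",
    "winexerun.dal", "winmprot.dal", "winroot64.dal", "winsend32.dal",
    "zippedsr.piz",
}
# Attachment extensions named in the description above.
SOBER_H_ATTACHMENT_EXTS = {".bat", ".com", ".pif", ".scr", ".zip"}


def find_data_files(system_dir):
    """Return the listed data-file names found in system_dir (case-insensitive)."""
    return sorted(
        entry.lower()
        for entry in os.listdir(system_dir)
        if entry.lower() in SOBER_H_DATA_FILES
        and os.path.isfile(os.path.join(system_dir, entry))
    )


def classify_attachment(filename):
    """Return 'double-zip', 'listed-extension' or None for an attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    name = filename.strip().rstrip(". ").lower()
    stem, ext = os.path.splitext(name)
    if ext not in SOBER_H_ATTACHMENT_EXTS:
        return None
    # Assumption: "doubled extension" means another extension precedes .zip.
    if ext == ".zip" and os.path.splitext(stem)[1]:
        return "double-zip"
    return "listed-extension"


if __name__ == "__main__":
    # Constructed sample data: a temporary directory stands in for System32.
    with tempfile.TemporaryDirectory() as fake_system_dir:
        for sample in ("WinSend32.dal", "sysmms32.lla", "notepad.exe"):
            open(os.path.join(fake_system_dir, sample), "w").close()
        print("data files found:", find_data_files(fake_system_dir))
    for attachment in ("document.txt.zip", "photo.pif", "report.pdf"):
        print(attachment, "->", classify_attachment(attachment))
```

The two worm copies themselves have random names, so this check only finds the fixed-name data files; a hit is a reason to inspect the Run key entries, not proof of infection.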


