The Sober worm compiles its message using a variety of possible subject lines, message bodies, and attachment names. According to antivirus vendor Symantec, attachment names may be one of the following: anti_virusdoc.pif, Anti-Sob.bat, AntiTrojan.exe, anti-trojan.exe, AntiVirusDoc.pif, Bild.scr, Check-Patch.bat, check-patch.bat, CM-Recover.com, Funny.scr, Hengst.pif, Liebe.com, little-scr.scr, love.com, Mausi.scr, nacked.com, NackiDei.com, NAV.pif, Odin_Worm.exe, perversion.scr, Perversionen.scr, pic.scr, playme.exe, potency.pif, Privat.exe, Removal-Tool.exe, removal-tool.exe, robot_mail.scr, robot_mailer.pif, RobotMailer.com, schnitzel.exe, screen_doc.scr, Screen_Doku.scr, or security.pif.
The following are examples of some of the English versions of the Sober worm emails:
--------------------------------
Subject: New internet virus!
Kaspersky Lab Int. and Norton Anti Virus have found a new typ of worm.
He calls itself "ODIN" and he is very variable!
The worm hides in the screen saver.
Read the -screen_doc- documentation and you will be able to
find and kill this virus!
--------------------------------
Subject: You have sent me a virus!
I permanently get Spam-Mails from you and inside is a virus!!
You should remove these thing.
Read the document, before another or my mailbox explode!
Yours sincerely:
--------------------------------
Subject: I've become your mail!
I've become 11 times your mails!
Or, you have send me this mails, without your knowing!
Is that true, you have probably a problem with your Com-Port!
I've send you a recover tool, to fix this problem.
Greets from:
--------------------------------
Not all versions of the email pretend to be about viruses or recovery tools. For example:
--------------------------------
Subject: Advise who I am!
I have a new fake mail name!
This was not my idea!
You'll never check who I am!!
That's toooooo hard for you...
De-Crypt the picture mystery and ...
--------------------------------
Subject: Hi darling, what are you doing now?
Sorry :-) it's late,, I know,, but I`ve a new mail adress.
I've got my own screen saver;; with me!
Other say, it`s nice, but,,... see self.
Ok then, see you soon.
In Love:
--------------------------------
Fridrik Skulason, Founder and CTO of FRISK Software International, noted that "Despite typos and everything, some people seem to be falling for (the Sober worm email)" and added that the worm appeared to be gaining momentum. (FRISK Software develops the popular F-Prot Antivirus and also supplies its antivirus engine to other vendors such as F-Secure and Authentium, formerly Command Software. F-Prot Antivirus is a 2003 Top Pick.)
The files dropped by the worm vary, but may include three of the following, placed in the Windows\System folder:
- drv.exe
- filexe.exe
- similare.exe
- systemchk.exe
- winreg.exe
The following registry keys are modified to automatically launch one of the above files when the system is rebooted:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Antivirus software updated on or after October 24, 2003 should be capable of detecting and removing this worm. Manual removal will require first establishing which files were dropped to the system and then deleting those files and removing the registry edits associated with them.
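For the manual-removal step of establishing which files and registry edits are present, the following added example (not part of the original article or any vendor tool) scans an exported copy of the two Run keys for values that launch one of the file names listed above. It assumes the keys were exported to a .reg file and decoded to text first (such exports are normally UTF-16); the value names and the benign entry in the sample are constructed.

```python
import re

# File names the article lists as possibly dropped to Windows\System.
# The article says dropped files vary, so a clean result is not proof of absence.
SOBER_DROPPED = {"drv.exe", "filexe.exe", "similare.exe", "systemchk.exe", "winreg.exe"}
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"

# One "name"="data" string value per line, as written in a .reg export.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Any path component ending in .exe (the base name of an executable).
EXE_RE = re.compile(r'[^\\/"\s]+\.exe', re.IGNORECASE)

def unescape(s):
    # .reg exports escape a backslash and a double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def find_sober_run_entries(reg_text):
    """Return (key, value_name, command) for Run values that launch a listed file."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # start of a new key section
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith(RUN_SUFFIX):
            continue
        name, command = unescape(m.group(1)), unescape(m.group(2))
        if any(exe.lower() in SOBER_DROPPED for exe in EXE_RE.findall(command)):
            hits.append((key, name, command))
    return hits

# Constructed sample export (value names and the benign entry are invented).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"sysupd"="C:\\WINDOWS\\System\\similare.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"chk"="\"C:\\WINDOWS\\System\\SystemChk.exe\" -q"
'''

if __name__ == "__main__":
    for key, name, command in find_sober_run_entries(SAMPLE):
        print(f"{key}\n  value {name!r} -> {command}")
```

Each hit gives the registry value to remove and the full path of the file to delete; matching is on the file name only, so confirm the path before deleting anything.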

