Sober.C worm

By , About.com Guide

Dec 22 2003
Sober.C is a mass-mailing email and filesharing worm that was discovered December 20, 2003. According to Alexey Podrezov of F-Secure Corporation, the worm sends e-mail messages with German and English texts. When sending its message to an e-mail address that has a domain suffix of DE, CH, AT, LI, NL or BE, the worm uses German text strings. Otherwise, it composes its message in English. As with its predecessors, Sober.B and Sober.A, Sober.C spreads using its own SMTP engine, so infected users will not find tell-tale copies in their Sent folders. Sober.C collects addresses from a wide range of file types found on the system and uses those addresses to send itself to others.

Email examples

Sober.C selects from the following lists to compose its email:

Subject:

    ups, i've got your mail
    Sorry, that's your mail
    hi, its me
    Thank You very very much
    you are an idiot
    why me?
    I hate you
    Preliminary investigation were started
    Your IP was logged
    You use illegal File Sharing ...
    A Trojan horse is on your PC
    a trojan is on your computer!
    Anime, Pokemon, Manga, ...
    Betr: Klassentreffen
    Testen Sie ihren IQ
    Bankverbindungs- Daten
    Neuer Dialer Patch!
    Ermittlungsverfahren wurde eingeleitet
    Ihre IP wurde geloggt
    Sie sind ein Raubkopierer
    Sie tauschen illegal Dateien aus
    Ich hasse dich
    Ich zeige sie an!
    Sie Drohen mir!!
    Anime, Pokemon, Manga, Handy ...
    Anmeldebestätigung
    Neu! Legales Filesharing
    Umfrage: Rente erst mit 80!
    du wirst ausspioniert
    Ein Trojaner ist auf Ihrem Rechner!
    Du hast einen Trojaner drauf!
    Hi, Ich bin's

Attachment:

    www.iq4you-german-test.com
    www.freewantiv.com
    www.free4share4you.com
    www.onlinegamerspro-worm.com
    www.freegames4you-gzone.com
    www.anime4allfree.com
    www.animepage43252.com
    downloader.exe
    yourmail.txt
    yourmail.doc
    alledigis.bat
    alledigis.cmd
    alledigis.pif
    alledigis.scr
    alledigis.exe
    alledigis.com

Note that some of the filenames attempt to trick the user into believing the attachment is a website address, when in fact it is a malicious .COM file.
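The check below is an added example, not part of the original article or any vendor's tooling: a mail-gateway style filter that flags attachments with directly executable extensions and separately labels the names that read like a website address. The function names and the sample message are assumptions constructed for illustration; the attachment names come from the list above.

```python
import re
from email.message import EmailMessage

# Extensions Windows executes directly; all appear in the attachment list above.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr"}
# A name shaped like a host name (www.<label>.com) reads as a URL to the user.
LOOKS_LIKE_HOST = re.compile(r"^www\.[a-z0-9-]+(\.[a-z0-9-]+)*\.com$", re.I)

def classify_attachment(filename):
    """Return 'url-lookalike', 'executable' or 'ok' for an attachment name."""
    # Windows ignores trailing dots and spaces, so normalise them away first.
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    ext = name[dot:] if dot != -1 else ""
    if ext not in EXECUTABLE_EXTS:
        return "ok"
    if LOOKS_LIKE_HOST.match(name):
        return "url-lookalike"
    return "executable"

def scan_message(msg):
    """Return [(filename, verdict)] for every attachment that is not 'ok'."""
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if filename:
            verdict = classify_attachment(filename)
            if verdict != "ok":
                findings.append((filename, verdict))
    return findings

def build_sample():
    """Constructed sample message with placeholder attachment bodies."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "hi, its me"
    msg.set_content("constructed test body")
    for name in ("www.anime4allfree.com", "alledigis.pif", "yourmail.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

if __name__ == "__main__":
    for filename, verdict in scan_message(build_sample()):
        print(f"{verdict:14} {filename}")
```

A name-only check passes attachments such as yourmail.txt and yourmail.doc, so it complements content scanning rather than replacing it.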

Method of infection:
When Sober.C infects a system, it copies itself to the Windows\System folder under two random filenames.

The following keys are modified to automatically launch one of the above files when the system is rebooted:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To remove the worm, use updated antivirus software to detect the infected worm files, then delete those files and reverse the registry edits.

©2009 About.com, a part of The New York Times Company.

All rights reserved.