The Sober.F email carries either a .pif or .zip attachment. By default, Windows suppresses the file extension for executable types. Visit the File Extension Center for steps on enabling file extension viewing for all file types.
Sober.F uses its own SMTP engine to spread, creating a From address based on hard-coded criteria in the worm's code, sometimes combined with usernames found on the infected user's system.
Sober.F copies itself to the Windows system directory as an .EXE file, using a randomly generated filename created by combining elements from the following list:
- 32
- crypt
- data
- diag
- dir
- disc
- explorer
- host
- log
- run
- service
- smss32
- spool
- sys
- win
Sober.F modifies the registry to allow the worm to load when Windows is started:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
%random% = %winsysdir%\%random%.exe
and also adds the value:
%random% = %winsysdir%\%random%.exe %1
to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce registry key.
Sober.F drops the following files to the Windows System directory:
- bcegfds.lll
- spoofed_recips.ocx
- syst32win.dll
- winhex32xx.wrm
- winsys32xx.zzp
- zmndpgwf.kxx
Sober.F then attempts to access the Internet, connecting to a remote website to download another file and execute it.
If the infected user has a dial-up connection, the following error may be displayed:
Microsoft Windows
STOP: 0x80070725 {FatalSystemError}
System File [filename].exe
Connection lost or blocked by Firewall
Sober.F searches through an extensive list of file types on all fixed drives, harvesting email addresses that the worm then uses to send itself to others. The harvested addresses are stored in the syst32win.dll file previously dropped to the Windows system directory.
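A defender-side triage check for the persistence and dropped-file indicators described above, written as an added example (it is not code from the original page or from any vendor tool). It assumes the worm's name parts are concatenated with no separator and that the Run/RunOnce values have already been exported into a name-to-data mapping; the sample data is constructed.

```python
import re

# Name fragments listed on the page; the worm's .exe name is built by combining them.
NAME_PARTS = ["32", "crypt", "data", "diag", "dir", "disc", "explorer", "host",
              "log", "run", "service", "smss32", "spool", "sys", "win"]

# Files the page says Sober.F drops into the Windows system directory.
DROPPED_FILES = {"bcegfds.lll", "spoofed_recips.ocx", "syst32win.dll",
                 "winhex32xx.wrm", "winsys32xx.zzp", "zmndpgwf.kxx"}

# Assumption: "combining elements" means plain concatenation with no separator.
def built_from_parts(stem: str) -> bool:
    """True if the whole stem can be segmented into NAME_PARTS (case-insensitive)."""
    stem = stem.lower()
    reachable = [True] + [False] * len(stem)   # reachable[i]: stem[:i] is segmentable
    for i in range(len(stem)):
        if reachable[i]:
            for part in NAME_PARTS:
                if stem.startswith(part, i):
                    reachable[i + len(part)] = True
    return reachable[len(stem)]

# Matches the page's "%winsysdir%\<name>.exe" shape, with the optional trailing " %1"
# used in the RunOnce value; also accepts the system directory in expanded form.
_RUN_RE = re.compile(
    r"(?:%winsysdir%|%systemroot%\\system32|[a-z]:\\windows\\system32)\\([a-z0-9]+)\.exe(?: %1)?",
    re.IGNORECASE)

def suspicious_run_value(data: str) -> bool:
    """Flag Run/RunOnce data pointing at a system-dir .exe whose name is built from NAME_PARTS."""
    m = _RUN_RE.fullmatch(data.strip())
    return bool(m) and built_from_parts(m.group(1))

def triage(run_values: dict, sysdir_listing: list) -> dict:
    """Report which of the page's indicators appear in a Run/RunOnce export and a system-dir listing."""
    return {
        "run_entries": sorted(n for n, d in run_values.items() if suspicious_run_value(d)),
        "dropped_files": sorted(f for f in sysdir_listing if f.lower() in DROPPED_FILES),
    }

# Constructed sample data (not from a real host): one worm-style entry beside benign ones.
SAMPLE_RUN = {
    "cryptsys32": r"%winsysdir%\cryptsys32.exe %1",            # crypt + sys + 32
    "winlogon": r"C:\WINDOWS\system32\winlogon.exe",           # "on" is not a listed part
    "NvCplDaemon": r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
}
SAMPLE_SYSDIR = ["kernel32.dll", "syst32win.dll", "notepad.exe", "winsys32xx.zzp"]

if __name__ == "__main__":
    print(triage(SAMPLE_RUN, SAMPLE_SYSDIR))
```

Because single listed parts such as "explorer" or "smss32" are valid segmentations on their own, a flagged Run entry is a triage hint to verify against the referenced file, not a verdict.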

