Sober.X Worm Description

Sober.X is a mass-mailing email worm that sends itself in either English or German depending on the recipient's domain. In addition to mass-mailing, Sober.X terminates processes related to various antivirus and security programs. Sober.X was first discovered on November 20, 2005.

The Sober.X worm has several aliases, including CME-681, WORM_SOBER.AG, W32/Sober-X, Win32.Sober.W, Sober.Y, and W32/Sober@MM!M681.

System Impact
Sober.X drops the following files to the specified folders:

    C:\Windows\WinSecurity\csrss.exe
    C:\Windows\WinSecurity\services.exe
    C:\Windows\WinSecurity\smss.exe
    C:\Windows\WinSecurity\socket1.ifo
    C:\Windows\WinSecurity\socket2.ifo
    C:\Windows\WinSecurity\socket3.ifo
    C:\Windows\WinSecurity\mssock1.dli
    C:\Windows\WinSecurity\mssock2.dli
    C:\Windows\WinSecurity\mssock3.dli

    C:\Windows\System32\bbvmwxxf.hml
    C:\Windows\System32\filesms.fms
    C:\Windows\System32\langeinf.lin
    C:\Windows\System32\nonrunso.ber
    C:\Windows\System32\rubezahl.rub
    C:\Windows\System32\runstop.rst

Sober.X modifies the System Registry in order to load a copy of itself when Windows is started:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
_Windows = "%Windows%\WinSecurity\services.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows = "%Windows%\WinSecurity\services.exe"

Sober.X acts as a resuscitator, constantly checking for the presence of these keys and rewriting them if they are deleted. This can make manual removal of the worm difficult. Booting into Safe Mode stops this from occurring.

Email Characteristics
The email composed by the Sober.X worm uses scare tactics to trick recipients into opening the infected attachment. One of the more common emails sent claims to be from the CIA, and the body of that email reads:

we have logged your IP-address on more than 30 illegal WEbsites.
Important:
Please answer our questions!
The list of questions are attached.

Yours faithfully,
Steven Allison

++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505

++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time

The phone number is actually authentic and it does ring up the public affairs office. A recording is now in place that alerts callers to the fictitious nature of the email and reassures them that the CIA is not recording their website visits.

Other Sober.X generated emails claim to be registration confirmations, mail delivery error messages or photos of Nicole Richie and Paris Hilton.

Removal Tips
Up-to-date antivirus software can detect and remove Sober.X. Manual removal can be accomplished by booting into Safe Mode, deleting the dropped files, and reversing the Registry changes made.
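As an added example (not part of the original article), the following PowerShell script audits a host for the dropped files, worm processes and Run-key values listed under System Impact and, when run with -Remove, deletes them. It assumes %Windows% is $env:SystemRoot and that it is run as Administrator, ideally from Safe Mode so the worm's key-rewriting loop is not active.

```powershell
# Added example (not from the original article): audit a host for the
# Sober.X artifacts named in the description and optionally remove them.
# Assumes %Windows% is $env:SystemRoot and that it runs as Administrator,
# ideally from Safe Mode so the worm's key-rewriting loop is not active.
param([switch]$Remove)

$winSec = Join-Path $env:SystemRoot 'WinSecurity'
$sys32  = Join-Path $env:SystemRoot 'System32'

# Dropped files, grouped by the folder the description gives for each
$files = @()
foreach ($n in 'csrss.exe','services.exe','smss.exe','socket1.ifo','socket2.ifo',
              'socket3.ifo','mssock1.dli','mssock2.dli','mssock3.dli') {
    $files += Join-Path $winSec $n
}
foreach ($n in 'bbvmwxxf.hml','filesms.fms','langeinf.lin',
              'nonrunso.ber','rubezahl.rub','runstop.rst') {
    $files += Join-Path $sys32 $n
}

# Run-key values the worm writes; note the value name differs per hive
$runValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = '_Windows' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Windows' }
)
$found = 0
# The worm reuses the names of real system processes (csrss, services, smss);
# only processes whose image lives under WinSecurity belong to the worm.
foreach ($p in Get-Process | Where-Object { $_.Path -like "$winSec\*" }) {
    $found++
    Write-Output "PROCESS $($p.Id) $($p.Path)"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $found++
        Write-Output "FILE    $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}
foreach ($rv in $runValues) {
    $prop = Get-ItemProperty -Path $rv.Key -Name $rv.Name -ErrorAction SilentlyContinue
    if ($prop -and $prop.($rv.Name) -like '*WinSecurity\services.exe*') {
        $found++
        Write-Output "REGKEY  $($rv.Key)\$($rv.Name) = $($prop.($rv.Name))"
        if ($Remove) { Remove-ItemProperty -Path $rv.Key -Name $rv.Name }
    }
}
if ($found -eq 0) { Write-Output 'No Sober.X artifacts found.' }
elseif (-not $Remove) { Write-Output "$found artifact(s) found; re-run with -Remove to clean." }
```

Run it once without -Remove to review the findings, then again with -Remove from Safe Mode; a second dry run afterwards confirms the Run-key values have not been rewritten.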

©2014 About.com. All rights reserved.