Sober.X is a mass-mailing email worm that sends itself in either English or German depending on the recipient's domain. In addition to mass-mailing, Sober.X terminates processes related to various antivirus and security programs. Sober.X was first discovered on November 20, 2005.
The Sober.X worm has several aliases, including: CME-681, WORM_SOBER.AG, W32/Sober-X, Win32.Sober.W, Sober.Y, and W32/Sober@MM!M681.
Sober.X drops the following files to the specified folders:
Sober.X modifies the System Registry in order to load a copy of itself when Windows is started:
_Windows = "%Windows%\WinSecurity\services.exe"
Windows = "%Windows%\WinSecurity\services.exe"
Sober.X acts as a resuscitator, constantly checking for the presence of these keys and rewriting them if they are deleted. This can make manual removal of the worm difficult. Booting into Safe Mode stops this from occurring, because the worm is not started and therefore cannot rewrite the keys.
The email composed by the Sober.X worm uses scare tactics to trick recipients into opening the infected attachment. One of the more common emails sent claims to be from the CIA, and the body of that email reads:
we have logged your IP-address on more than 30 illegal WEbsites. Important: Please answer our questions! The list of questions are attached. Yours faithfully, Steven Allison ++++ Central Intelligence Agency -CIA- ++++ Office of Public Affairs ++++ Washington, D.C. 20505 ++++ phone: (703) 482-0623 ++++ 7:00 a.m. to 5:00 p.m., US Eastern time
The phone number is actually authentic and it does ring up the public affairs office. A recording is now in place that alerts callers to the fictitious nature of the email and reassures them that the CIA is not recording their website visits.
Other Sober.X-generated emails claim to be registration confirmations, mail delivery error messages, or photos of Nicole Richie and Paris Hilton.
Up-to-date antivirus software can detect and remove Sober.X. Manual removal can be accomplished by booting into Safe Mode, deleting the dropped files, and reversing the Registry changes made.
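The following PowerShell script is an added example, not part of this write-up or of any vendor tool, that audits a machine for the persistence values and dropped file described above and, with -Remove, reverses them. The write-up does not name the registry key that holds the Windows and _Windows values, so the script assumes the standard Run keys under HKLM and HKCU.

```powershell
# Added example: audit (and optionally remove) the Sober.X persistence artifacts
# listed in the write-up. The Run key locations are an assumption; the value
# names and the WinSecurity\services.exe path are taken from the write-up.
param([switch]$Remove)

$dropped    = Join-Path $env:windir 'WinSecurity\services.exe'
$runKeys    = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$valueNames = @('Windows', '_Windows')
$findings   = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $valueNames) {
        $data = $props.$name
        # Match on the payload path as well as the value name so a legitimate
        # value that merely happens to be called "Windows" is not flagged.
        if ($data -and $data -match 'WinSecurity\\services\.exe') {
            $findings += [pscustomobject]@{ Key = $key; Name = $name; Data = $data }
            if ($Remove) {
                Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            }
        }
    }
}

# The dropped copy of the worm that the Run values point to.
if (Test-Path $dropped) {
    $findings += [pscustomobject]@{ Key = 'File'; Name = 'dropped'; Data = $dropped }
    if ($Remove) { Remove-Item -Path $dropped -Force -ErrorAction SilentlyContinue }
}

if ($findings.Count -eq 0) { 'No Sober.X persistence artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Run it first without -Remove to see what is present; run it with -Remove only after booting into Safe Mode, since a running copy of the worm rewrites the values as soon as they are deleted.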