Sober.I worm

By Mary Landesman, About.com

Name: Sober.I worm
Also known as: W32.Sober.I@mm, WORM_SOBER.I (Trend), W32/Sober.j@MM (McAfee), Sober.H@mm (Norman), Trojan.Win32.VB.qa (AVP)
Type: Mass-mailing email worm that attempts to download and execute a remote file.
Discovered: November 19, 2004
Email characteristics: Sober.I is a mass-mailing email worm that sends itself in both German and English, depending on the infected user's operating system language. Sober.I uses its own SMTP engine to send itself to email addresses found on infected systems, spoofing the From address. Sober.I does not employ any exploits - the recipient must open the attachment in order to become infected.
System impact: Sober.I drops two copies of itself to the Windows System directory, composing filenames using the following strings:

sys | host | dir | explorer | win | run | log | 32 | disc | crypt | data | diag | spool | service | smss32 | x

Sober.I modifies the following registry keys, pointing to the aforementioned files in order to load when Windows is started:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Sober.I attempts to download a file and execute it.
Manual removal: Use updated antivirus software to detect and remove this threat.
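
An added detection sketch, not from the original article: it scans `reg query` output from the two Run keys above for values that point at a System-directory file whose name is built from two or more of the listed strings. The `.exe` extension, plain concatenation of the strings, and the value names are assumptions; the sample output is constructed.

```python
import re
from functools import lru_cache

# Strings the article lists as filename building blocks.
TOKENS = "sys host dir explorer win run log 32 disc crypt data diag spool service smss32 x".split()
# Assumption: the copies sit directly in the System directory and end in .exe.
SYSTEM_DIR = re.compile(
    r"^(?:[a-z]:\\(?:windows|winnt)|%(?:systemroot|windir)%)\\system(?:32)?\\[^\\]+$", re.I)
# One value line of `reg query` output: name, type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+)$")
EXE_PATH = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.I)

@lru_cache(maxsize=None)
def token_count(stem):
    """Fewest listed strings that concatenate exactly to stem, or 0 if none do."""
    best = 0
    for tok in TOKENS:
        if stem == tok:
            return 1
        if stem.startswith(tok):
            rest = token_count(stem[len(tok):])
            if rest and (not best or rest + 1 < best):
                best = rest + 1
    return best

def suspicious_run_values(reg_query_text):
    """Return (value name, path) for System-directory targets built from 2+ listed strings."""
    hits = []
    for line in reg_query_text.splitlines():
        value = VALUE_LINE.match(line)
        target = value and EXE_PATH.match(value["data"].strip())
        if not target:
            continue
        path = target["path"]
        stem = path.rsplit("\\", 1)[-1][:-4].lower()
        if SYSTEM_DIR.match(path) and token_count(stem) >= 2:
            hits.append((value["name"], path))
    return hits

# Constructed sample of `reg query` output; value names and paths are illustrative.
SAMPLE = r"""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    diagdata    REG_SZ    C:\WINDOWS\system32\diagdatacrypt.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\sysrun.exe" /background
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    spool    REG_EXPAND_SZ    %SystemRoot%\system32\spoolservice32.exe
    winlogon    REG_SZ    C:\WINDOWS\system32\winlogon.exe
"""
print(suspicious_run_values(SAMPLE))
```

A match is a lead for triage, not a verdict: confirm any flagged file with updated antivirus software.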

©2009 About.com, a part of The New York Times Company.

All rights reserved.