Sober.I worm

Sober.I wormW32.Sober.I@mm WORM_SOBER.I (Trend) W32/Sober.j@MM (McAfee) Sober.H@mm (Norman) Trojan.Win32.VB.qa (AVP)Mass-mailing email worm that attempts to download and execute a remote file.November 19, 2004Sober.I is a mass-mailing email worm that sends itself in both German and English, depending on the infected users' operating system language. Sober.I uses is own SMTP engine to send itself to email address found on infected systems, spoofing the From address. Sober.I does not employ any exploits - the recipient must open the attachment in order to become infected.Sober.I drops two copies of itself to the Windows System directory composing filenames using the following strings:

sys | host | dir | explorer | win | run | log | 32 | disc | crypt | data | diag | spool | service | smss32 | x Sober.I modifies the following registry keys, pointing to the aforementioned files in order to load when Windows is started:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunSober.I attempts to download a file and execute it.

Use updated antivirus software to detect and remove this threat.
Symantec description
Sophos description
Trend Micro description
McAfee description