Sober (computer worm)

The Sober worm is a family of computer worms that was discovered on October 24, 2003. Like many worms, Sober sends itself as an e-mail attachment.

The Sober worms must be unpacked and run by the user. Upon execution, Sober copies itself to one of several files in the Windows directory, depending on the variant. It then adds appropriate keys to the Windows registry, along with a few empty files in the Windows directory. These empty files are used to deactivate previous Sober variants.

Sober is written in Visual Basic and only runs on the Microsoft Windows platform.

Known variants

* Sober.L
* Sober.T
* Sober.X

Aliases

* CME-681
* WORM_SOBER.AG
* W32/Sober-{X-Z}
* Win32.Sober.W
* Win32.Sober.O
* Sober.Y (not a variant, but another name for Sober.X, often used by F-Secure)
* S32/Sober@MMIM681
* W32/Sober.AA@mm

Affected platforms

* Microsoft Windows family
** Windows 95
** Windows 98
** Windows NT
** Windows Me
** Windows 2000
** Windows XP
** Windows Server 2003

Actions

Infection

The Sober worms must be unpacked and run by the user. Upon execution, Sober copies itself to one of the following files in the Windows directory:

* antiv.exe
* csrss.exe
* driver.exe
* driverini.exe
* drv.exe
* expoler.exe
* filexe.exe
* hlp16.exe
* lssas.exe
* qname.exe
* services.exe
* smss.exe
* spoole.exe
* swchost.exe
* syshost.exe
* systemchk.exe
* systemini.exe
* winchk.exe
* winlog32.exe
* winreg.exe

It then adds appropriate keys to the Windows registry to ensure activation on Windows startup, along with a few empty files in the Windows directory. These empty files are used to deactivate previous Sober variants.
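As an added defender-side example (not part of the article and not Sober's own code), the Python below checks a constructed Windows-directory listing against the drop names listed above. It goes one step beyond the exact list: several of the names (lssas.exe, expoler.exe, swchost.exe, spoole.exe) are near-misses of legitimate Windows process names, so the scanner also flags any file within two edits of a legitimate name. The table of legitimate names, the rule that some of them belong only under System32, and the sample listing are assumptions of this example.

```python
"""Flag Sober drop names and lookalikes of legitimate process names in a
Windows-directory listing. Added example; the sample listing is constructed."""

# Drop-file names taken from the article's infection list.
SOBER_DROP_NAMES = {
    "antiv.exe", "csrss.exe", "driver.exe", "driverini.exe", "drv.exe",
    "expoler.exe", "filexe.exe", "hlp16.exe", "lssas.exe", "qname.exe",
    "services.exe", "smss.exe", "spoole.exe", "swchost.exe", "syshost.exe",
    "systemchk.exe", "systemini.exe", "winchk.exe", "winlog32.exe", "winreg.exe",
}

# Assumption of this example: legitimate names used for lookalike matching.
# A tuple keeps iteration order deterministic.
LEGIT_PROCESS_NAMES = (
    "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
    "csrss.exe", "services.exe", "smss.exe", "winlogon.exe",
)

# Assumption: these legitimate binaries live under System32, so a copy sitting
# directly in the Windows directory is out of place even though the name is real.
SYSTEM32_ONLY = {"lsass.exe", "svchost.exe", "csrss.exe", "services.exe",
                 "smss.exe", "winlogon.exe"}

# Constructed sample listing: a few benign files plus drop names and one lookalike
# (lsasss.exe) that is not on the article's list.
SAMPLE_LISTING = ["explorer.exe", "notepad.exe", "regedit.exe", "win.ini",
                  "csrss.exe", "expoler.exe", "swchost.exe", "lsasss.exe"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(name: str) -> tuple[str, str]:
    """Return (verdict, reason) for one filename found in the Windows directory."""
    n = name.lower()
    if n in SOBER_DROP_NAMES:
        if n in SYSTEM32_ONLY:
            return ("suspicious",
                    "Sober drop name; the legitimate copy lives only under System32")
        return ("suspicious", "Sober drop name")
    for legit in LEGIT_PROCESS_NAMES:
        # Exact legitimate names are skipped; near-misses are reported.
        if n != legit and levenshtein(n, legit) <= 2:
            return ("lookalike", f"resembles {legit}")
    return ("clean", "")


def scan(listing: list[str]) -> list[tuple[str, str, str]]:
    """Return (name, verdict, reason) for every non-clean file, in listing order."""
    findings = []
    for name in listing:
        verdict, reason = classify(name)
        if verdict != "clean":
            findings.append((name, verdict, reason))
    return findings


if __name__ == "__main__":
    for name, verdict, reason in scan(SAMPLE_LISTING):
        print(f"{verdict:10} {name:16} {reason}")
```

The two-edit threshold is deliberately tight: on a real Windows directory a looser threshold would start matching legitimate files, so tune it against a known-clean listing before relying on it.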

Spread

Sober can e-mail itself to all addresses in a user's e-mail address book. It spreads via e-mail using its own SMTP engine.

Deactivation of security software

Sober can deactivate several popular antivirus software packages, as well as Microsoft AntiSpyware and HijackThis.

Outbreaks

# October 24, 2003 – First discovery
# March 3, 2005 – Sober.L
# November 14, 2005 – Sober.T
# November 15, 2005 – Sober.X

21 November 2005 outbreak

E-mails containing the Sober.X worm were sent around the Internet disguised as an e-mail from either the Federal Bureau of Investigation or the Central Intelligence Agency, both organizations of the United States government. The e-mail claimed that the recipient had been caught visiting illegal websites, and asked the user to open an attachment to answer some questions. Once the infected attachment was opened, a variety of system-damaging events occurred: anti-virus and other security measures were disabled, as was the ability to access websites for assistance; furthermore, contacts in the user's address book were sent an identical e-mail. It is also suspected that Sober.X functions as spyware by stealing personal information about the infected user.

MessageLabs, a computer security company, caught at least three million copies within 24 hours after the breakout, and McAfee, another system security research firm, reported over 70,000 cases of the virus on consumer computers.

A similar e-mail circulated in Germany. Claiming to be sent by the Bundeskriminalamt, the e-mail told its readers that they were caught downloading pirated software. Sober.X was included in an attachment.

Political motivations

In May 2005, the variant Sober.Q appeared. Whereas previous variants appeared to be motivated by commercial gain or by malicious intent, this was the first to seem politically motivated.

Other variants (such as Sober.B) also sent e-mails whose subject headers indicated political intent, but these seemed to be designed to arouse the victim's interest so that he or she would open the e-mail's attachment. Sober.Q does not send e-mails with attachments; instead it sends links to web sites that carry no viruses.

Sober.Q spread across computers to send messages of support for far-right groups in Germany ahead of the local elections in the state of North Rhine-Westphalia. Most appeared to be in support of, or directly from, the German political party NPD (Nationalist Party of Germany), with links to their website as well as other forum entries. It is, however, unknown whether this virus originated from the NPD themselves, supporters of the party, a hacker group trying to place the blame on the party, or a group attempting to discredit the party.

Similar to the above incident, the Sober virus was used again in 2005 by an unidentified German group to send out a widespread distribution of links to various political articles and commentaries. ([http://www.msnbc.msn.com/id/7874164/ German political spam spread by virus], by Bob Sullivan, msnbc, 5/16/05.)

References

External links

* [http://www.f-secure.com/v-descs/sober_x.shtml Sober.X information page] at F-Secure
* [http://www.f-secure.com/v-descs/sober_t.shtml Sober.T information page] at F-Secure
* [http://www.sarc.com/avcenter/venc/data/w32.sober.x@mm.html Sober.X information page] at Symantec
* [http://www.symantec.com/avcenter/venc/data/w32.sober.l@mm.html Sober.L information page] at Symantec
* "." Wikinews, November 26, 2005.
* [http://securityresponse.symantec.com/avcenter/venc/data/w32.sober@mm.html Symantec description of Sober series]
* [http://news.bbc.co.uk/1/hi/technology/4552197.stm BBC news article]


Wikimedia Foundation. 2010.