- Sober (computer worm)
The Sober worm is a family of
computer worm s that was discovered onOctober 24 ,2003 . Like many worms, Sober sends itself as ane-mail attachment .The Sober worms must be unpacked and run by the user. Upon execution, Sober copies itself to one of several files in the Windows directory, depending on the variant. It then adds appropriate keys to the
Windows registry , along with a few empty files in the Windows directory. These empty files are used to deactivate previous Sober variants.Sober is written in
Visual Basic and only runs on theMicrosoft Windows platform.Known variants
* Sober.L
* Sober.T
* Sober.XAliases
* CME-681
* WORM_SOBER.AG
* W32/Sober-{X-Z}
* Win32.Sober.W
* Win32.Sober.O
* Sober.Y (not a variant, but another name for Sober.X, often used byF-Secure )
* S32/Sober@MMIM681
* W32/Sober.AA@mmAffected platforms
*
Microsoft Windows family
**Windows 95
**Windows 98
**Windows NT
**Windows Me
**Windows 2000
**Windows XP
**Windows Server 2003 Actions
Infection
The Sober worms must be unpacked and run by the user. Upon execution, Sober copies itself to one of the following files in the Windows directory: -
*antiv.exe
*csrss.exe
*driver.exe
*driverini.exe
*drv.exe
*expoler.exe
*filexe.exe
*hlp16.exe
*lssas.exe
*qname.exe
*services.exe
*smss.exe
*spoole.exe
*swchost.exe
*syshost.exe
*systemchk.exe
*systemini.exe
*winchk.exe
*winlog32.exe
*winreg.exeIt then adds appropriate keys to theWindows registry to ensure activation on Windows startup, along with a few empty files in the Windows directory. These empty files are used to deactivate previous Sober variants.Spread
Sober can e-mail itself to all addresses in a user's e-mail address book. It spreads via e-mail using its own
SMTP engine.Deactivation of security software
Sober can deactivate several popular
antivirus software packages, as well as Microsoft AntiSpyware andHijackThis .Outbreaks
#
October 24 ,2003 – First discovery
#March 3 ,2005 – Sober.L
#November 14 ,2005 – Sober.T
#November 15 ,2005 – Sober.X21 November 2005 outbreak
E-mails containing the Sober X worm were sent around the Internet disguised as an e-mail from either the
Federal Bureau of Investigation or theCentral Intelligence Agency , both organizations of theUnited States government. The e-mail claimed that the recipient had been caught visiting illegal websites, and asked the user to open an attachment to answer some questions. Once the infected attachment was opened a variety of system-damaging events occurred: anti-virus and other security measures were disabled, as well as the ability to access websites for assistance; furthermore, contacts in the user's address book were sent an identical e-mail. It is also suspected that Sober.X functions asspyware by stealing personal information about the infected user.MessageLabs , a computer security company, caught at least three million copies within 24 hours after the breakout, andMcAfee , another system security research firm, reported over 70,000 cases of the virus on consumer computers.A similar e-mail circulated in Germany. Claiming to be sent by the
Bundeskriminalamt , the e-mail told its readers that they were caught downloading pirated software. Sober.X was included in an attachment.Political motivations
In May 2005, the variant Sober.Q appeared. Whereas previous variants appeared to be motivated by commercial gain or by malicious intent, this was the first to seem politically motivated.
It should be noted that other variants (such as Sober.B) sent e-mails with subject headers also indicated political intent, but these seemed to be designed to arouse the victim's interest, so that he or she would open the e-mail's attachment. Sober.Q does not send e-mails with attachments, instead preferring links to web sites with no viruses.
Sober.Q spread on computers to send messages of support for
far-right groups inGermany pending the local elections in the state ofNorth Rhine-Westphalia . Most appeared to be in support of, or directly from the German political party NPD (Nationalist Party of Germany) with links to their website, as well as other forum entries. It is, however, unknown whether this virus originated from the NPD themselves, supporters of the party, a hacker group trying to place the blame on the party or a group attempting to discredit the party.Similar to the above incident, the Sober virus was used again in 2005 by an unidentified German group to send out a widespread distribution of links to various political articles and commentaries. [ [http://www.msnbc.msn.com/id/7874164/ German political spam spread by virus] , By Bob Sullivan, msnbc, 5/16/05. ]
References
External links
* [http://www.f-secure.com/v-descs/sober_x.shtml Sober.X information page] at F-Secure
* [http://www.f-secure.com/v-descs/sober_t.shtml Sober.T information page] at F-Secure
* [http://www.sarc.com/avcenter/venc/data/w32.sober.x@mm.html Sober.X information page] at Symantec
* [http://www.symantec.com/avcenter/venc/data/w32.sober.l@mm.html Sober.L information page] at Symantec
* "." Wikinews,November 26 ,2005 .
* [http://securityresponse.symantec.com/avcenter/venc/data/w32.sober@mm.html Symantec description of Sober series]
* [http://news.bbc.co.uk/1/hi/technology/4552197.stm BBC news article]
Wikimedia Foundation. 2010.