Sober (computer worm)

The Sober worm is a family of computer worms that was discovered on October 24, 2003. Like many worms, Sober sends itself as an e-mail attachment, fake webpages, fake pop-up ads, and fake advertisements.

The Sober worms must be unpacked and run by the user. Upon execution, Sober copies itself to one of several files in the Windows directory, depending on the variant. It then adds appropriate keys to the Windows registry, along with a few empty files in the Windows directory. These empty files are used to deactivate previous Sober variants.

Sober is written in Visual Basic and only runs on the Microsoft Windows platform.

Known variants

 * Sober.L
 * Sober.T
 * Sober.X
 * Sober.Y
 * Sober.Z

Aliases

 * CME-681
 * WORM_SOBER.AG
 * W32/Sober- {X-Z}
 * Win32.Sober.W
 * Win32.Sober.O
 * Sober.Y (not a variant, but another name for Sober.X, often used by F-Secure)
 * S32/Sober@MMIM681
 * W32/Sober.AA@mm

Affected platforms

 * Microsoft Windows family
 * Windows 95
 * Windows 98
 * Windows NT
 * Windows Me
 * Windows 2000
 * Windows XP
 * Windows Server 2003

Infection
The Sober worms must be unpacked and run by the user. Upon execution, Sober copies itself to one of the following files in the Windows directory: - It then adds appropriate keys to the Windows registry to ensure activation on Windows startup, along with a few empty files in the Windows directory. These empty files are used to deactivate previous Sober variants.
 * antiv.exe
 * csrss.exe
 * driver.exe
 * driverini.exe
 * drv.exe
 * explorer.exe
 * filexe.exe
 * hlp16.exe
 * lssas.exe
 * qname.exe
 * services.exe
 * smss.exe
 * spoole.exe
 * swchost.exe
 * syshost.exe
 * systemchk.exe
 * systemini.exe
 * winchk.exe
 * winlog32.exe
 * winreg.exe

Spread
Sober can e-mail itself to all addresses in a user's e-mail address book. It spreads via e-mail using its own SMTP engine.

Deactivation of security software
Sober can deactivate several popular antivirus software packages, as well as Microsoft AntiSpyware and HijackThis.

Outbreaks

 * 1) October 24, 2003 – First discovery
 * 2) March 3, 2005 – Sober.L
 * 3) November 14, 2005 – Sober.T
 * 4) November 15, 2005 – Sober.X

21 November 2005 outbreak
E-mails containing the Sober X worm were sent around the Internet disguised as an e-mail from either the Federal Bureau of Investigation or the Central Intelligence Agency, both organizations of the United States government. The e-mail claimed that the recipient had been caught visiting illegal websites, and asked the user to open an attachment to answer some questions. Once the infected attachment was opened a variety of system-damaging events occurred: anti-virus and other security measures were disabled, as well as the ability to access websites for assistance; furthermore, contacts in the user's address book were sent an identical e-mail. It is also suspected that Sober.X functions as spyware by stealing personal information about the infected user.

MessageLabs, a computer security company, caught at least three million copies within 24 hours after the breakout, and McAfee, another system security research firm, reported over 70,000 cases of the virus on consumer computers.

A similar e-mail circulated in Germany. Claiming to be sent by the Bundeskriminalamt, the e-mail told its readers that they were caught downloading "pirated" software. Sober.X was included in an attachment.

Political motivations
In May 2005, the variant Sober.Q appeared. Whereas previous variants appeared to be motivated by commercial gain or by malicious intent, this was the first to seem politically motivated.

Other variants (such as Sober.B) sent e-mails with subject headers also indicated political intent, but these seemed to be designed to arouse the victim's interest, so that he or she would open the e-mail's attachment. Sober.Q does not send e-mails with attachments, instead preferring links to web sites with no viruses.

Sober.Q spread on computers to send messages of support for far-right groups in Germany pending the local elections in the state of North Rhine-Westphalia. Most appeared to be in support of, or directly from the German political party NPD (Nationalist Party of Germany) with links to their website, as well as other forum entries. It is, however, unknown whether this virus originated from the NPD themselves, supporters of the party, a hacker group trying to place the blame on the party or a group attempting to discredit the party.

Similar to the above incident, the Sober virus was used again in 2005 by an unidentified German group to send out a widespread distribution of links to various political articles and commentaries. The effort seemed to be linked to German elections around the same time period.