Sober (computer worm)
From Wikipedia, the free encyclopedia
The Sober worm is a family of computer worms that was discovered on October 24, 2003. Like many worms, Sober sends itself as an e-mail attachment.
The Sober worms must be unpacked and run by the user. Upon execution, Sober copies itself to one of several files in the Windows directory, depending on the variant. It then adds appropriate keys to the Windows registry, along with a few empty files in the Windows directory. These empty files are used to deactivate previous Sober variants.
Sober is written in Visual Basic and only runs on the Microsoft Windows platform.
Contents |
[edit] Known variants
- Sober.L
- Sober.T
- Sober.X
[edit] Aliases
- CME-681
- WORM_SOBER.AG
- W32/Sober-{X-Z}
- Win32.Sober.W
- Sober.Y (not a variant, but another name for Sober.X, often used by F-Secure)
- S32/Sober@MMIM681
- W32/Sober.AA@mm
[edit] Affected platforms
- Microsoft Windows family
[edit] Actions
[edit] Infection
The Sober worms must be unpacked and run by the user. Upon execution, Sober copies itself to one of the following files in the Windows directory: -
- antiv.exe
- csrss.exe
- driver.exe
- driverini.exe
- drv.exe
- expoler.exe
- filexe.exe
- hlp16.exe
- lssas.exe
- qname.exe
- services.exe
- smss.exe
- spoole.exe
- swchost.exe
- syshost.exe
- systemchk.exe
- systemini.exe
- winchk.exe
- winlog32.exe
- winreg.exe
It then adds appropriate keys to the Windows registry to ensure activation on Windows startup, along with a few empty files in the Windows directory. These empty files are used to deactivate previous Sober variants.
[edit] Spread
Sober can e-mail itself to all addresses in a user's e-mail address book. It spreads via e-mail using its own SMTP engine.
[edit] Deactivation of security software
Sober can deactivate several popular antivirus software packages, as well as Microsoft AntiSpyware and HijackThis.
[edit] Outbreaks
- October 24, 2003 – First discovery
- March 3, 2005 – Sober.L
- November 14, 2005 – Sober.T
- November 15, 2005 – Sober.X
[edit] 21 November 2005 outbreak
E-mails containing the Sober X worm were sent around the Internet disguised as an e-mail from either the Federal Bureau of Investigation or the Central Intelligence Agency, both organizations of the United States government. The e-mail claimed that the recipient had been caught visiting illegal websites, and asked the user to open an attachment to answer some questions. Once the infected attachment was opened a variety of system-damaging events occurred: anti-virus and other security measures were disabled, as well as the ability to access websites for assistance; furthermore, contacts in the user's address book were sent an identical e-mail. It is also suspected that Sober.X functions as spyware by stealing personal information about the infected user.
MessageLabs, a computer security company, caught at least three million copies within 24 hours after the breakout, and McAfee, another system security research firm, reported over 70,000 cases of the virus on consumer computers.
A similar e-mail circulated in Germany. Claiming to be sent by the Bundeskriminalamt, the e-mail told its readers that they were caught downloading pirated software. Sober.X was included in an attachment.
[edit] Political motivations
In May 2005, the variant Sober.Q appeared. Whereas previous variants appeared to be motivated by commercial gain or by malicious intent, this was the first to seem politically motivated.
It should be noted that other variants (such as Sober.B) sent e-mails with subject headers also indicated political intent, but these seemed to be designed to arouse the victim's interest, so that he or she would open the e-mail's attachment. Sober.Q does not send e-mails with attachments, instead preferring links to web sites with no viruses.
Sober.Q spread on computers to send messages of support for far-right groups in Germany pending the local elections in the state of North-Rhine Westphalia. Most appeared to be in support of, or directly from the German political party NPD (Nationalist Party of Germany) with links to their website, as well as other forum entries. It is, however, unknown whether this virus originated from the NPD themselves, supporters of the party, a hacker group trying to place the blame on the party or a group attempting to discredit the party.
[edit] External links
- Sober.X information page at F-Secure
- Sober.T information page at F-Secure
- Sober.X information page at Symantec
- Sober.L information page at Symantec
- "Internet virus circulates disguised as e-mail from US government." Wikinews, November 26, 2005.
- Symantec description of Sober series
- BBC news article