Sober Sings the Praises of Sobig

Kaspersky Labs, a leading expert in data security software development, warns about the start of a virus epidemic from the Sober Internet worm. Sober was first detected this past Saturday, but is now observed surging in activity in connection with the beginning of the workweek.

Sober is a classic Internet worm that spreads via e-mail. Infected e-mail messages can have various body texts in English and in German; additionally the infected file attachment can have one of several file extensions (PIF, BAT, SCR, COM, EXE). All of this makes it significantly more difficult to identify from outside appearances.

Example of a message infected with the Sober:

Subject:
New Sobig-Worm variation (please read)

Message body text:
New Sobig variation in the net.
You must change any settings before the worm control your computer!
But, read the official statement from Norton Anti Virus!

Attachment name:
NAV.pif

If the infected attachment is mistakenly opened the Sober worm is activated and proceeds to display a false error message:

File not complete!

Using different file names, Sober creates three copies of itself in the Windows system directory, and registers these copies in the system registry's auto-run key. Next, the worm launches its spreading routine in which Sober first searches victim computers for files that may contain e-mail addresses (such as HTML, WAB, EML, PST, etc. file types), and then clandestinely, under the guise of the computer owner, sends itself out to the e-mail addresses found.

The worm's body contains text strings in which its author expresses his admiration for the creator of another network worm, Sobig.

The defense against Sober has already been added to the Kaspersky Anti-Virus database. More detailed information about this malicious program can be found in the Kaspersky Virus Encyclopedia.