New Sober on the loose in Europe

19 Nov 2004
Virus News

Kaspersky Lab, a leading secure content management software developer, has detected Sober.i, a new version of a dangerous Internet worm. Sober.i is a classic email worm except for its inbuilt ability to download other files from remote servers. The Kaspersky Virus Lab is receiving numerous notifications about the worm from Western Europe.

In most respects, Sober.i behaves like a typical email worm. Sober.i is activated only if the recipient opens the infected attachment. Once launched, Sober displays a fake error message to the user: "WinZip Self-Extractor. WinZip_Data_Module is missing ~Error." The worm creates two files in the Windows directory with random names based on a list in the code. These files harvest email addresses from the infected machine and send infected messages to these addresses.

Sober.i registers these files in the system registry auto-run key and creates some additional files in the Windows directory. In order to spread further, the worm scans the local machine for email addresses and mails copies of itself to all of the addresses it finds via a direct connection to an SMTP server.

The infected emails have random subjects and body texts in English or German chosen from about a dozen variations. The attachment containing the worm can have a .pif, .zip or .bat extension.
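Because the subjects and body texts vary, the attachment extension is the stable trait a mail gateway can act on. The following is an added example, not Kaspersky's code: a Python check that flags the three extensions named above. Looking inside .zip attachments for .pif or .bat members is an assumption of the example, and the sample message is constructed from harmless placeholder bytes.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

DIRECT_RISK = {".pif", ".bat"}  # extensions the article names that run when opened
ARCHIVE = {".zip"}              # the third named extension; members are inspected

def _ext(name):
    """Lower-cased final extension, ignoring trailing dots and spaces."""
    name = name.rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""

def risky_attachments(raw_message):
    """Return (attachment name, reason) pairs for parts a gateway should hold."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in DIRECT_RISK:
            findings.append((name, "extension " + ext))
        elif ext in ARCHIVE:
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    members = zf.namelist()
            except zipfile.BadZipFile:  # hold archives that cannot be inspected
                findings.append((name, "unreadable archive"))
                continue
            findings += [(name, "contains " + m) for m in members
                         if _ext(m) in DIRECT_RISK]
    return findings

def build_sample():
    """Constructed message: harmless placeholder bytes under Sober.i-style names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.BAT", "placeholder")
        zf.writestr("notes.txt", "placeholder")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    for fname, data in [("photo.PIF", b"placeholder"), ("data.zip", buf.getvalue()),
                        ("broken.zip", b"not a zip"), ("report.txt", b"placeholder")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()
```

Extension matching is case-insensitive, and a .zip that cannot be opened is held rather than passed through uninspected.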

Kaspersky® Anti-Virus databases have been updated with protection against Sober.i and a detailed description is available in the Kaspersky Virus Encyclopedia.