Sober (worm)

The Sober worm is a family of computer worms that was discovered on October 24, 2003. Like many worms, Sober spreads as an e-mail attachment and through fake webpages, fake pop-up ads, and fake advertisements. The Sober worms must be unpacked and run by the user. Upon execution, Sober copies itself to one of several files in the Windows directory, depending on the variant. It then adds appropriate keys to the Windows registry, along with a few empty files in the Windows directory. These empty files are used to deactivate previous Sober variants. Sober is written in Visual Basic and only runs on the Microsoft Windows platform.


Known variants

* Sober.L
* Sober.T
* Sober.X
* Sober.Y
* Sober.Z


Aliases

* CME-681
* WORM_SOBER.AG
* W32/Sober-
* Win32.Sober.W
* Win32.Sober.O
* Sober.Y (not a variant, but another name for Sober.X, often used by F-Secure)
* S32/Sober@MMIM681
* W32/Sober.AA@mm


Affected platforms

* Microsoft Windows family
** Windows 95
** Windows 98
** Windows NT
** Windows Me
** Windows 2000
** Windows XP
** Windows Server 2003


Actions


Infection

The Sober worms must be unpacked and run by the user. Upon execution, Sober copies itself to one of the following files in the Windows directory:

* antiv.exe
* csrss.exe
* driver.exe
* driverini.exe
* drv.exe
* explorer.exe
* filexe.exe
* hlp16.exe
* lssas.exe
* qname.exe
* services.exe
* smss.exe
* spoole.exe
* swchost.exe
* syshost.exe
* systemchk.exe
* systemini.exe
* winchk.exe
* winlog32.exe
* winreg.exe

It then adds appropriate keys to the Windows registry to ensure activation on Windows startup, along with a few empty files in the Windows directory. These empty files are used to deactivate previous Sober variants.
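The persistence pattern above (dropper copies under the Windows directory plus a startup registry entry) can be triaged from a file listing and autorun values. The following is an added example, not code from the article or from any vendor; it assumes the startup entries live in a Run key (the article names no specific key) and uses a constructed sample listing. It also goes slightly beyond the article by noting that csrss.exe, services.exe and smss.exe legitimately live only in System32, so a copy in the Windows directory itself is out of place regardless of the Sober name match.

```python
"""Triage helper for the Sober persistence pattern described above."""
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Filenames the article lists as Sober copies placed in the Windows directory.
SOBER_NAMES = {
    "antiv.exe", "csrss.exe", "driver.exe", "driverini.exe", "drv.exe",
    "explorer.exe", "filexe.exe", "hlp16.exe", "lssas.exe", "qname.exe",
    "services.exe", "smss.exe", "spoole.exe", "swchost.exe", "syshost.exe",
    "systemchk.exe", "systemini.exe", "winchk.exe", "winlog32.exe", "winreg.exe",
}
# Core Windows process names that legitimately live only in System32.
# (lssas.exe and swchost.exe are look-alikes of lsass/svchost with no
# legitimate home at all, so they stay in the plain match below.)
SYSTEM32_ONLY = {"csrss.exe", "services.exe", "smss.exe"}

def classify_path(path: str, windir: str = r"C:\Windows") -> Optional[str]:
    """Return a finding for a file path, or None when it looks benign."""
    p = PureWindowsPath(path.strip('"'))
    name = p.name.lower()
    in_windir_root = str(p.parent).lower() == windir.lower()
    if not in_windir_root or name not in SOBER_NAMES:
        return None
    if name in SYSTEM32_ONLY:
        return "system-process name outside System32"
    if name == "explorer.exe":  # the legitimate shell binary lives here too
        return "Sober filename shared with legitimate explorer.exe; verify hash"
    return "matches Sober dropper filename"

def triage(paths: List[str], run_values: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Flag listed files and autorun values whose target is a flagged file."""
    files = [(p, f) for p in paths if (f := classify_path(p))]
    autoruns = [(k, f) for k, v in run_values.items() if (f := classify_path(v))]
    return {"files": files, "autoruns": autoruns}

# Constructed sample input: a directory listing and assumed Run-key values.
SAMPLE_PATHS = [
    r"C:\Windows\explorer.exe", r"C:\Windows\csrss.exe",
    r"C:\Windows\System32\csrss.exe", r"C:\Windows\winlog32.exe",
    r"C:\Windows\notepad.exe",
]
SAMPLE_RUN = {
    "WinCheck": r'"C:\Windows\winchk.exe"',
    "Updater": r"C:\Program Files\Vendor\update.exe",
}

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_PATHS, SAMPLE_RUN).items():
        for item, finding in hits:
            print(f"{kind}: {item} -> {finding}")
```

A name match alone is a lead, not a verdict: confirm any hit by hashing the file and comparing against a known-good copy.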


Spread

Sober can e-mail itself to all addresses in a user's e-mail address book. It spreads via e-mail using its own SMTP engine.


Deactivation of security software

Sober can deactivate several popular antivirus software packages, as well as Microsoft AntiSpyware and HijackThis.


Outbreaks

1. October 24, 2003 – First discovery
2. March 3, 2005 – Sober.L
3. November 14, 2005 – Sober.T
4. November 15, 2005 – Sober.X


21 November 2005 outbreak

E-mails containing the Sober.X worm were sent around the Internet disguised as an e-mail from either the Federal Bureau of Investigation or the Central Intelligence Agency, both organizations of the United States government. The e-mail claimed that the recipient had been caught visiting illegal websites, and asked the user to open an attachment to answer some questions. Once the infected attachment was opened, several damaging actions followed: anti-virus and other security software was disabled, access to websites offering assistance was blocked, and every contact in the user's address book was sent an identical e-mail. It is also suspected that Sober.X functions as spyware by stealing personal information about the infected user. MessageLabs, a computer security company, caught at least three million copies within 24 hours after the outbreak, and McAfee, another security research firm, reported over 70,000 cases of the virus on consumer computers. A similar e-mail circulated in Germany. Claiming to be sent by the Bundeskriminalamt, the e-mail told its readers that they had been caught downloading "pirated" software. Sober.X was included in an attachment.


Political motivations

In May 2005, the variant Sober.Q appeared. Whereas previous variants appeared to be motivated by commercial gain or by malicious intent, this was the first to seem politically motivated. Other variants (such as Sober.B) sent e-mails with subject headers that also indicated political intent, but these seemed to be designed to arouse the victim's interest, so that he or she would open the e-mail's attachment. Sober.Q does not send e-mails with attachments; instead its messages carry links to web sites that host no viruses. Sober.Q spread to computers and used them to send messages of support for far-right groups in Germany pending the local elections in the state of North Rhine-Westphalia. Most appeared to be in support of, or directly from, the German political party NPD (Nationalist Party of Germany), with links to their website as well as other forum entries. It is, however, unknown whether this virus originated from the NPD themselves, supporters of the party, a hacker group trying to place the blame on the party, or a group attempting to discredit the party. Similar to the above incident, the Sober virus was used again in 2005 by an unidentified German group to send out a widespread distribution of links to various political articles and commentaries. The effort seemed to be linked to German elections around the same time period (Alan Connor, "Spam with everything in Germany's election", opendemocracy.net, 23 May 2005).


External links

* "Internet virus circulates disguised as e-mail from US government." Wikinews, November 26, 2005.
* BBC news article