Aliases: I-Worm.Sober.a, W32/Sober.a@MM, Win32.HLLM.Odin, W32/Sober-A, Win32/Sober.A@mm,
Variants: WORM_SOBER.A, Worm/Sober, W32/Sober.A@mm, Win32:Sober, I-Worm/Sober.A,

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 24 Oct 2003
Damage: Low

Characteristics: The W32.Sober@mm program is a mass mailing worm that utilizes its SMTP engine to multiply itself. The subject of the email differs and it would either be in German or English.

More details about W32.Sober@mm

The W32.Sober@mm program was discovered on October 24, 2003. It is a mass mailing worm that utilizes its SMTP engine to spread itself to other users. Thus, the contaminated user wouldn’t find duplicates of the email in the “Sent Items” folder in their email account. The worm could send its email in either English or German language. The W32.Sober@mm worm attaches its message making use of a variety of possible message bodies, subject lines, and attachment names. Attachment names can be one of the following: Anti-Sob.bat, anti_virusdoc.pif, anti-trojan.exe, AntiTrojan.exe, Bild.scr, AntiVirusDoc.pif, Check-Patch.bat, CM-Recover.com, check-patch.bat, Funny.scr, Liebe.com, Hengst.pif, love.com, little-scr.scr, Mausi.scr, NackiDei.com, nacked.com, NAV.pif, perversion.scr, Odin_Worm.exe, Perversionen.scr, playme.exe, pic.scr, Removal-Tool.exe, potency.pif, Privat.exe, robot_mail.scr, removal-tool.exe, robot_mailer.pif, schnitzel.exe, RobotMailer.com, Screen_Doku.scr, screen_doc.scr, or security.pif

When the W32.Sober@mm opens, it may show this fake error message “ERROR! FILE NOT COMPLETE!” the worm duplicates itself as “%System%\Similare.exe”. W32.Sober@mm makes a few duplicates of itself to the directory of the “%System%” making use of variable file names, which maybe one of the following: antiv.exe, driver.exe, driverini.exe, drv.exe, expoler.exe, filexe.exe, hlp16.exe, lssas.exe, qname.exe, spoole.exe, swchost.exe, syshost.exe, systemchk.exe, systemini.exe, winchk.exe, winlog32.exe, and winreg.exe. Take note that the worm may add some trash data to the end of its duplicate.