[email protected]


Aliases: I-Worm.Sober.a, W32/[email protected], Win32.HLLM.Odin, W32/Sober-A, Win32/[email protected]
Variants: WORM_SOBER.A, Worm/Sober, W32/[email protected], Win32:Sober, I-Worm/Sober.A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 24 Oct 2003
Damage: Low

Characteristics: Sober is a mass-mailing worm that uses its own SMTP engine to spread itself. The subject of the email varies and is in either German or English.

More details about Sober

The Sober worm was discovered on October 24, 2003. It is a mass-mailing worm that uses its own SMTP engine to send itself to other users, so an infected user will not find copies of the messages in the “Sent Items” folder of their email account. The worm sends its email in either English or German, drawing on a variety of possible message bodies, subject lines, and attachment names. The attachment name can be one of the following: Anti-Sob.bat, anti_virusdoc.pif, anti-trojan.exe, AntiTrojan.exe, Bild.scr, AntiVirusDoc.pif, Check-Patch.bat, CM-Recover.com, check-patch.bat, Funny.scr, Liebe.com, Hengst.pif, love.com, little-scr.scr, Mausi.scr, NackiDei.com, nacked.com, NAV.pif, perversion.scr, Odin_Worm.exe, Perversionen.scr, playme.exe, pic.scr, Removal-Tool.exe, potency.pif, Privat.exe, robot_mail.scr, removal-tool.exe, robot_mailer.pif, schnitzel.exe, RobotMailer.com, Screen_Doku.scr, screen_doc.scr, or security.pif.

When the worm is run, it may show the fake error message “ERROR! FILE NOT COMPLETE!”. It copies itself as “%System%\Similare.exe” and also places a few more copies of itself in the “%System%” directory under variable file names, which may be one of the following: antiv.exe, driver.exe, driverini.exe, drv.exe, expoler.exe, filexe.exe, hlp16.exe, lssas.exe, qname.exe, spoole.exe, swchost.exe, syshost.exe, systemchk.exe, systemini.exe, winchk.exe, winlog32.exe, and winreg.exe. Note that the worm may append junk data to the end of its copy.
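
An added example (not part of the original entry): because the worm may append junk data to its copies, file hashes differ from copy to copy, so this sketch matches the drop names listed above case-insensitively and also flags near-misspellings of genuine Windows process names. The list of genuine names, the edit-distance threshold of 2 and the sample listing are assumptions constructed for illustration.

```python
import hashlib

# Copy names listed on this page (files the worm places in %System%).
SOBER_DROP_NAMES = {
    "similare.exe", "antiv.exe", "driver.exe", "driverini.exe", "drv.exe",
    "expoler.exe", "filexe.exe", "hlp16.exe", "lssas.exe", "qname.exe",
    "spoole.exe", "swchost.exe", "syshost.exe", "systemchk.exe",
    "systemini.exe", "winchk.exe", "winlog32.exe", "winreg.exe",
}
# Assumption (not from the page): genuine Windows binaries the names resemble.
LEGIT = ("lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe", "winlogon.exe")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(filename):
    """Return (verdict, imitated_name_or_None) for a file name seen in %System%."""
    name = filename.lower()
    if name in LEGIT:
        return ("ok", None)
    near = [legit for legit in LEGIT if edit_distance(name, legit) <= 2]
    if name in SOBER_DROP_NAMES:
        return ("listed", near[0] if near else None)
    if near:
        return ("lookalike", near[0])
    return ("ok", None)

def scan(filenames):
    """Map each suspicious name to its verdict; clean names are omitted."""
    results = {f: classify(f) for f in filenames}
    return {f: r for f, r in results.items() if r[0] != "ok"}

def digest(data):
    """SHA-256 of a file body, as a hash-based blocklist would compute it."""
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    # Constructed directory listing, not real telemetry.
    listing = ["lsass.exe", "LSSAS.EXE", "swchost.exe", "scvhost.exe", "notepad.exe"]
    for name, result in scan(listing).items():
        print(name, result)
    # Constructed bytes: same body with different junk tails never hash alike.
    print(digest(b"BODY" + b"\x00" * 3) == digest(b"BODY" + b"\x00" * 7))
```

A "listed" hit on a generic name such as driver.exe is only a lead; confirm it against the file's location, signer and creation time before acting.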