• Products
  • Internet Security Pack
  • Anti-Malware
  • Online Armor Firewall
  • Mamutu Behavior Blocker
  • Free Emergency Kit
  • Commandline Scanner
  • MalAware - 1 min Scanner
  • Web Malware Scanner
  • BlitzBlank
• Business
  • Internet Security Pack
  • Anti-Malware
  • Anti-Malware for Server
  • Anti-Malware Enterprise
  • Anti-Malware Update-Proxy
  • Commandline Scanner
  • Helpdesk Scanner
• Download
  • Trial- and Free-Versions
• Order
  • Internet Security Pack
  • Anti-Malware
  • Anti-Malware for Server
  • Online Armor Firewall
  • Mamutu Behavior Blocker
  • Commandline Scanner
  • Helpdesk Scanner
  • Buy from a local partner
• Support
  • Contact Us
  • FAQ - Frequent Questions
  • Support Forum
  • Customer Center
  • User Account/Newsletter
  • Lost Password?
  • Knowledgebase
  • Blog
  • Malware List
  • Malware Statistics
  • Submit Suspect File
• Partner
  • Affiliate Program
  • Reseller Program
  • Distributor Program
  • Technology Partners
  • Cross Promo Partners
  • Our Local Distributors
• About Emsisoft
  • Company Portrait
  • Press Center
  • Logos, Icons, Boxshots
  • Tests & Reviews
  • Malware Blog
  • Company Profile
  • We're hiring! Job offers

Worm.Win32.Sober.D Alert!

After the many new NetSky and MyDoom variants of the last weeks, a new variant of the Sober Worm arrived. Worm.Win32.Sober.D - so it's official name - uses the publicity of the MyDoom Worm as well as the confusion about the many new worms at the users to spread.

Sober.D masks itself as a warning email for the MyDoom Worm. In German speaking countries it sends itself in German language. In all other regions English is used.

The email subject is:

Microsoft Alarm: Bitte Lesen!
or
Microsoft Alert: Please Read!

The english email body text is:

New MyDoom Virus Variant Detected!

A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet.
Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus.
The worm also has a backdoor Trojan capability.
By default, the Trojan component listens on port 13468.

Protection:
Please download this digitally signed attachment.
This Update includes the functionality of previously released patches.

The email contains an attachment like all other current worms which is the worm. If you open the attachments, the Worm is activated and begins to spread itself.

If you run the worm, you will get the message:

This patch has been successfully installed.
or
This patch does not need to be installed on this system.


Sober.D can be detected and removed with a² with the latest signature updates loaded. The a² background guard blocks the worm immediately if it is started.

A more detailed description of the worm can be found at the a² Malware Database:
http://www.emsisoft.com/en/malware/?Worm.Win32.Sober.D

3/8/2004 - Discuss this article in the forum

	How would you rate the quality of this content?
Rating: 7.32/10 38 votes Poor ⇒    ⇐ Outstanding

Spring Offer!

Don't miss this: To your bought 1-year license of Emsisoft Anti-Malware or Emsisoft Internet Security Pack or higher you can now get a free license of the CyberGhost Anonymizer for free.
Your advantage: Surf anonymously and visit websites that are restricted in your country.

Only a few days left! Order here

Best In Test!

More independent reviews of anti-malware software