Worm.Win32.Sober.E Alert!
Worm.Win32.Sober.E is the fifth variant of the widespread Sober worm and was first seen by our analysts on 03/28/2004 at 2:30pm CET. Like its predecessors, it originates from one of the German-speaking countries. The worm is written in Visual Basic 6 and packed with UPX. The packed worm file is 30,720 bytes in size.
Infection
Worm.Win32.Sober.E arrives on your PC via email. The worm's mails have the following layout; to generate each mail, one option is chosen from each of the subject, mail body and attachment name lists below:
Subject:
HEY
hey?
Hey!
OK Ok OK!
OK OK
Ok ;-)
Hi :-)
hi
Hi
thx
Thx!
THX
Thx !!!
Mail body:
;-)
ha!
HA :-)
yo!
lol
LoL
LOL
Yo!
Attachment name:
Text.zip
Text.pif
Read.zip
Read.pif
Graphic-doc.zip
Graphic-doc.pif
document.zip
document.pif
Word.zip
Word.pif
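As an added example (not part of the original alert and not a² code), the following mail-gateway check tests a parsed message against the three lists above. The function names, the sample_mail helper and the case-insensitive file-name comparison are assumptions of this sketch, and the sample mails are constructed.

```python
from email import message_from_string
from email.message import Message

# Values copied from the alert's three lists.
SUBJECTS = {"HEY", "hey?", "Hey!", "OK Ok OK!", "OK OK", "Ok ;-)", "Hi :-)",
            "hi", "Hi", "thx", "Thx!", "THX", "Thx !!!"}
BODIES = {";-)", "ha!", "HA :-)", "yo!", "lol", "LoL", "LOL", "Yo!"}
ATTACH_STEMS = {"text", "read", "graphic-doc", "document", "word"}
ATTACH_EXTS = {".zip", ".pif"}


def sober_e_indicators(msg: Message) -> set:
    """Return which of the alert's fields (subject, body, attachment) match."""
    hits = set()
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            # Assumption: compare file names case-insensitively, as Windows does.
            stem, dot, ext = name.strip().lower().rpartition(".")
            if stem in ATTACH_STEMS and dot + ext in ATTACH_EXTS:
                hits.add("attachment")
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            if payload.decode("latin-1").strip() in BODIES:
                hits.add("body")
    return hits


def looks_like_sober_e(raw: str) -> bool:
    """Flag only when all three fields match; the short texts alone are common."""
    return sober_e_indicators(message_from_string(raw)) == {"subject", "body", "attachment"}


def sample_mail(subject: str, body: str, filename: str) -> str:
    """Build a constructed two-part test mail (text part plus dummy attachment)."""
    return (
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b"\n'
        "\n--b\nContent-Type: text/plain\n\n"
        f"{body}\n"
        "--b\nContent-Type: application/octet-stream\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "Content-Transfer-Encoding: base64\n\nAAAA\n--b--\n"
    )
```

Requiring all three fields to match keeps ordinary short mails such as "Hi" with an unrelated attachment from being flagged.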
Sober.E can be detected and removed with a² with the latest signature updates loaded. The a² background guard blocks the worm immediately if it is started.
A more detailed description of the worm can be found at the a² Malware Database:
http://www.emsisoft.com/en/malware/?Worm.Win32.Sober.E
3/28/2004


