The Sober worm is a family of computer worms that was discovered on October 24, 2003. Like many worms, Sober sends itself as an e-mail attachment; it is also distributed through fake webpages, fake pop-ups and fake advertisements.
The Sober worms must be unpacked and run by the user. Upon execution, Sober copies itself to one of several files in the Windows directory, depending on the variant. It then adds appropriate keys to the Windows registry, along with a few empty files in the Windows directory. These empty files are used to deactivate previous Sober variants.
Sober is written in Visual Basic and only runs on the Microsoft Windows platform.
The registry keys are added to ensure that the worm is activated on Windows startup.
Sober can e-mail itself to all addresses in a user's e-mail address book. It spreads via e-mail using its own SMTP engine.
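Because the worm carries its own SMTP engine, an infected workstation connects directly to many outside mail servers on port 25 instead of handing mail to the site's relay. The Python sketch below is an added example, not part of the original article, that flags such hosts in a flow log; the log format, the addresses, the relay address and the threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow log: time, source, destination, port, action.
SAMPLE_LOG = """\
2005-11-22T09:00:01 10.0.0.5 10.0.0.25 25 allow
2005-11-22T09:00:03 10.0.0.17 198.51.100.10 25 allow
2005-11-22T09:00:03 10.0.0.17 198.51.100.22 25 allow
2005-11-22T09:00:04 10.0.0.17 203.0.113.7 25 allow
2005-11-22T09:00:04 10.0.0.17 203.0.113.80 25 deny
2005-11-22T09:00:05 10.0.0.25 192.0.2.44 25 allow
2005-11-22T09:00:06 10.0.0.9 192.0.2.80 443 allow
2005-11-22T09:00:07 10.0.0.9 192.0.2.44 25 allow
malformed line here
"""
APPROVED_RELAYS = {"10.0.0.25"}  # assumed address of the site's mail relay


def parse_line(line):
    """Return (src, dst, port), or None for a line that does not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        src = ipaddress.ip_address(parts[1])
        dst = ipaddress.ip_address(parts[2])
        port = int(parts[3])
    except ValueError:
        return None
    return src, dst, port


def find_direct_smtp_senders(log_text, approved_relays, min_destinations=3):
    """Map each internal non-relay host to the distinct SMTP servers it contacted."""
    relays = {ipaddress.ip_address(r) for r in approved_relays}
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, port = parsed
        # Keep only internal hosts speaking SMTP without going through the relay.
        if port != 25 or src in relays or dst in relays or not src.is_private:
            continue
        destinations[src].add(dst)  # denied attempts are counted as well
    return {str(s): sorted(str(d) for d in ds)
            for s, ds in destinations.items() if len(ds) >= min_destinations}
```

A single direct connection, such as the one from 10.0.0.9 in the sample, stays below the default threshold, so the threshold has to be tuned to the site's normal traffic.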
Sober can deactivate several popular antivirus software packages, as well as Microsoft AntiSpyware and HijackThis.
E-mails containing the Sober.X worm were sent around the Internet disguised as an e-mail from either the Federal Bureau of Investigation or the Central Intelligence Agency, both organizations of the United States government. The e-mail claimed that the recipient had been caught visiting illegal websites, and asked the user to open an attachment to answer some questions. Once the infected attachment was opened, a variety of system-damaging events occurred: anti-virus and other security measures were disabled, as was the ability to access websites for assistance; furthermore, contacts in the user's address book were sent an identical e-mail. It is also suspected that Sober.X functions as spyware by stealing personal information about the infected user.