News Stay informed about the latest enterprise technology news and product updates.

Some 'Sober' on new worm variant

The latest incarnation appears to have legs and a high threat rating from some AV vendors.

A new Sober worm variant is getting traction this morning and is ranked as a high-level threat by some AV vend...


"A new worm -- W32/Sober-I -- has appeared and it is already a high threat," said Patrick Hinojosa, CTO, Panda Software USA, based in Glendale, Calif. "This is spreading fast, particularly in Europe. It causes serious damage to the registry and it creates its own SMTP engine to resend itself to your address book."

Panda, F-Secure Corp., Trend Micro Inc. and Symantec Corp. are calling the new variant Sober-I, McAfee Inc. calls it Sober-J and Norman Antivirus labels it Sober-H.

According to Panda, "It does not have destructive effects. It spreads via e-mail in a message with variable characteristics." Users of Windows 95, 98, ME, NT, XP, 2000 and 2003 are vulnerable, but will not become infected if they don't run the attached file.

Hinojosa added that the worm is somewhat intelligent. "It goes through the victim's address book and any other source of e-mail addresses and will customize the language it uses by the country of the recipient. Right now we've only seen English and German, but there could be others."

Norman said it has a variable subject line and body text; the attachment is also variable, but is an executable file using .scr, .com, .bat, .pif or .zip extension.

According to Norman's site: "When the worm is executed, it will display a window with an error message. In the background it now creates a number of files in the Windows System directory; most notably two worm files -- these two files can have various names, f.ex. expoler.exe or win32data.exe. Registry keys will be created to start these from bootup." Other files created are:

  • clonzips.ssc
  • clsobern.isc
  • cvqaikxt.apk
  • dgssxy.yoi
  • nonzipsr.noz
  • Odin-Anon.Ger
  • sb2run.dii
  • sysmms32.lla
  • winexerun.dal
  • winmprot.dal
  • winroot64.dal
  • winsend32.dal
  • zippedsr.piz

To mitigate the worm, block .scr, .com, .bat, .pif or .zip extensions at the gateway and update antivirus signatures.

Dig Deeper on Emerging cyberattacks and threats

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.