Infections of W32/Sober.A@mm increase steadily

30 October 2003

W32/Sober.A@mm is a bilingual mass-mailing worm whose infection rate has been increasing steadily over the past few days and weeks. Sober.A spreads between Windows systems via e-mail. These e-mails pose as security warnings against a possible new mass-mailing worm and carry attachments that are said to be patches against this threat. The attachments, however, are infected with W32/Sober.A@mm.

Once this attachment has been executed, Sober.A infects the computer and harvests more e-mail addresses from the infected computer's hard drive. The worm subsequently sends itself to these addresses using its own SMTP engine.

W32/Sober.A arrives in e-mails with subject lines and content either in English or in German. If the Internet domain of the recipient is .de, .at, .ch, or .li, then the message is created in German, otherwise in English.

The e-mail's subject line is then randomly chosen from the following:

In German:


Neuer Virus im Umlauf!
Sie versenden Spam Mails (Virus?)
Ein Wurm ist auf Ihrem Computer!
Langsam reicht es mir
Sie haben mir einen Wurm geschickt!
Hi Schnuckel was machst du so ?
VORSICHT!!! Neuer Mail Wurm
Re: Kontakt
Sorry, Ich habe Ihre Mail bekommen
Hi Olle, lange niks mehr geh
Viurs blockiert jeden PC (Vorsicht!)
Überraschung
Ich habe Ihre E-Mail bekommen !
Jetzt rate mal, wer ich bin !?
Neue Sobig Variante (Lesen!!)
Ich Liebe Dich




In English:


Congratulations!! Your Sobig Worms are very good!!!
Back At The Funny Farm
You are a very good programmer!
Yours faithfully
Odin alias Anon
Odin_Worm.exe
RE: Sex
Re: lol
New internet virus!
You send spam mails (Worm?)
A worm is on your computer!
You have sent me a virus!
Hi darling, what are you doing now?
Be careful! New mail worm
Re: Contact
Sorry, I've become your mail
Hey man, long not see you
Viurs blocked every PC (Take care!)
Surprise
I've become your mail!
Advise who I am!
New Sobig-Worm variation (please read)
I love you (I'm not a virus!)
I permanently get Spam-Mails from you and inside is a virus!!
You should remove these thing.



Attachment names are randomly generated from the following list:


AntiVirusDoc.pif
Check-Patch.bat
Screen_Doku.scr
Removal-Tool.exe
Perversionen.scr
CM-Recover.com
Bild.scr
schnitzel.exe
robot_mail.scr
RobotMailer.com
Privat.exe
AntiTrojan.exe
Mausi.scr
NackiDei.com
Anti-Sob.bat
security.pif
Funny.scr
Liebe.com
Odin_Worm.exe
check-patch.bat
anti_virusdoc.pif
perversion.scr
removal-tool.exe
screen_doc.scr
potency.pif
CM-Recover.com
pic.scr
playme.exe
robot_mailer.pif
private.exe
anti-trojan.exe
love.com
nacked.com
anti-Sob.bat
NAV.pif
funny.scr
little-scr.scr
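
One way to screen inbound mail against the attachment names listed above, as an added example that is not part of the original advisory. The function names `classify` and `sample` are hypothetical, and the test message is constructed, not a captured sample.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names from the list above, lower-cased and de-duplicated.
SOBER_A_NAMES = frozenset(n.lower() for n in """
AntiVirusDoc.pif Check-Patch.bat Screen_Doku.scr Removal-Tool.exe
Perversionen.scr CM-Recover.com Bild.scr schnitzel.exe robot_mail.scr
RobotMailer.com Privat.exe AntiTrojan.exe Mausi.scr NackiDei.com
Anti-Sob.bat security.pif Funny.scr Liebe.com Odin_Worm.exe
anti_virusdoc.pif perversion.scr screen_doc.scr potency.pif pic.scr
playme.exe robot_mailer.pif private.exe anti-trojan.exe love.com
nacked.com NAV.pif little-scr.scr
""".split())

# Extensions used by every name on the list; all run directly on Windows.
RISKY_EXTS = (".pif", ".bat", ".scr", ".exe", ".com")

def classify(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, verdict) for each attachment.

    Verdict is 'sober-a-name' for a listed name (case-insensitive),
    'executable' for any other directly runnable extension, else 'ok'.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        lowered = name.lower()
        if lowered in SOBER_A_NAMES:
            verdict = "sober-a-name"
        elif lowered.endswith(RISKY_EXTS):
            verdict = "executable"
        else:
            verdict = "ok"
        results.append((name, verdict))
    return results

def sample(filename: str) -> bytes:
    """Constructed test message with one harmless placeholder attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.de"
    m["Subject"] = "Neuer Virus im Umlauf!"
    m.set_content("constructed body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Because the names are matched case-insensitively, variants such as `ANTI-SOB.BAT` are caught as well; the extension fallback covers renamed copies that keep a runnable extension.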


Recommended Reactions

Users are advised to update their virus signature files and make sure they have the latest versions of F-Prot Antivirus installed on their computers.

After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.

For more information on this worm and its disinfection, please visit our virus information section.

Threat Detection

The latest versions of F-Prot Antivirus detect W32/Sober.A@mm using virus signature files dated 28 October 2003 or later.

Commtouch® is a leading developer of anti virus software and anti spam filtering services. Commtouch's anti virus computer software, F-PROT Antivirus, is available for a number of operating systems such as Windows, Linux, BSD, Solaris, and AIX as well as the Microsoft Exchange groupware.
