Sober (computer worm)
The Sober worm is a family of computer worms that was discovered on October 24, 2003. Like many worms, Sober sends itself as an e-mail attachment.

The Sober worms must be unpacked and run by the user. Upon execution, Sober copies itself to one of several files in the Windows directory, depending on the variant. It then adds appropriate keys to the Windows registry, along with a few empty files in the Windows directory. These empty files are used to deactivate previous Sober variants.

Sober is written in Visual Basic and only runs on the Microsoft Windows platform.

Aliases

  • CME-681
  • WORM_SOBER.AG
  • W32/Sober-{X-Z}
  • Win32.Sober.W
  • Win32.Sober.O
  • Sober.Y (not a variant, but another name for Sober.X, often used by F-Secure)
  • S32/Sober@MMIM681
  • W32/Sober.AA@mm

Affected platforms

  • Microsoft Windows family
    • Windows 95
    • Windows 98
    • Windows NT
    • Windows Me
    • Windows 2000
    • Windows XP
    • Windows Server 2003

Infection

The Sober worms must be unpacked and run by the user. Upon execution, Sober copies itself to one of the following files in the Windows directory:
  • antiv.exe
  • csrss.exe
  • driver.exe
  • driverini.exe
  • drv.exe
  • explorer.exe
  • filexe.exe
  • hlp16.exe
  • lssas.exe
  • qname.exe
  • services.exe
  • smss.exe
  • spoole.exe
  • swchost.exe
  • syshost.exe
  • systemchk.exe
  • systemini.exe
  • winchk.exe
  • winlog32.exe
  • winreg.exe

It then adds appropriate keys to the Windows registry to ensure activation on Windows startup, along with a few empty files in the Windows directory. These empty files are used to deactivate previous Sober variants.
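As an added defender-side example (not code from the article or from the worm itself), the following Python triage helper compares a listing of the Windows directory and the values of a registry Run key against the drop names listed above. The Run-key location, the install path C:\WINDOWS, the allowance for explorer.exe, and the list of System32 look-alikes are assumptions, since the article does not name the registry keys.

```python
import ntpath

WINDIR = r"C:\WINDOWS"  # assumption: a typical Windows install path of the era
# Drop names from the Infection section above.
SOBER_DROP_NAMES = {
    "antiv.exe", "csrss.exe", "driver.exe", "driverini.exe", "drv.exe",
    "explorer.exe", "filexe.exe", "hlp16.exe", "lssas.exe", "qname.exe",
    "services.exe", "smss.exe", "spoole.exe", "swchost.exe", "syshost.exe",
    "systemchk.exe", "systemini.exe", "winchk.exe", "winlog32.exe", "winreg.exe",
}
# Assumption: explorer.exe legitimately lives in %WINDIR%, so that copy is only
# reported when an autorun entry points at it.
LEGIT_IN_WINDIR = {"explorer.exe"}
# Assumption: look-alikes of core processes that belong in System32, not in %WINDIR%.
SYSTEM32_LOOKALIKES = {"csrss.exe", "smss.exe", "services.exe", "lssas.exe"}


def _norm(path):
    """Case-fold and normalise a Windows path so comparisons are stable."""
    return ntpath.normcase(ntpath.normpath(path))


def autorun_images(run_values):
    """Map Run-key value names to the image path named in their command line."""
    images = {}
    for name, cmd in run_values.items():
        cmd = cmd.strip()
        if cmd.startswith('"'):               # quoted path, possibly followed by args
            image = cmd[1:].split('"', 1)[0]
        else:                                 # unquoted: first token (ambiguous with spaces)
            image = cmd.split(" ", 1)[0]
        images[name] = _norm(image)
    return images


def triage(windir_listing, run_values, windir=WINDIR):
    """Return (filename, reason) pairs for Sober drop names present in %WINDIR%."""
    referenced = set(autorun_images(run_values).values())
    findings = []
    for fname in windir_listing:
        low = fname.lower()
        if low not in SOBER_DROP_NAMES:
            continue
        in_autorun = _norm(ntpath.join(windir, low)) in referenced
        if low in LEGIT_IN_WINDIR and not in_autorun:
            continue                          # ordinary explorer.exe, no Run entry
        reason = ("system-process look-alike outside System32"
                  if low in SYSTEM32_LOOKALIKES else "Sober drop name in %WINDIR%")
        if in_autorun:
            reason += ", referenced by autorun entry"
        findings.append((low, reason))
    return findings
```

On a live host, feed `triage` the output of `os.listdir` on the Windows directory and the values read from the Run key with `winreg`; the constructed inputs in the comments stand in for that here.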

Spread

Sober can e-mail itself to all addresses in a user's e-mail address book. It spreads via e-mail using its own SMTP engine.

Deactivation of security software

Sober can deactivate several popular antivirus software packages, as well as Microsoft AntiSpyware and HijackThis.

Outbreaks

  1. October 24, 2003 – First discovery
  2. March 3, 2005 – Sober.L
  3. November 14, 2005 – Sober.T
  4. November 15, 2005 – Sober.X

21 November 2005 outbreak

E-mails containing the Sober.X worm were sent around the Internet disguised as an e-mail from either the Federal Bureau of Investigation or the Central Intelligence Agency, both organizations of the United States government. The e-mail claimed that the recipient had been caught visiting illegal websites, and asked the user to open an attachment to answer some questions. Once the infected attachment was opened, a variety of system-damaging events occurred: anti-virus and other security measures were disabled, as was the ability to access websites for assistance; furthermore, contacts in the user's address book were sent an identical e-mail. It is also suspected that Sober.X functions as spyware by stealing personal information about the infected user.

MessageLabs, a computer security company, caught at least three million copies within 24 hours after the breakout, and McAfee, another system security research firm, reported over 70,000 cases of the virus on consumer computers.

A similar e-mail circulated in Germany. Claiming to be sent by the Bundeskriminalamt, the e-mail told its readers that they were caught downloading pirated software. Sober.X was included in an attachment.

Political motivations

In May 2005, the variant Sober.Q appeared. Whereas previous variants appeared to be motivated by commercial gain or by malicious intent, this was the first to seem politically motivated.

Other variants (such as Sober.B) sent e-mails with subject headers that also indicated political intent, but these seemed to be designed to arouse the victim's interest, so that he or she would open the e-mail's attachment. Sober.Q does not send e-mails with attachments, instead preferring links to web sites with no viruses.

Sober.Q spread on computers to send messages of support for far-right groups in Germany ahead of the local elections in the state of North Rhine-Westphalia. Most appeared to be in support of, or directly from, the German political party NPD (Nationalist Party of Germany), with links to their website as well as other forum entries. It is, however, unknown whether this virus originated from the NPD themselves, supporters of the party, a hacker group trying to place the blame on the party, or a group attempting to discredit the party.

Similar to the above incident, the Sober virus was used again in 2005 by an unidentified German group to send out a widespread distribution of links to various political articles and commentaries. The effort seemed to be linked to German elections around the same time period.

External links

  • "Internet virus circulates disguised as e-mail from US government." Wikinews, November 26, 2005.
  • BBC news article
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.