I-Worm.Sober.a, W32/[email protected]
, Win32.HLLM.Odin, W32/Sober-A, Win32/[email protected]
WORM_SOBER.A, Worm/Sober, W32/[email protected]
, Win32:Sober, I-Worm/Sober.A,
Category: Computer Worm
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
24 Oct 2003
The [email protected]
program is a mass mailing worm that utilizes its SMTP engine to multiply itself. The subject of the email differs and it would either be in German or English.
If you have Malware on your computer it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean [email protected]
from your computer.
The [email protected]
program was discovered on October 24, 2003. It is a mass mailing worm that utilizes its SMTP engine to spread itself to other users. Thus, the contaminated user wouldn’t find duplicates of the email in the “Sent Items” folder in their email account. The worm could send its email in either English or German language. The [email protected]
worm attaches its message making use of a variety of possible message bodies, subject lines, and attachment names. Attachment names can be one of the following: Anti-Sob.bat, anti_virusdoc.pif, anti-trojan.exe, AntiTrojan.exe, Bild.scr, AntiVirusDoc.pif, Check-Patch.bat, CM-Recover.com, check-patch.bat, Funny.scr, Liebe.com, Hengst.pif, love.com, little-scr.scr, Mausi.scr, NackiDei.com, nacked.com, NAV.pif, perversion.scr, Odin_Worm.exe, Perversionen.scr, playme.exe, pic.scr, Removal-Tool.exe, potency.pif, Privat.exe, robot_mail.scr, removal-tool.exe, robot_mailer.pif, schnitzel.exe, RobotMailer.com, Screen_Doku.scr, screen_doc.scr, or security.pif
When the [email protected]
opens, it may show this fake error message “ERROR! FILE NOT COMPLETE!” the worm duplicates itself as “%System%\Similare.exe”. [email protected]
makes a few duplicates of itself to the directory of the “%System%” making use of variable file names, which maybe one of the following: antiv.exe, driver.exe, driverini.exe, drv.exe, expoler.exe, filexe.exe, hlp16.exe, lssas.exe, qname.exe, spoole.exe, swchost.exe, syshost.exe, systemchk.exe, systemini.exe, winchk.exe, winlog32.exe, and winreg.exe. Take note that the worm may add some trash data to the end of its duplicate.