
Sober.j prevention and cure

This common e-mail virus is reportedly spreading rapidly, mostly in Europe

By Robert Vamosi
Senior Editor, CNET Reviews

Sober.j is an e-mail worm, reportedly spreading rapidly (mostly in Europe), whose messages are written in both German and English and which attempts to install a backdoor Trojan horse.

Sober.j (w32.sober.j@mm.com, also known as Sober.i) arrives as an e-mail from someone you might know. The attached file is either an exe or a zip-compressed file. The e-mail uses various subject lines and body texts, so it is best simply to avoid opening attached files unless you are certain of their contents. Sober.j does not affect users of Mac OS, Linux, or any other operating system. Because Sober.j spreads via e-mail, this worm rates a 6 on the CNET/ZDNet Virus Meter.

How it works
Sober.j arrives as an e-mail with various subject lines and body texts written in either German or English. The attached file is either a pif, zip, or bat.

Once running, Sober.j creates a bogus error message:

"WinZip_Data_Module is missing ~Error: {[random number]}"

It also creates files whose names combine three of the following fragments, with the extension .exe:

sys
host
dir
explorer
win
run
log
32
disc
crypt
data
diag
spool
service
smss32

For example, Sober.j would create files like these:

datadiscspool.exe
cryptdata.exe
runsms32.exe

The same names are also used as the value names of the Registry Run entries it adds, for example:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run "hostexpoler"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "wincryptx"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "disccryptx"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "runsmss32"

According to McAfee, the worm creates the following files in the Windows system folder:

clonzips.ssc (78,090 bytes)
clsobern.isc (77,738 bytes)
cvqaikxt.apk (0 bytes)
dgssxy.yoi (0 bytes)
nonzipsr.noz (77,738 bytes)
Odin-Anon.Ger (0 bytes)
sb2run.dii (0 bytes)
sysmms32.lla (0 bytes)
winexerun.dal (1,779 bytes)
winmprot.dal (1,832 bytes)
winroot64.dal (672 bytes)
winsend32.dal (1,779 bytes)
zippedsr.piz (78,090 bytes)
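As an added triage example (not code from the article or from any antivirus vendor), the following Python helper applies the two indicators described above: it tries to split an .exe name into fragments from the list the worm combines, and it matches names against the McAfee-reported dropped files. The sample names at the bottom are constructed for the demonstration; any hit still needs manual verification, since short fragments such as "win" and "32" can also occur in legitimate names.

```python
"""Triage helper for the Sober.j naming scheme described in the article."""
from typing import Optional

# Name fragments the article lists; Sober.j joins several and appends .exe.
SOBER_FRAGMENTS = ("sys", "host", "dir", "explorer", "win", "run", "log", "32",
                   "disc", "crypt", "data", "diag", "spool", "service", "smss32")

# Files the article (citing McAfee) says the worm drops in the system folder.
SOBER_DROPPED_FILES = frozenset({
    "clonzips.ssc", "clsobern.isc", "cvqaikxt.apk", "dgssxy.yoi", "nonzipsr.noz",
    "odin-anon.ger", "sb2run.dii", "sysmms32.lla", "winexerun.dal", "winmprot.dal",
    "winroot64.dal", "winsend32.dal", "zippedsr.piz",
})


def segment(name: str, fragments=SOBER_FRAGMENTS) -> Optional[list]:
    """Split `name` entirely into list fragments, or return None if impossible.
    Depth-first backtracking, so overlapping fragments ('smss32' vs '32') are tried."""
    if not name:
        return []
    for frag in fragments:
        if name.startswith(frag):
            rest = segment(name[len(frag):], fragments)
            if rest is not None:
                return [frag] + rest
    return None


def classify(filename: str, min_parts: int = 2, max_parts: int = 3) -> Optional[str]:
    """Return a reason string if `filename` looks like a Sober.j artifact, else None."""
    lower = filename.lower()
    if lower in SOBER_DROPPED_FILES:
        return "known Sober.j dropped file"
    stem, dot, ext = lower.rpartition(".")
    if dot and ext == "exe":
        parts = segment(stem)
        # The article says three fragments, but its own sample 'cryptdata.exe'
        # uses two, so two or three are accepted by default.
        if parts is not None and min_parts <= len(parts) <= max_parts:
            return "Sober.j-style name: " + "+".join(parts)
    return None


def triage(entries) -> dict:
    """Map each suspicious name in `entries` to the reason it was flagged."""
    hits = {}
    for entry in entries:
        reason = classify(entry)
        if reason:
            hits[entry] = reason
    return hits


# Constructed sample of Run-entry / system-folder names (not real findings).
SAMPLE = ["datadiscspool.exe", "cryptdata.exe", "runsmss32.exe", "explorer.exe",
          "notepad.exe", "clonzips.ssc", "winexerun.dal", "wordpad.exe"]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE).items():
        print(f"{name:22} {reason}")
```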

Prevention
Do not open e-mail attachments unless you are absolutely certain of their contents. If you must open an attachment, save it to your hard drive first, then let your antivirus scanner check it before opening it.

Removal
Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.
