Sober.r prevention and cure

By Robert Vamosi

Virus rating: 5 out of 10

Quick facts
Name: Sober.r (w32.sober.r@mm)

Aliases: CME-151; Sober.p (Computer Associates, Sophos), Sober.q (Symantec), Sober.y (Panda), Sober.ac (Trend Micro).

What it does: Harvests e-mail addresses from infected machines

Means of transmission: E-mail

How to recognize: E-mail referencing password changes with a ZIP file attachment

Who is at risk: Windows users

Sober.r is a classic mass-mailing e-mail worm that spreads itself to addresses harvested from infected PCs, and it may slow down e-mail services during the height of this infection. Sober.r (w32.sober.r@mm) arrives as e-mail in either English or German with a subject and body text referencing password changes. Users of Mac OS, Linux, and Unix are not affected but could become carriers by forwarding the infected e-mail to Windows users. Because Sober.r spreads via e-mail, does not open remote access to your PC, and may not damage system files, this worm rates a 5 on the CNET/ZDNet Virus Meter.

How it works
Sober.r arrives as e-mail with a ZIP file attachment named either KlassenFoto.zip or pword_change.zip. Buried within the ZIP is an executable file named PW_Klass.Pic.packed.bitmap.exe. Once executed, the Sober.r worm collects e-mail addresses from the infected PC and uses its own SMTP engine to send copies of itself to those addresses.
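As an added illustration (not from the article or from any antivirus vendor), the following Python check shows how a mail gateway could quarantine an attachment like the one described above: it flags the ZIP names the article lists, an executable member with a misleading multi-dot name, and any member that begins with the 'MZ' signature of a Windows executable. The executable-extension list and the MZ check are my assumptions; the sample ZIPs are constructed in memory, and the 'MZ' stub is a harmless placeholder, not the worm.

```python
import io
import zipfile

# Attachment names and executable extensions to flag; the ZIP names are those the article lists.
KNOWN_ATTACHMENTS = {"klassenfoto.zip", "pword_change.zip"}
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def inspect_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons to quarantine an attachment; an empty list means no finding."""
    reasons = []
    if filename.lower() in KNOWN_ATTACHMENTS:
        reasons.append(f"attachment name matches a Sober.r name: {filename}")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return reasons + ["attachment is not a valid ZIP archive"]
    with archive:
        for info in archive.infolist():
            name = info.filename.rsplit("/", 1)[-1]  # drop any folder prefix
            parts = name.lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable member: {info.filename}")
                if len(parts) > 2:  # e.g. PW_Klass.Pic.packed.bitmap.exe
                    reasons.append(f"misleading multi-extension name: {info.filename}")
            # Content check: a Windows PE starts with 'MZ', whatever the file is called.
            with archive.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append(f"member has a PE (MZ) header: {info.filename}")
    return reasons


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Build an in-memory ZIP holding one file, for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed samples: the member name from the article around a harmless 'MZ' stub, and a benign text file.
SUSPECT_ZIP = build_sample_zip("PW_Klass.Pic.packed.bitmap.exe", b"MZ" + b"\x00" * 62)
BENIGN_ZIP = build_sample_zip("notes.txt", b"Meeting notes for Monday.\n")

if __name__ == "__main__":
    for name, blob in (("pword_change.zip", SUSPECT_ZIP), ("notes.zip", BENIGN_ZIP)):
        findings = inspect_attachment(name, blob)
        print(name, "->", "QUARANTINE" if findings else "clean", findings)
```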

According to McAfee, Sober.r makes the following changes to the system registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run " WinINet" = C:\WINDOWS\ConnectionStatus\services.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "_WinINet" = C:\WINDOWS\ConnectionStatus\services.exe

The worm also adds the following files to the Windows folder:

c:\WINDOWS\ConnectionStatus\netslot.nst

c:\WINDOWS\ConnectionStatus\services.exe

c:\WINDOWS\ConnectionStatus\socket.dli

Sober.r also adds the following zero-byte files to the System32 folder:

c:\WINDOWS\system32\bbvmwxxf.hml

c:\WINDOWS\system32\gdfjgthv.cvq

c:\WINDOWS\system32\langeinf.lin

c:\WINDOWS\system32\nonrunso.ber

c:\WINDOWS\system32\rubezahl.rub

c:\WINDOWS\system32\seppelmx.smx

Prevention
Do not open e-mail attachments without first saving them to your hard drive and having your antivirus app scan them. Sober.r may appear to come from someone you know, but in reality that sender address may be spoofed.

Removal
Several antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates (as Sober.p), F-Secure, McAfee, Norman, Panda (as Sober.y), Sophos (as Sober.p), Secunia, Symantec (as Sober.q), and Trend Micro (as Sober.ac).
