out of 10
How we rate
Aliases: CME-151; Sober.p (Computer Associates, Sophos), Sober.q (Symantec), sober.y (Panda), Sober.ac (Trend Micro).
What it does: Harvests e-mail addresses from infected machines
Means of transmission: E-mail
How to recognize: E-mail referencing password changes with a ZIP file attachment
Who is at risk: Windows users
How it works
Sober.r arrives as e-mail with a ZIP file attachment named either KlassenFoto.zip, or pword_change.zip. Buried within the ZIP is an executable file named PW_Klass.Pic.packed.bitmap.exe. Once executed, the Sober.r worm collects e-mail addresses from the infected PC and uses its own SMTP e-mail engine to send copies of itself to those addresses.
According to McAfee, Sober.r makes the following changes to the system registry:
Run " WinINet" =C:\WINDOWS\ConnectionStatus\services.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Run "_WinINet"=C:\WINDOWS\ConnectionStatus\services.exe
The worm also adds the following files to the Windows folder:
And Sober.r adds the following files (with 0 bytes) to the System32 folder:
Do not open e-mail attachments without first saving them to your hard drive and having your antivirus app scan them. Sober.r may appear to come from someone you know, but in reality that sender address may be spoofed.
Several antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates (as Sober.p), F-Secure, McAfee, Norman, Panda (as Sober.y), Sophos (as Sober.p), Secunia, Symantec (as Sober.q), and Trend Micro (as Sober.ac).