Bilingual viruses are not new, nor is the Sober family of viruses. But someone has once again put the two concepts together and created the sixteenth variation of Sober, Sober.p—W32.sober.p@mm, also known as sober.n (Sophos), sober.o (Symantec), and sober.s (Trend Micro). German-language speakers will see e-mail advertising World Cup soccer tickets, while English-language speakers will see messages informing them that their e-mail could not be delivered (among other variations). Sober.p travels via e-mail and uses ZIP file attachments to hide an infected PIF file within. Users of Linux, the Mac OS, and Unix are not affected by this outbreak. Because Sober.d spreads via e-mail and does no other damage, this virus rates a 4 on the CNET/ZDNet Virus Meter.
How it works
Sober.p arrives in an e-mail message. The sender address is spoofed, and the body text, either in German or in English, varies. The attachment file usually ends in .zip:
account_info.zip
autoemail-text.zip
LOL.zip
Fifa_Info-Text.zip
mail_info.zip
okTicket-info.zip
our_secret.zip
PassWort-Info.zip
Within the ZIP file is a file named winzipped-text_data.txt [several blank spaces].pif
According to security vendor Trend Micro, once executed, Sober.p creates the following files in the %Windows%\Connection Wizard\Status folder:
csrss.exe
services.exe
smss.exe
It also creates the following versions of itself:
packed1.sbr
packed2.sbr
packed3.sbr
And adds the following files, which contain email-related data:
sacri1.ggg
sacri2.ggg
sacri3.ggg
voner1.von
voner2.von
voner3.von
Sober also creates the following files in the following directories:
%Windows%\Connection Wizard\Status\fastso.ber
%System%\adcmmmmq.hjg
%System%\langeinf.lin
%System%\nonrunso.ber
%System%\seppelmx.smx
%System%\xcvfpokd.tqa
In order for the virus to run every time the infected machine is rebooted, the virus adds the following to the system Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run "_WinStart" = C:\WINDOWS\Connection Wizard\Status\services.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run " WinStart" = C:\WINDOWS\Connection Wizard\Status\services.exe
Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see F-Secure, McAfee, Sophos (as Sober.n), Symantec (as Sober.o), and Trend Micro (as Sober.s).
