Bilingual viruses are not new, nor is the Sober family. But someone has once again put the two concepts together and created the sixteenth variant of Sober: Sober.p (W32.sober.p@mm), also detected as Sober.n (Sophos), Sober.o (Symantec), and Sober.s (Trend Micro). German-language recipients see e-mail advertising World Cup soccer tickets, while English-language recipients see messages claiming that their e-mail could not be delivered (among other variations). Sober.p travels via e-mail and hides its executable, a PIF file, inside a ZIP attachment. Users of Linux, the Mac OS, and Unix are not affected by this outbreak. Because Sober.p spreads via e-mail and does no other damage, this virus rates a 4 on the CNET/ZDNet Virus Meter.
How it works
Sober.p arrives in an e-mail message. The sender address is spoofed, and the body text, in either German or English, varies. The attachment name usually ends in .zip:
Inside the ZIP file is a single file named winzipped-text_data.txt, followed by a run of blank spaces and then .pif. The padding pushes the real extension out of view in most file dialogs and mail clients, so the victim sees what looks like a text file; Windows, however, treats a .pif (Program Information File) as an executable and runs it like an .exe.
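The check a mail gateway would apply to this lure, written as an added example for this page (it is not the worm's code, nor any vendor's tool): build a constructed message carrying a ZIP attachment whose only member uses the padded double extension described above, walk the attachments, open each ZIP in memory, and report what the user would see against what Windows would actually run. The sender, recipient, subject and attachment name are invented sample data.

```python
"""Detect Sober.p-style padded double extensions inside ZIP attachments.

Added example written for this page; not the worm's code or a vendor tool.
The sample message below is constructed and its attachment contents are
harmless placeholder bytes.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows executes directly; .pif is the one Sober.p uses.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}

# "<harmless name>.<ext>" + two or more spaces + ".<real ext>"
PADDED_DOUBLE_EXT = re.compile(
    r"^(?P<shown>.+?\.[A-Za-z0-9]{1,4})\s{2,}(?P<real>\.[A-Za-z0-9]{1,4})$"
)


def inspect_member_name(name: str) -> dict:
    """Split a ZIP member name into what is shown and what would run."""
    base = name.rsplit("/", 1)[-1]  # ZIP paths use forward slashes
    real_ext = ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""
    return {
        "name": base,
        "real_ext": real_ext,
        "executable": real_ext in EXECUTABLE_EXTS,
        "padded_double_extension": PADDED_DOUBLE_EXT.match(base) is not None,
    }


def scan_zip_bytes(data: bytes) -> list:
    """List every file member of an in-memory ZIP with its verdict."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = inspect_member_name(info.filename)
            verdict["size"] = info.file_size
            findings.append(verdict)
    return findings


def scan_message(raw: bytes) -> list:
    """Walk a raw RFC 822 message and scan each ZIP attachment it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Trust the magic bytes, not just the declared name.
        if filename.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            for finding in scan_zip_bytes(payload):
                finding["attachment"] = filename
                results.append(finding)
    return results


def should_quarantine(raw: bytes) -> bool:
    """Gateway policy: any executable inside a ZIP attachment is blocked."""
    return any(f["executable"] for f in scan_message(raw))


def build_sample_message() -> bytes:
    """Constructed sample resembling the English-language Sober.p lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Member name mirrors the one in the write-up; content is a placeholder.
        zf.writestr("winzipped-text_data.txt        .pif", b"placeholder, not a PIF")
    msg = EmailMessage()
    msg["From"] = "mailer-daemon@example.invalid"  # spoofed sender (sample)
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Mail delivery failed"
    msg.set_content("This message could not be delivered. See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="mail_data.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample_message()
    for f in scan_message(sample):
        print(f)
    print("quarantine:", should_quarantine(sample))
```

Blocking on the real extension rather than on the name as displayed is the point: the padded name is cosmetic, and a gateway that keys on `.txt` will wave the attachment through.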
According to security vendor Trend Micro, once executed, Sober.p creates the following files in the %Windows%\Connection Wizard\Status folder:
It also creates the following versions of itself:
And adds the following files, which contain email-related data:
Sober.p also creates the following files in these directories:
So that the worm runs every time the infected machine is rebooted, it adds the following values to the Run keys in the system Registry:
Run "_WinStart" = C:\WINDOWS\Connection Wizard\Status\services.exe
Run " WinStart" = C:\WINDOWS\Connection Wizard\Status\services.exe
The two value names differ only in their first character (an underscore versus a leading space), and the file name services.exe is borrowed from a legitimate Windows binary that lives in the system directory. The copy started here sits in Connection Wizard\Status instead, which is the detail to check when inspecting autorun entries on a suspect machine.
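A check for these autorun entries, as an added example for this page rather than any vendor's removal tool: the code parses Run-key data in the layout printed by `reg query` (value name, type and data separated by runs of four spaces; that layout is an assumption of the parser) and flags the two indicators the write-up describes, a value named WinStart with a leading underscore or space and a services.exe that does not live in the system directory. The sample export below is constructed; the path to the system directory defaults to C:\WINDOWS\system32 and can be overridden.

```python
"""Flag Sober.p autorun indicators in exported Run-key data.

Added example for this page, not a vendor tool. Assumes the text layout of
`reg query HKLM\...\Run` output; the sample below is constructed.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample; the last value under each key mirrors the entries quoted above.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    _WinStart    REG_SZ    C:\WINDOWS\Connection Wizard\Status\services.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
     WinStart    REG_SZ    C:\WINDOWS\Connection Wizard\Status\services.exe
"""

# Four-space indent, then name / type / data separated by four spaces.
# The lazy name group keeps a leading space in the value name intact.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.*?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")


def parse_run_values(text: str) -> list:
    """Return one dict per value, tagged with the key it was read from."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            entries.append({"key": key, "name": m.group("name"),
                            "type": m.group("type"), "data": m.group("data").strip()})
    return entries


def flag_sober_indicators(entries: list, system_dir: str = r"C:\WINDOWS\system32") -> list:
    """Attach a list of reasons to each entry matching the Sober.p pattern."""
    flagged = []
    for e in entries:
        reasons = []
        # "_WinStart" and " WinStart" both collapse to "winstart" without padding.
        if e["name"].strip(" _").lower() == "winstart":
            reasons.append("Run value named WinStart with leading space/underscore")
        exe = PureWindowsPath(e["data"].strip('"'))
        if exe.name.lower() == "services.exe" and str(exe.parent).lower() != system_dir.lower():
            reasons.append("services.exe outside the system directory: " + str(exe.parent))
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_sober_indicators(parse_run_values(SAMPLE_REG_QUERY)):
        print(hit["key"], repr(hit["name"]), hit["reasons"])
```

On a live machine the same functions can be fed the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` and its HKCU counterpart; the leading-space value name is easy to miss by eye, which is why the check normalizes the name before comparing.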
A few antivirus software companies have updated their signature files to include this worm. Updated signatures stop the infection on arrival and in some cases will remove an active infection from your system. For more information, see F-Secure, McAfee, Sophos (as Sober.n), Symantec (as Sober.o), and Trend Micro (as Sober.s).