Bilingual viruses are not new, nor is the Sober family of viruses. But someone has once again put the two concepts together and created the sixteenth variation of Sober, Sober.p (W32.sober.p@mm), also known as Sober.n (Sophos), Sober.o (Symantec), and Sober.s (Trend Micro). German-language speakers will see e-mail advertising World Cup soccer tickets, while English-language speakers will see messages informing them that their e-mail could not be delivered (among other variations). Sober.p travels via e-mail and uses ZIP file attachments to hide an infected PIF file within. Users of Linux, the Mac OS, and Unix are not affected by this outbreak. Because Sober.p spreads via e-mail and does no other damage, this virus rates a 4 on the CNET/ZDNet Virus Meter.
How it works
Sober.p arrives in an e-mail message. The sender address is spoofed, and the body text, either in German or in English, varies. The attachment file usually ends in .zip:
account_info.zip
autoemail-text.zip
LOL.zip
Fifa_Info-Text.zip
mail_info.zip
okTicket-info.zip
our_secret.zip
PassWort-Info.zip
Within the ZIP file is a file named winzipped-text_data.txt [several blank spaces].pif. The run of blank spaces pushes the real .pif extension out of view in most file listings, so the attachment appears to be a harmless text file.
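The following is an added example, not code from the original article or from any of the vendors it cites. It shows how a mail gateway or incident responder could screen incoming ZIP attachments for the two indicators described above: an attachment name from the list, and an archive member whose executable extension is hidden behind a run of whitespace. The attachment names and the member name are taken from the page; the sample ZIP, the threshold-free regular expression, and the function names are assumptions made for this example.

```python
import io
import re
import zipfile

# Attachment names listed in the advisory (copied from the page).
KNOWN_SOBER_P_ATTACHMENTS = {
    "account_info.zip", "autoemail-text.zip", "LOL.zip", "Fifa_Info-Text.zip",
    "mail_info.zip", "okTicket-info.zip", "our_secret.zip", "PassWort-Info.zip",
}

# Extensions Windows will execute directly; .pif is the one Sober.p relies on.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}


def hidden_executable(name: str) -> bool:
    """True when a decoy name (e.g. 'something.txt') is followed by a run of
    whitespace and then an executable extension, as in
    'winzipped-text_data.txt<many spaces>.pif'."""
    m = re.fullmatch(r"(.*\.\w+)(\s+)(\.\w+)", name)
    if not m:
        return False
    return m.group(3).lower() in EXECUTABLE_EXTENSIONS


def suspicious_zip_members(zip_bytes: bytes) -> list:
    """Return the names of archive members that use the padded-extension trick."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if hidden_executable(info.filename)]


def assess_attachment(filename: str, payload: bytes) -> dict:
    """Combine the name-list match and the archive inspection into one verdict.
    Non-ZIP payloads are only checked against the name list."""
    known_name = filename in KNOWN_SOBER_P_ATTACHMENTS
    members = []
    if filename.lower().endswith(".zip"):
        members = suspicious_zip_members(payload)
    return {
        "known_name": known_name,
        "hidden_executables": members,
        "block": known_name or bool(members),
    }


def build_sample_zip() -> bytes:
    """Constructed sample (not a real Sober.p archive): one member whose .pif
    extension sits behind 40 spaces, mirroring the name the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("winzipped-text_data.txt" + " " * 40 + ".pif",
                    b"placeholder bytes, not a payload")
    return buf.getvalue()


if __name__ == "__main__":
    print(assess_attachment("mail_info.zip", build_sample_zip()))
```

The member check deliberately keys on the whitespace gap rather than on the fixed name, so renamed variants that keep the same trick are still caught, while an ordinary document with a single extension is not flagged.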
According to security vendor Trend Micro, once executed, Sober.p creates the following files in the %Windows%\Connection Wizard\Status folder:
csrss.exe
services.exe
smss.exe
It also creates the following versions of itself:
packed1.sbr
packed2.sbr
packed3.sbr
And adds the following files, which contain email-related data:
sacri1.ggg
sacri2.ggg
sacri3.ggg
voner1.von
voner2.von
voner3.von
Sober also creates the following files in the following directories:
%Windows%\Connection Wizard\Status\fastso.ber
%System%\adcmmmmq.hjg
%System%\langeinf.lin
%System%\nonrunso.ber
%System%\seppelmx.smx
%System%\xcvfpokd.tqa
In order for the virus to run every time the infected machine is rebooted, the virus adds the following to the system Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"_WinStart" = C:\WINDOWS\Connection Wizard\Status\services.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
" WinStart" = C:\WINDOWS\Connection Wizard\Status\services.exe
Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see F-Secure, McAfee, Sophos (as Sober.n), Symantec (as Sober.o), and Trend Micro (as Sober.s).