By Robert Vamosi
This is a common e-mail virus spreading rapidly, mostly in Europe
(November 19, 2004)
How it works
Sober.j arrives as an e-mail with various subject lines and body texts written in either German or English. The attachment is a .pif, .zip, or .bat file.
Once running, Sober.j creates a bogus error message:
"WinZip_Data_Module is missing ~Error: {[random number]}"
It also creates files whose names combine three of the following fragments, with the extension .exe:
sys
host
dir
explorer
win
run
log
32
disc
crypt
data
diag
spool
service
smss32
For example, Sober.j would create files like these:
datadiscspool.exe
cryptdata.exe
runsms32.exe
The names are also used in the Registry key listings, for example:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run "hostexpoler"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "wincryptx"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "disccryptx"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "runsmss32"
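As an added example (not part of the original alert or of any vendor's tooling), a small Python check that flags dropped-file names or Run-key value names assembled from the fragments listed above. The Run-key sample is constructed; the trailing "x" handling and the acceptance of two-fragment names follow the page's own examples ("wincryptx", cryptdata.exe).

```python
import re

# Name fragments the write-up says Sober.j concatenates (taken from the page).
COMPONENTS = ("sys", "host", "dir", "explorer", "win", "run", "log", "32",
              "disc", "crypt", "data", "diag", "spool", "service", "smss32")

def decompositions(stem):
    """All ways to split `stem` into a sequence of COMPONENTS with nothing left over."""
    if not stem:
        return [()]
    found = []
    for part in COMPONENTS:
        if stem.startswith(part):
            for tail in decompositions(stem[len(part):]):
                found.append((part,) + tail)
    return found

def sober_components(name):
    """Return the fragment tuple if `name` is built from 2 or 3 fragments, else None.

    Accepts dropped-file names (`<stem>.exe`) and Run-key value names, which on the
    page sometimes carry a trailing 'x' (e.g. "wincryptx"). Two-fragment names are
    accepted because the page's own example cryptdata.exe uses only two.
    """
    stem = name.lower()
    if stem.endswith(".exe"):
        stem = stem[:-4]
    candidates = [stem] + ([stem[:-1]] if stem.endswith("x") else [])
    for cand in candidates:
        for parts in decompositions(cand):
            if 2 <= len(parts) <= 3:
                return parts
    return None

def scan_run_values(values):
    """values: iterable of (key_path, value_name). Returns the entries worth a look."""
    return [(key, val, sober_components(val)) for key, val in values
            if sober_components(val) is not None]

# Constructed sample in the shape shown on the page, plus two benign entries.
SAMPLE_RUN_VALUES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "wincryptx"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "runsmss32"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth"),
]

if __name__ == "__main__":
    for key, val, parts in scan_run_values(SAMPLE_RUN_VALUES):
        print(f"{key}\\{val}: {'+'.join(parts)}")
```

Because the fragments are short, a name such as run32.exe would also be flagged; treat a hit as a prompt to check the file's size and location against the list of dropped files, not as a verdict on its own.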
According to McAfee, the worm creates the following files in the Windows system folder:
clonzips.ssc (78,090 bytes)
clsobern.isc (77,738 bytes)
cvqaikxt.apk (0 bytes)
dgssxy.yoi (0 bytes)
nonzipsr.noz (77,738 bytes)
Odin-Anon.Ger (0 bytes)
sb2run.dii (0 bytes)
sysmms32.lla (0 bytes)
winexerun.dal (1,779 bytes)
winmprot.dal (1,832 bytes)
winroot64.dal (672 bytes)
winsend32.dal (1,779 bytes)
zippedsr.piz (78,090 bytes)
Prevention
Do not open e-mail attachments unless you are absolutely certain of their contents. If you must open an attachment, save it to your hard drive first, then have your antivirus scanner check it before opening it.
Removal
Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.