Rob Vamosi's
award-winning
column on Internet threats and how to counter them
Delivered Mondays

CNET Security Center: Your complete source of antivirus and Internet security information.

Sober.p prevention and cure
Virus uses both English and German text to lure victims.
By Robert Vamosi (May 2, 2005)

QUICK FACTS

Name: Sober.p (w32.sober.p@mm)

What it does: Sends e-mail in either German or English

Means of transmission: E-mail

How to recognize: German version involves World Cup events; English version mentions password information

Who is at risk: Windows users

4
out of 10

VIRUS RATING
How we rate

Bilingual viruses are not new, nor is the Sober family of viruses. But someone has once again put the two concepts together and created the sixteenth variation of Sober, Sober.p--W32.sober.p@mm, also known as sober.n (Sophos), sober.o (Symantec), and sober.s (Trend Micro). German-language speakers will see e-mail advertising World Cup soccer tickets, while English-language speakers will see messages informing them that their e-mail could not be delivered (among other variations). Sober.p travels via e-mail and uses ZIP file attachments to hide an infected PIF file within. Users of Linux, the Mac OS, and Unix are not affected by this outbreak. Because Sober.d spreads via e-mail and does no other damage, this virus rates a 4 on the CNET/ZDNet Virus Meter.

How it works
Sober.p arrives in an e-mail message. The sender address is spoofed, and the body text, either in German or in English, varies. The attachment file usually ends in .zip:

account_info.zip
autoemail-text.zip
LOL.zip
Fifa_Info-Text.zip
mail_info.zip
okTicket-info.zip
our_secret.zip
PassWort-Info.zip

Within the ZIP file is a file named winzipped-text_data.txt [several blank spaces].pif

According to security vendor Trend Micro, once executed, Sober.p creates the following files in the %Windows%\Connection Wizard\Status folder:

csrss.exe
services.exe
smss.exe

It also creates the following versions of itself:

packed1.sbr
packed2.sbr
packed3.sbr

And adds the following files, which contain email-related data:

sacri1.ggg
sacri2.ggg
sacri3.ggg
voner1.von
voner2.von
voner3.von

Sober also creates the following files in the following directories:

%Windows%\Connection Wizard\Status\fastso.ber
%System%\adcmmmmq.hjg
%System%\langeinf.lin
%System%\nonrunso.ber
%System%\seppelmx.smx
%System%\xcvfpokd.tqa

In order for the virus to run every time the infected machine is rebooted, the virus adds the following to the system Registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Run "_WinStart" = C:\WINDOWS\Connection Wizard\Status\services.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run " WinStart" = C:\WINDOWS\Connection Wizard\Status\services.exe

Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see F-Secure, McAfee, Sophos (as Sober.n), Symantec (as Sober.o), and Trend Micro (as Sober.s).

Check out what's new
Introducing the all-new CNET!
Send feedback

- home
- reviews
- news
- downloads
- cnet tv
On the Insider: McCain compares Obama to Britney
- log in
- join CNET
- welcome,
- my profile
- log out

Reviews & advice: All product reviews; Editorial policies; Meet the editors; How we test; Tips & tricks

Popular topics: Apple iPhone; Apple iPod; Dell; PlayStation 3; Wii; Windows Vista

CNET sites: CNET TV; Downloads; Forums; News; Reviews; Site map

More information: Newsletters; Corrections; Customer Help Center; RSS; What's new; About CNET

Privacy policy
Terms of use
Visit other CBS Interactive sites:

#networkSites {display:none;}BNET | CHOW | CNET.com | CNET Channel | GameSpot | International Media | mySimon | Search.com | TechRepublic | TV.com | ZDNet