Robert Vamosi
Senior editor


Sober.x prevention and cure
A classic e-mail virus takes the world by storm.
By Robert Vamosi (November 29, 2005)

QUICK FACTS
Name: Sober.x (w32.sober.x@mm; alias CME-681, Sober.w (Computer Associates), Sober.y (F-Secure), Sober.ag (Trend Micro), Sober.ah (Panda))

What it does: Collects e-mail addresses for spammers

Means of transmission: E-mail

How to recognize: This e-mail virus arrives disguised as a message from the FBI, the CIA, or some other government agency, or as a message regarding a change in address, registration request, or password.

Who is at risk: Windows users

VIRUS RATING: 5 out of 10
Sober.x (w32.sober.x@mm; alias CME-681, Sober.w (Computer Associates), Sober.y (F-Secure), Sober.ag (Trend Micro), Sober.ah (Panda)) is the latest in a series of Sober viruses designed primarily to collect e-mail addresses for later use by spammers. The main consequence of this virus may be congested e-mail servers. Sober.x affects only Windows PCs; Mac OS, Linux, and Unix users are not affected. Because this Sober variant spreads via e-mail and may create remote access to an infected computer, it rates a 5 on the CNET/ZDNet Virus Meter.

How it works
This e-mail virus arrives disguised as a message from the FBI, the CIA, or some other government agency, or as a message regarding a change in address, registration request, or password. Known attachments include the following:

reg_pass-data.zip
reg_pass.zip
question_list.zip
mailtext.zip
mail_body.zip
mail.zip
list.zip
email_text.zip

According to McAfee, Sober.x creates a WinSecurity folder within the Windows folder and populates this new folder with the following files:

csrss.exe -- a copy of the worm
services.exe -- a copy of the worm
smss.exe -- a copy of the worm
mssock1.dli -- e-mail address information
mssock2.dli -- e-mail address information
mssock3.dli -- e-mail address information
socket1.ifo -- MIME-encoded archive containing the worm
socket2.ifo -- MIME-encoded archive containing the worm
socket3.ifo -- MIME-encoded archive containing the worm
starter.run -- zero-byte file
winmem1.ory -- harvested e-mail addresses
winmem2.ory -- harvested e-mail addresses
winmem3.ory -- harvested e-mail addresses

Sober.x also adds the following zero-byte files to the Windows System folder:

bbvmwxxf.hml
filesms.fms
langeinf.lin
nonrunso.ber
rubezahl.rub
runstop.rst

Prevention
Beware of e-mail attachments, especially those attached to the kinds of messages described above. Do not open the attached files.

Removal
Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates (as Sober.w), F-Secure (as Sober.y), McAfee, Panda (as Sober.ah), Sophos, Symantec, and Trend Micro.