
Sober.P worm threatens

By Mary Landesman, About.com

May 11 2005
Discovered May 2, 2005, Sober.P (also known as Sober.O) is a mass-mailing email worm that sends itself in either German or English language, depending on the intended recipient's domain. As with previous Sober variants, the worm uses social engineering in an attempt to persuade recipients to open the infected attachment.

Email characteristics
The email spoofs the From address, in some cases making it appear to come from an official-sounding source. For example, the displayed From name may be one of the following: Admin, hostmaster, info, postmaster, register, service, or webmaster.

In English language versions, the Subject will be one of the following:

  • Re:
  • Your Password
  • Registration Confirmation
  • Your email was blocked
  • mailing error

In English language versions, the body of the email may be:

    ---------------------
    Account and Password Information are attached!

    Visit: <website of spoofed sender>

    *** AntiVirus: No Virus found
    *** "<target domain name>" Anti-Virus
    *** <target website address>
    ---------------------

or it may simply be:

    ---------------------
    ok ok ok,,,,, here is it
    ---------------------

(Note: The --- are used in the example above as a separator and are not part of the email worm's message.)
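The sender names, subject lines and body text listed above are the kind of characteristics a mail gateway rule or triage script can match on. The following is an added example, not part of the original article, that encodes only those listed characteristics as a heuristic over RFC 822 messages; the two sample messages are constructed, the attachment name and the example.com addresses are placeholders, and the "two or more indicators" threshold is an assumption chosen for illustration.

```python
"""Heuristic triage for Sober.P-style mail (added example, not from the article).

It checks exactly the traits the write-up lists: a spoofed From local-part
from a short list of official-sounding names, one of the five English
subjects, the fake anti-virus trailer or the 'ok ok ok' body, and the
presence of an attachment.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List

SPOOFED_SENDERS = {"admin", "hostmaster", "info", "postmaster",
                   "register", "service", "webmaster"}
SUBJECTS = {"re:", "your password", "registration confirmation",
            "your email was blocked", "mailing error"}
BODY_MARKERS = ("account and password information are attached",
                "*** antivirus: no virus found",
                "ok ok ok,,,,, here is it")


def _text_body(msg: Message) -> str:
    """Concatenate all text/plain parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def _has_attachment(msg: Message) -> bool:
    """True if any MIME part carries a filename (the article names no specific type)."""
    return any(part.get_filename() for part in msg.walk())


def sober_indicators(raw: str) -> List[str]:
    """Return the Sober.P characteristics present in one raw message, in a fixed order."""
    msg = message_from_string(raw)
    hits: List[str] = []
    _, addr = parseaddr(msg.get("From", ""))
    local_part = addr.split("@", 1)[0].lower()
    if local_part in SPOOFED_SENDERS:
        hits.append(f"from:{local_part}")
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUBJECTS:
        hits.append(f"subject:{subject}")
    body = _text_body(msg).lower()
    for marker in BODY_MARKERS:
        if marker in body:
            hits.append(f"body:{marker}")
            break
    if _has_attachment(msg):
        hits.append("attachment")
    return hits


def is_suspected_sober(raw: str) -> bool:
    """Assumed threshold: two or more independent indicators flag the message."""
    return len(sober_indicators(raw)) >= 2


# Constructed sample mimicking the English-language variant described above.
SAMPLE = """From: postmaster@example.com
To: user@example.com
Subject: Your email was blocked
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Account and Password Information are attached!

Visit: http://www.example.com

*** AntiVirus: No Virus found
*** "example.com" Anti-Virus
*** http://www.example.com
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="attachment.zip"

UEsDBBQAAAAIAA==
--b1--
"""

# Constructed benign message for comparison.
BENIGN = """From: alice@example.org
To: user@example.com
Subject: Re: lunch on Friday
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, is_suspected_sober(raw), sober_indicators(raw))
```

A real gateway rule would also look at the German-language variant and the attachment type, neither of which the article details, so this stays at the level the text supports.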

Action on infection
Sober.P drops the following files to the C:\Windows\Connection Wizard\Status folder:

  • csrss.exe
  • services.exe
  • smss.exe

Sober.P modifies the system Registry Run key so that the worm is loaded when Windows starts:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    WinStart = "%Windows%\Connection Wizard\Status\services.exe"

Sober.P searches for and attempts to delete files whose names match the following patterns: A*.exe, Luc*.exe, Ls*.exe, and Luu*.exe. In addition, the Sober.P worm disables the Windows XP SP2 firewall and Windows Update.

Manual Removal
Scan the system with updated antivirus software and delete any files found infected with Sober.P. Delete the WinStart = "%Windows%\Connection Wizard\Status\services.exe" registry value.
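The dropped files and the WinStart Run value in the "Action on infection" and "Manual Removal" sections are the host indicators a responder confirms before deleting anything. The following is an added example, not from the original article, that checks those two indicators against an offline snapshot (a dict of Run-key values and a list of file paths, both constructed here) so it runs on any platform; the benign "Updater" value and the Windows directory are constructed placeholders. The one caveat it builds in is that csrss.exe, services.exe and smss.exe are also the names of legitimate Windows binaries in System32, so it keys on location, not name.

```python
"""Offline Sober.P host-indicator check (added example, not from the article).

Works on a snapshot rather than the live registry/filesystem so that the
same logic runs on an analyst workstation; ntpath is used so Windows paths
are handled correctly even on a non-Windows host.
"""
import ntpath
import re
from typing import Dict, List

# File names the article lists; the same names exist legitimately in System32.
DROPPED_NAMES = {"csrss.exe", "services.exe", "smss.exe"}
# Folder the article names, relative to the Windows directory.
DROP_DIR_PARTS = ("Connection Wizard", "Status")
# The article writes %Windows%; real REG_EXPAND_SZ data would use %SystemRoot%
# or %windir%, so all three are expanded the same way.
_WIN_VAR = re.compile(r"%(windows|systemroot|windir)%", re.IGNORECASE)


def expand_windows(path: str, windows_dir: str) -> str:
    """Replace the Windows-directory placeholder with the concrete directory."""
    return _WIN_VAR.sub(lambda _m: windows_dir, path)


def drop_dir(windows_dir: str) -> str:
    """Normalised (lower-case, backslash) path of the worm's drop folder."""
    return ntpath.normcase(ntpath.join(windows_dir, *DROP_DIR_PARTS))


def suspicious_run_values(run_values: Dict[str, str], windows_dir: str) -> List[str]:
    """Return names of Run values whose target is one of the dropped files in the drop folder."""
    target_dir = drop_dir(windows_dir)
    hits = []
    for name, data in run_values.items():
        # Registry data may be quoted (the article shows an opening quote only).
        target = ntpath.normcase(expand_windows(data.strip().strip('"'), windows_dir))
        if ntpath.dirname(target) == target_dir and ntpath.basename(target) in DROPPED_NAMES:
            hits.append(name)
    return hits


def dropped_files(paths: List[str], windows_dir: str) -> List[str]:
    """Return paths with the worm's file names that sit in the drop folder.

    Copies of the same names under System32 are deliberately not reported.
    """
    target_dir = drop_dir(windows_dir)
    found = []
    for p in paths:
        n = ntpath.normcase(p)
        if ntpath.dirname(n) == target_dir and ntpath.basename(n) in DROPPED_NAMES:
            found.append(p)
    return found


# Constructed snapshot of a host showing the indicators from the article.
WINDOWS_DIR = r"C:\Windows"
RUN_VALUES = {
    "WinStart": r'"%Windows%\Connection Wizard\Status\services.exe"',  # as in the article
    "Updater": r"C:\Program Files\Example\updater.exe",               # constructed benign value
}
FILES = [
    r"C:\Windows\System32\services.exe",                 # legitimate, must not be flagged
    r"C:\Windows\System32\smss.exe",                     # legitimate, must not be flagged
    r"C:\Windows\Connection Wizard\Status\services.exe",
    r"C:\Windows\Connection Wizard\Status\csrss.exe",
    r"C:\Windows\Connection Wizard\Status\readme.txt",   # constructed, wrong name
]

if __name__ == "__main__":
    print("Run values to delete:", suspicious_run_values(RUN_VALUES, WINDOWS_DIR))
    print("Dropped files:", dropped_files(FILES, WINDOWS_DIR))
```

On a live machine the snapshot would come from an export of the Run key and a directory listing of the Windows folder; the check itself is the same. The firewall and Windows Update changes the article mentions are not checked here because it does not say how they are made.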

Update: At midnight on May 9th, the Sober.P worm stopped its mass-mailing and presumably began downloading and executing other infected files. Even worse, your antivirus software may be unable to detect Sober.P, even if it is fully up to date. Read more: Sober hangover begins.

Sober.P aliases

  • BitDefender - Sober.O
  • ClamAV - Sober.P
  • Command - Sober.O
  • F-Secure - Sober.P
  • Kaspersky - Sober.P
  • McAfee - Sober.P
  • Panda - Sober.V
  • Sophos - Sober.N
  • Symantec - Sober.O
  • Trend - Sober.S

©2008 About.com, a part of The New York Times Company. All rights reserved.