W32.Sober.O@mm worm

May 2, 2005

Another variant of the Sober virus (W32.Sober.O@mm) has been sighted at Virginia Tech. W32.Sober.O@mm is a mass-mailing worm that uses its own SMTP engine to spread by sending itself as an email attachment to addresses gathered from the infected computer. The subject of the email varies and will be in either English or German. The email sender address is spoofed. The name of the email attachment varies.

This worm spreads with one of the following subject lines:

English:
  • Re:Your Password
  • Re:Registration Confirmation
  • Re:Your email was blocked
  • Re:mailing error
  • Re: [blank]
German:
  • Ihr Passwort
  • Mail-Fehler!
  • Ihre E-Mail wurde verweigert
  • Ich bin's, was zum lachen ;)
  • Glueckwunsch: Ihr WM Ticket
  • WM Ticket Verlosung
  • WM-Ticket-Auslosung
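
A mail-filter check built from the subject list above, given as an added example and not part of the original advisory. It decodes and normalizes the Subject header and flags a message only when it also carries an attachment, since subjects such as "Re:Your Password" also occur in legitimate mail. Requiring an attachment, reading "Re: [blank]" as a bare "Re:", the function names and the sample messages are all assumptions made for this example.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.message import EmailMessage

# Subject lines copied from the advisory's list.
SOBER_O_SUBJECTS = [
    "Re:Your Password", "Re:Registration Confirmation",
    "Re:Your email was blocked", "Re:mailing error",
    "Ihr Passwort", "Mail-Fehler!", "Ihre E-Mail wurde verweigert",
    "Ich bin's, was zum lachen ;)", "Glueckwunsch: Ihr WM Ticket",
    "WM Ticket Verlosung", "WM-Ticket-Auslosung",
]

def normalize_subject(subject):
    """Decode RFC 2047 encoded-words, strip whitespace, casefold."""
    try:
        subject = str(make_header(decode_header(subject or "")))
    except Exception:  # malformed encoded-word: compare the raw header text
        subject = str(subject or "")
    return re.sub(r"\s+", "", subject).casefold()

# Assumption: "Re: [blank]" in the list means a bare "Re:" subject.
KNOWN = {normalize_subject(s) for s in SOBER_O_SUBJECTS} | {"re:"}

def is_suspect(raw_message):
    """True when the subject is on the list AND a part has a filename."""
    msg = message_from_string(raw_message)
    has_attachment = any(part.get_filename() for part in msg.walk())
    return normalize_subject(msg["Subject"]) in KNOWN and has_attachment

def sample_message(subject, attach):
    """Build a constructed test message (not a real worm sample)."""
    m = EmailMessage()
    m["From"] = "spoofed@example.com"
    m["Subject"] = subject
    m.set_content("constructed body")
    if attach:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename="constructed.zip")
    return m.as_string()

if __name__ == "__main__":
    for subj, att in [("Re: Your  password", True), ("Re:Your Password", False),
                      ("Quarterly report", True)]:
        print(f"{subj!r:24} attachment={att} -> {is_suspect(sample_message(subj, att))}")
```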

Removal

Symantec has released further information and removal instructions for this worm:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.o@mm.html

Symantec has also released a removal tool for this worm:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.removal.tool.html