Alias: W32/Sober-C [Sophos], Win32.Sober.C [Computer Associates], W32/Sober.c@MM [McAfee], WORM_SOBER.C [Trend], I-Worm.Sober.c [Kaspersky], W32/Sober, W95/Sober.C@mm, W32.Sober.C@mm
Type: Worm
Size: (min) 74,346 Bytes
Origin:
Date: 00-00-0000
Damage: Sent by email.
VDF Version:
Danger: Medium
Distribution: Medium

Distribution
Worm/Sober.C1 uses its own SMTP engine to spread by email. The email sent by the worm contains:

Subject:
Betr: Klassentreffen
Testen Sie ihren IQ
Bankverbindungs- Daten
Neuer Dialer Patch!
Ermittlungsverfahren wurde eingeleitet
Ihre IP wurde geloggt
Sie sind ein Raubkopierer
Sie tauschen illegal Dateien aus
Ich hasse dich
Ich zeige sie an!
Sie Drohen mir!!
Anime, Pokemon, Manga, Handy ...
Anmeldebestätigung
Neu! Legales Filesharing
Umfrage: Rente erst mit 80!
du wirst ausspioniert
Ein Trojaner ist auf Ihrem Rechner!
Du hast einen Trojaner drauf!
Hi, Ich bin's
ups, i've got your mail
Sorry, that's your mail
hi, its me
Thank You very very much
you are an idiot
why me?
I hate you
Preliminary investigation were started
Your IP was logged
You use illegal File Sharing ...
A Trojan horse is on your PC
a trojan is on your computer!
Anime, Pokemon, Manga, ...

Attachment:
www.iq4you-german-test.com
www.freewantiv.com
www.free4share4you.com
www.onlinegamerspro-worm.com
www.freegames4you-gzone.com
www.anime4allfree.com
www.animepage43252.com
downloader.exe
yourmail. %random 1%%random2%
alledigis.%random1%

%random 1% can be:
.txt
.doc

%random 2% can be:
.bat
.cmd
.pif
.scr
.exe
.com
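
A mail-gateway style check built from the attachment names above, given as an added example that is not part of the original description. It assumes that %random1% followed by %random2% produces a double extension such as .doc.pif, and it generalizes that pattern to any file stem; the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Fixed attachment names listed in the description above.
LISTED_NAMES = {
    "www.iq4you-german-test.com", "www.freewantiv.com",
    "www.free4share4you.com", "www.onlinegamerspro-worm.com",
    "www.freegames4you-gzone.com", "www.anime4allfree.com",
    "www.animepage43252.com", "downloader.exe",
}
# Stems of the two randomized names on the page.
LISTED_STEM = re.compile(r"^(yourmail|alledigis)\.", re.I)
# Assumption: %random1% then %random2% yields a double extension.
DOUBLE_EXT = re.compile(r"\.(txt|doc)\.(bat|cmd|pif|scr|exe|com)$", re.I)

def classify_attachment(filename):
    """Return the matching rule name, or None if nothing matches."""
    name = filename.strip().lower()
    if name in LISTED_NAMES:
        return "listed-name"
    if LISTED_STEM.search(name):
        return "listed-stem"
    if DOUBLE_EXT.search(name):
        return "double-extension"
    return None

def scan_message(raw):
    """Return [(filename, rule)] for flagged attachments in a raw message."""
    hits = []
    for part in message_from_string(raw).walk():
        fname = part.get_filename()
        rule = classify_attachment(fname) if fname else None
        if rule:
            hits.append((fname, rule))
    return hits

# Constructed sample message, not captured traffic.
SAMPLE = (
    'Subject: Your IP was logged\n'
    'MIME-Version: 1.0\n'
    'Content-Type: multipart/mixed; boundary="XX"\n\n'
    '--XX\nContent-Type: text/plain\n\nsee attachment\n'
    '--XX\nContent-Type: application/octet-stream\n'
    'Content-Disposition: attachment; filename="yourmail.doc.pif"\n\n'
    'AAAA\n--XX--\n'
)

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

The listed names ending in .com look like web addresses but are DOS executables, which is why they are matched as whole file names rather than treated as links.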

Technical Details
When activated, Worm/Sober.C1 copies itself to %SystemDIR% under two random file names.
It searches files of the following types for email addresses and saves them in C:\%SystemDIR%\Savesyss.dll:
.htt .rtf .doc .xls .ini .mdb .txt .htm .html .wab .pst .fdb .cfg .ldb .eml .abc .ldif .nab .adp .mdw .mda .mde .ade .sln .dsw .dsp .vap .php .nsf .asp .shtml .shtm .dbx .hlp .mht .nfo

It adds the following autostart registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""=""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ""=""

When first activated, the worm displays the following error message:
Title: Microsoft
Text: "first" has caused an unknown error. Stop: 00000010*08
Description inserted by Crony Walker on Tuesday, June 15, 2004
