W32/Sober Strikes Again

Saturday, May 14th, 2005 by | Filed Under: Security Help
 

5-11-2005

Since October of 2003, W32/Sober and its variants have done all they could to establish themselves as a constant threat to the unfortunate and under-secured. Well, they’re at it again with some new variants, and they are doing such a good job that McAfee elevated its threat level to “Medium” and Symantec to “Wild”.

W32/Sober and all its variants are mass mailers, which means that one of their primary jobs is to find any email addresses on your system and send copies of themselves out to these potential recipients. These emails all have attachments with the usual ominous Zip file extension; the archive contains the file winzipped-text_data.txt.pif, which springs into action if it is opened and not kept in check by your anti-virus. The emails come in two languages, English and German, with a couple of different subject types and message bodies. An example of such an email looks like this:

NOTE: The following example is from McAfee’s site
Subject: Your Password
Body:
Account and Password Information are attached!
Visit: http://www. {sender’s domain}
*** AntiVirus: No Virus found
*** “{recipient’s domain} ” Anti-Virus
*** http://www. {recipient’s domain}

This is just one of many different emails being sent out with the Sober attachment. In Germany, an infected email with the subject line “2006 World Cup Soccer” was largely responsible for the insane percentage numbers reported by Sophos from the weekend of Mother’s Day. You’re not going to believe this: W32/Sober was responsible for 4.65% of all email, making up 77% of emailed viruses. If that doesn’t make you want to get your machine updated and secure, then it’s likely nothing I could ever say would.
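The attachment pattern described above (a Zip archive carrying winzipped-text_data.txt.pif, plus a footer claiming a clean scan) is something a mail filter can check for. The following Python code is an added example, not code from McAfee, Symantec or this article; the decoy-extension list, the archive name account_info.zip and the function names are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions Windows runs directly; .pif is the one named in this article.
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd"}
# Extensions that make a file look like a harmless document (assumed list).
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "gif", "htm", "html"}
FAKE_SCAN_MARKER = "antivirus: no virus found"

def deceptive_name(name):
    """True for names like 'x.txt.pif': decoy extension, then an executable one."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS

def inspect_message(raw):
    """Return a list of findings for one raw message (bytes)."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename()
        if filename is None:
            # A body that vouches for its own cleanliness is a lure, not a scan result.
            if FAKE_SCAN_MARKER in payload.decode("latin-1").lower():
                findings.append("body claims a clean anti-virus scan")
            continue
        if deceptive_name(filename):
            findings.append("attachment: " + filename)
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                findings += ["zip member: " + m for m in zf.namelist() if deceptive_name(m)]
    return findings

def build_sample():
    """Constructed sample: harmless bytes under the article's file name; archive name is made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("winzipped-text_data.txt.pif", b"harmless placeholder")
    msg = EmailMessage()
    msg["Subject"] = "Your Password"
    msg.set_content("Account and Password Information are attached!\n*** AntiVirus: No Virus found\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="account_info.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(inspect_message(build_sample()))
```

The check looks inside the archive rather than at the archive's own name, because the .zip wrapper is what hides the .pif from a filter that only reads attachment file names.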

If you are infected you can expect the following to happen:

1. You’ll be tipped off that something’s wrong by an error message referencing a Cyclic Redundancy Check or CRC Error.

2. After that, the virus goes quickly to work creating, finding and replacing various files and folders throughout your PC and network.

3. It adds values to the Registry.

4. It checks to see what kind of network connection you may have by contacting an NTP (Network Time Protocol) server.

5. It goes through the system harvesting email addresses from files by file type, avoiding addresses that lead to itself or contain a specific string.

6. Once it has an acceptable list of email addresses, it proceeds to email copies of itself out to them in an attempt to infect other unfortunates.

7. To ensure a long, fruitful life at your expense, the virus replaces Symantec’s Live Update folder with its own, which consequently stops any updates from Symantec from taking place, and turns off the XP firewall.

If you are unfortunate enough to run into this unsavory fellow and it gets the best of you, then here are a couple of things that you might find useful. Symantec and McAfee both have downloadable removal tools as well as manual removal instructions on their sites. Most reputable anti-virus programs should have the new W32.Sober variant covered in their updates, so make sure you update whatever anti-virus software you use. That goes for your operating system as well: this virus affects all versions of Windows, including NT and Server 2003.

Above all else, common sense is your best defense. Watch what you and others are doing on your PC. Don’t be hasty and risk becoming your own enemy; don’t allow yourself to be fooled or blinded by some strange email with an attachment. Keep these things in mind and you’ll be fine.

Stay safe out there,

~ Chad

Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.o@mm.html

McAfee
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=133409

Sophos
http://www.sophos.com/virusinfo/articles/sobern2.html

Chad Stelnicki
