The Sober worm is a family of computer worms that was discovered on October 24, 2003. Like many worms, Sober sends itself as an e-mail attachment, fake webpages, fake pop-up ads, and fake advertisements.

The Sober worms must be unpacked and run by the user. Upon execution, Sober copies itself to one of several files in the Windows directory, depending on the variant. It then adds appropriate keys to the Windows registry, along with a few empty files in the Windows directory. These empty files are used to deactivate previous Sober variants.

Sober is written in Visual Basic and only runs on the Microsoft Windows platform.

Known variants: Sober.L, Sober.T, Sober.X, Sober.Y, Sober.Z

Aliases: CME-681, WORM_SOBER.AG, W32/Sober-{X-Z}, Win32.Sober.W, Win32.Sober.O, Sober.Y (not a variant, but another name for Sober.X, often used by F-Secure), S32/Sober@MMIM681, W32/Sober.AA@mm

Affected platforms: Microsoft Windows family (Windows 95, Windows 98, Windows NT, Windows Me, Windows 2000, Windows XP, Windows Server 2003)

Actions

Infection

The Sober worms must be unpacked and run by the user. Upon execution, Sober copies itself to one of the following files in the Windows directory:

- antiv.exe
- csrss.exe
- driver.exe
- driverini.exe
- drv.exe
- explorer.exe
- filexe.exe
- hlp16.exe
- lssas.exe
- qname.exe
- services.exe
- smss.exe
- spoole.exe
- swchost.exe
- syshost.exe
- systemchk.exe
- systemini.exe
- winchk.exe
- winlog32.exe
- winreg.exe

It then adds appropriate keys to the Windows registry to ensure activation on Windows startup, along with a few empty files in the Windows directory. These empty files are used to deactivate previous Sober variants.

Spread

Sober can e-mail itself to all addresses in a user's e-mail address book. It spreads via e-mail using its own SMTP engine.

Deactivation of security software

Sober can deactivate several popular antivirus software packages, as well as Microsoft AntiSpyware and HijackThis.

Outbreaks

- October 24, 2003 – First discovery
- March 3, 2005 – Sober.L
- November 14, 2005 – Sober.T
- November 15, 2005 – Sober.X

21 November 2005 outbreak

E-mails containing the Sober.X worm were sent around the Internet disguised as an e-mail from either the Federal Bureau of Investigation or the Central Intelligence Agency, both organizations of the United States government. The e-mail claimed that the recipient had been caught visiting illegal websites, and asked the user to open an attachment to answer some questions. Once the infected attachment was opened, a variety of system-damaging events occurred: anti-virus and other security measures were disabled, as well as the ability to access websites for assistance; furthermore, contacts in the user's address book were sent an identical e-mail. It is also suspected that Sober.X functions as spyware by stealing personal information about the infected user.

MessageLabs, a computer security company, caught at least three million copies within 24 hours after the breakout, and McAfee, another system security research firm, reported over 70,000 cases of the virus on consumer computers.

A similar e-mail circulated in Germany. Claiming to be sent by the Bundeskriminalamt, the e-mail told its readers that they were caught downloading "pirated" software. Sober.X was included in an attachment.

Political motivations

In May 2005, the variant Sober.Q appeared. Whereas previous variants appeared to be motivated by commercial gain or by malicious intent, this was the first to seem politically motivated. Other variants (such as Sober.B) sent e-mails whose subject headers also indicated political intent, but these seemed to be designed to arouse the victim's interest, so that he or she would open the e-mail's attachment. Sober.Q does not send e-mails with attachments, instead preferring links to web sites with no viruses.

Sober.Q spread on computers to send messages of support for far-right groups in Germany pending the local elections in the state of North Rhine-Westphalia. Most appeared to be in support of, or directly from, the German political party NPD (Nationalist Party of Germany), with links to their website, as well as other forum entries. It is, however, unknown whether this virus originated from the NPD themselves, supporters of the party, a hacker group trying to place the blame on the party or a group attempting to discredit the party.

Similar to the above incident, the Sober virus was used again in 2005 by an unidentified German group to send out a widespread distribution of links to various political articles and commentaries. The effort seemed to be linked to German elections around the same time period.