
Zone Labs Security Advisory Severity: Medium

Win32.Sober.W

Overview: Zone Labs is monitoring the rapidly increasing spread of the email worm, Win32.Sober.W. This worm presents a significant risk to computer users. As such, this vulnerability has been classified “Medium Risk.”


Date Published: Nov 21, 2005
Date Last Revised: Nov 21, 2005


Impact: Win32.Sober.W attempts to compromise system integrity in the following ways:

  • Spread through email
  • Terminate Processes

Description: Win32.Sober.W spreads via e-mail attachments with a .zip extension. The e-mail messages can be in either English or German. Upon execution, the worm creates a WinSecurity folder in the %Windows% folder (variable location, depending on the operating system). It copies itself to the WinSecurity folder as services.exe, smss.exe and csrss.exe and modifies the registry to execute the following at every Windows restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ Windows = "%Windows%\WinSecurity\services.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\_Windows = "%Windows%\WinSecurity\services.exe"

For a full list of possible file names, please visit the Zone Labs Virus Information Center: http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=49473.
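A triage check for the persistence described above, as an added example that is not part of the original advisory or any Zone Labs tool: it parses saved `reg query` output for the two Run keys and flags any autorun whose image sits in a WinSecurity folder. The function names, the sample export and the assumed four-space column layout of `reg query` are this example's own.

```python
import ntpath
import re

# From the advisory: folder created under %Windows% and the copies' file names.
DROP_FOLDER = "winsecurity"
LISTED_NAMES = {"services.exe", "smss.exe", "csrss.exe"}

# A value line of `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
# The lazy name group keeps a leading space (the advisory prints the HKLM name with one).
VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")

def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m.group(1), m.group(3)

def image_path(data):
    """Return the executable path of a Run value, quoted or bare, without arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", data, re.IGNORECASE)
    return m.group(1) if m else data

def sober_run_entries(text):
    """Return (key, value_name, path, name_is_listed) for autoruns inside WinSecurity."""
    hits = []
    for key, name, data in parse_reg_query(text):
        path = image_path(data)
        folder, exe = ntpath.split(path.lower())
        if ntpath.basename(folder) == DROP_FOLDER:
            hits.append((key, name, path, exe in LISTED_NAMES))
    return hits

# Constructed sample, shaped like `reg query <key>` output for the two Run keys.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
     Windows    REG_SZ    C:\WINDOWS\WinSecurity\services.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    _Windows    REG_SZ    C:\WINDOWS\WinSecurity\services.exe
    Updater    REG_SZ    "C:\Program Files\Acme\services.exe" /background
"""

if __name__ == "__main__":
    for hit in sober_run_entries(SAMPLE):
        print(hit)
```

The match is on the folder rather than the file name, so copies under names from the vendor's longer list are still reported, with the last tuple field set to False.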


ZoneAlarm Family:

ZoneAlarm SmartDefense Advisor blocks the Win32.Sober.W program.

ZoneAlarm Anti-Virus and ZoneAlarm Security Suite recognize this worm as Win32.Sober.W. The anti-virus features within these products will recognize and automatically quarantine this worm.

Furthermore, ZoneAlarm Pro, ZoneAlarm Anti-Virus, ZoneAlarm Wireless and ZoneAlarm Security Suite prevent infection through Inbound MailSafe Protection which blocks .ZIP file attachments by default. Program Control will alert the computer user if malicious code attempts to access the network.

Recommended Actions:

  • Ensure Inbound MailSafe Protection is enabled and the .zip extension is set to “Quarantine” during the initial outbreak and infection phase.
  • Ensure Lock Hosts File is enabled.
    To confirm, select Firewall | Main. Click Advanced. Within the dialogue, confirm the "Lock hosts file" box is checked.
  • Monitor Program Control alerts for processes associated with this worm.
  • Update antivirus products to provide the most up-to-date protection.

Related Resources:

Contact: Zone Labs customers who are concerned about information contained in this advisory or have additional technical questions may reach our Technical Support team at: http://www.zonelabs.com/support/. To report security issues with Zone Labs products contact security@zonelabs.com.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Zone Labs and Zone Labs products, are registered trademarks of Zone Labs Incorporated and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Copyright: ©2005 Zone Labs LLC. All rights reserved. Zone Labs, TrueVector, ZoneAlarm, and Cooperative Enforcement are registered trademarks of Zone Labs LLC. The Zone Labs logo, Check Point Integrity and IMsecure are trademarks of Zone Labs, LLC. Check Point Integrity protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat. & TM Off. Cooperative Enforcement is a service mark of Zone Labs LLC. All other trademarks are the property of their respective owners.

Any reproduction of this alert other than as an unmodified copy of this file requires authorization from Zone Labs. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Zone Labs LLC.

 

 

©1999-2006 Zone Labs LLC All rights reserved.