Virus alert: sober.j launches attack
Thread poster: Natalie

Natalie  Identity Verified
Local time: 16:44
Member (2002)
English to Russian

Nov 19, 2004

Sober.j prevention and cure

This common e-mail virus is reportedly spreading rapidly, mostly in Europe

By Robert Vamosi
Senior Edition, CNET Reviews

The worm Sober.j is an e-mail virus spreading rapidly, mostly in Europe, written in both German and English, that attempts to install a backdoor Trojan horse.

Sober.j (also known as Sober.i) arrives as an e-mail from someone you might know. The attached file is either an exe or zip-compressed file. The e-mail has various subject lines and body texts, so it's best to simply avoid opening attached files unless you are certain of its content. Sober.j does not affect users of Mac OS, Linux, or any other operating systems. Because Sober.j spreads via e-mail, this worm rates a 6 on the CNET/ZDNet Virus Meter.

How it works
Sober.j arrives as an e-mail with various subject lines and body texts written in either German or English. The attached file is either a pif, zip, or bat.

Once running, Sober.j creates a bogus error message:

"WinZip_Data_Module is missing ~Error: {[random number]}"

It also creates files named by combining three of the following with the extension .exe:


For example, Sober.j would create files like these:


The names are also used in the Registry key listings, for example:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run "hostexpoler"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "wincryptx"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "disccryptx"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "runsmss32"

According to McAfee, the worm creates the following files in the Windows system folder:

clonzips.ssc (78,090 bytes)
clsobern.isc (77,738 bytes)
cvqaikxt.apk (0 bytes)
dgssxy.yoi (0 bytes)
nonzipsr.noz (77,738 bytes)
Odin-Anon.Ger (0 bytes)
sb2run.dii (0 bytes)
sysmms32.lla (0 bytes)
winexerun.dal (1,779 bytes)
winmprot.dal (1,832 bytes)
winroot64.dal (672 bytes)
winsend32.dal (1,779 bytes)
zippedsr.piz (78,090 bytes)

Do not open e-mail attached files unless you are absolutely certain of the contents. If you must open an attached file, save it to your hard drive first, then have your antivirus scanner process it before opening.

Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see

Direct link Reply with quote
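An added example, not part of the original post or the CNET article: a check that compares a folder listing and a set of Run-key value names against the indicators quoted above. The Run value names are only the four examples the article gives, and the temporary folder, the Run entries and the `placeholder.exe` path in `demo()` are constructed sample data.

```python
import os
import tempfile

# File names and sizes (bytes) the article attributes to McAfee's analysis.
SOBER_J_FILES = {
    "clonzips.ssc": 78090, "clsobern.isc": 77738, "cvqaikxt.apk": 0,
    "dgssxy.yoi": 0, "nonzipsr.noz": 77738, "odin-anon.ger": 0,
    "sb2run.dii": 0, "sysmms32.lla": 0, "winexerun.dal": 1779,
    "winmprot.dal": 1832, "winroot64.dal": 672, "winsend32.dal": 1779,
    "zippedsr.piz": 78090,
}
# Run-key value names the article lists as examples (not an exhaustive set).
SOBER_J_RUN_VALUES = {"hostexpoler", "wincryptx", "disccryptx", "runsmss32"}


def scan_system_folder(folder):
    """Return (name, size, size_matches) for files whose name is on the list."""
    hits = []
    for entry in os.scandir(folder):
        # Windows file names are case-insensitive, so compare in lower case.
        expected = SOBER_J_FILES.get(entry.name.lower())
        if expected is not None and entry.is_file():
            size = entry.stat().st_size
            # A name match with a different size is still reported, but flagged.
            hits.append((entry.name, size, size == expected))
    return sorted(hits)


def scan_run_values(run_values):
    """run_values: {value name: command line} exported from a Run key."""
    return sorted(n for n in run_values if n.lower() in SOBER_J_RUN_VALUES)


def demo():
    """Constructed sample: a temporary folder and a made-up Run key export."""
    with tempfile.TemporaryDirectory() as folder:
        for name, size in [("WinRoot64.dal", 672), ("sb2run.dii", 0),
                           ("winmprot.dal", 10), ("notepad.exe", 1234)]:
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"\0" * size)
        files = scan_system_folder(folder)
    run = scan_run_values({"WinCryptX": r"C:\WINDOWS\system32\placeholder.exe",
                           "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"})
    return files, run


if __name__ == "__main__":
    print(demo())
```

On a real machine, `scan_system_folder` would be pointed at the Windows system folder and `scan_run_values` fed the values read from the three Run keys shown above.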

Fernando Toledo  Identity Verified
Local time: 16:44
Member (2005)
German to Spanish
Sorry but... Nov 19, 2004

...I cannot believe there are still people who open such a file?

Where is the problem?

It is the same old shoe.

Danger comes from emails where you do not need to do anything or URLs where simply visiting them can infect you, but a "Pif" file? Please, I hope there is no translator so naive as to open it.


Direct link Reply with quote

Christine Andersen  Identity Verified
Local time: 16:44
Member (2003)
Danish to English
"Someone you might know" is the problem! Nov 22, 2004

The advice about saving the file onto your hard disk and having your virus program check it is the most important. (And you have, of course, updated your virus program this morning?)

I get files from lots of people - most of my jobs among other things... and if a new outsourcer contacts me, or one of my colleagues has an address I don't know by heart... Translators get files from everywhere!

It's not stupid if you get a mail you don't recognise at once, but do remember the simple safety routine, even when you think you trust the sender!

Besides, even your best friends and most trusted agents may have 'caught' a virus by accident. I've learnt the hard way! So check them anyway...

Thanks for the warning, Natalie!

Direct link Reply with quote
Charlotte Blank  Identity Verified
Local time: 16:44
Czech to German
It's even more dangerous... Nov 23, 2004

Hi everybody,

I just got a mail from hotmail (at least that's what was written as sender), subject: Your password. I never had anything to do with hotmail but being curious I opened it and there was - right - a zip-attachment. So far it was "normal" but the end of this mail was

"*-*-* Anti_Virus: No Virus was found
> *-*-* FONI- Anti_Virus Service
> *-*-*"

which meant - to me - that this mail had been checked by my provider's antivirus system. I was astonished to read this and forwarded the mail to my yahoo- and Czech addresses - and, oh wonder, both of them detected this sober-worm.
So I wrote a letter to foni and asked how this "No Virus was found" came into my mail and they told me that it's more and more common for virus-writers to include such messages...
So be on your guard more than ever and don't trust anyone and any mail (isn't it really a shame?!)!


PS Any attachment which has about 78 KB seems to be suspicious

[Edited at 2004-11-23 18:20]

Direct link Reply with quote
