When a variant of Win32/Sober runs, it takes the following actions:
Creates one or more files at <system folder>\<random>.exe and runs them.
Creates a registry value with data: <full path> in registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
This causes the worm to run automatically whenever Windows starts.
Retrieves e-mail addresses that it finds in files on the infected computer, avoiding addresses that contain certain strings.
Creates the file <system folder>\<random>, where it saves those e-mail addresses.
Sends itself as an attachment to the e-mail addresses. The e-mail has a subject line and message body that are in English or German. The e-mail attachment may have one of the following extensions:
.bat
.exe
.pif
.src
.zip
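
The Run-key behavior described above can be checked during triage. The following Python code is an added example, not part of the original description: it parses `reg query` text output and flags Run values whose target is an .exe directly in the system folder and not in a baseline of expected entries. The sample output, value names, the `C:\WINDOWS\system32` location and the baseline are constructed assumptions.

```python
import ntpath
import re

# The two Run keys named in the description, lowercased for comparison.
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
RUN_KEYS = {h + RUN_SUFFIX for h in ("hkey_current_user", "hkey_local_machine")}

# Constructed sample in the layout printed by `reg query <key>`; not real data.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    xkqzvbw    REG_SZ    C:\WINDOWS\system32\xkqzvbw.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /background
    wqpjd    REG_EXPAND_SZ    %SystemRoot%\System32\wqpjd.exe
"""

def parse_reg_query(text):
    """Yield (key, value_name, data) for each value line under a key header."""
    key = None
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        if not line.startswith(" "):
            key = line.strip()          # unindented line = key header
            continue
        m = re.match(r"\s+(.+?)\s{4}REG_\w+\s{4}(.*)$", line)
        if m and key:
            yield key, m.group(1), m.group(2)

def image_path(data, system_root):
    """Expand %SystemRoot%/%windir% and strip quotes and arguments."""
    data = re.sub(r"%(systemroot|windir)%", lambda _: system_root, data, flags=re.I).strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?:\s|$)", data, re.I)
    return m.group(1) if m else data

def suspicious_run_values(text, system_root=r"C:\WINDOWS", baseline=frozenset()):
    """Return Run values targeting a non-baseline .exe directly in the system folder."""
    system_dir = ntpath.normcase(ntpath.join(system_root, "system32"))  # assumed location
    hits = []
    for key, name, data in parse_reg_query(text):
        if key.lower() not in RUN_KEYS:
            continue
        path = ntpath.normcase(ntpath.normpath(image_path(data, system_root)))
        folder, exe = ntpath.split(path)
        if folder == system_dir and exe.endswith(".exe") and exe not in baseline:
            hits.append((key, name, path))
    return hits
```

Legitimate programs also register system-folder executables under Run, so a hit is a lead to examine against a known-good baseline rather than a verdict.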