Secunia - Stay Secure

Sober.I

First Report: 2004-11-19 10:13
Last Update: 2004-12-02 23:33
Risk Rating: High Risk
Aliases:
  I-Worm.Sober.i
  Sober.H@mm
  Sober.I
  Trojan.Win32.VB.qa
  W32.Sober.I@mm
  W32/Sober-I
  W32/Sober.H@mm
  W32/Sober.I.worm
  W32/Sober.I@mm
  W32/Sober.j@MM
  Win32.Sober.I
  Win32.Sober.I!ZIP
  WORM_SOBER.I
Virus Alerts:
  2004-11-23 23:37  Secunia issued a HIGH RISK alert for this virus.
  2004-11-19 10:37  Secunia issued a MEDIUM RISK alert for this virus.

Information From AntiVirus Vendors


Below is the virus information from the antivirus vendors included in this Secunia Virus Profile, together with links to removal tools where a vendor provides them.

The entries are sorted by the date on which the information first became publicly available on the vendor's website, earliest first. All timestamps are GMT+1.





#1 - PANDA ANTIVIRUS

Sober.I

Severity: 4/4
File Size: -
Reported: 2004-11-19 10:13
Last Update: 2004-12-02 23:33
Description: It does not have destructive effects. It spreads via e-mail in a message with variable characteristics.
Full Report From Vendor

ChangeLog:

Changes are listed in reverse chronological order, latest change first.


2004-11-19 22:47 Severity was raised from 3/4 to 4/4.


2004-11-19 13:03 Description was changed.

New:

"It does not have destructive effects. It
spreads via e-mail in a message with variable
characteristics."

Old:
"It spreads via e-mail in a message with
variable characteristics."



#2 - F-SECURE

Sober.I

Severity: 2/3
File Size: -
Reported: 2004-11-19 10:21
Last Update: 2004-11-19 16:01
Description: F-Secure has raised the alert level of this virus to Radar LEVEL 2:
Full Report From Vendor

ChangeLog:

Changes are listed in reverse chronological order, latest change first.


2004-11-19 16:01 Description was changed.

New:

"F-secure has raised alert level of this virus
to Radar LEVEL 2:"

Old:
"Sober.I appeared on November 19th, 2004. This
Sober is similar to previous versions. It
sends itself as an attachment to e-mail
messages with different subject and body
texts. Messages are composed from either
German or English text strings."


2004-11-19 11:51 Description was changed.

New:

"Sober.I appeared on November 19th, 2004. This
Sober is similar to previous versions. It
sends itself as an attachment to e-mail
messages with different subject and body
texts. Messages are composed from either
German or English text strings."

Old:
"Email worm Sober.I is spreading, mostly in
Europe. It sends highly variable German and
English emails with an attachment. The virus
drops several files to infected systems,
including spool32dir.exe."


2004-11-19 11:41 Severity was raised from N/A to 2/3.


2004-11-19 11:41 Description was changed.

New:

"Email worm Sober.I is spreading, mostly in
Europe. It sends highly variable German and
English emails with an attachment. The virus
drops several files to infected systems,
including spool32dir.exe."

Old:
"We are getting reports of a new Sober
variant. More information will follow."


2004-11-19 11:31 Severity was decreased from 2/3 to N/A.


2004-11-19 11:31 Severity was raised from N/A to 2/3.



#3 - MCAFEE

W32/Sober.j@MM

Severity: 4/7
File Size: 56,808 bytes (UPX'ed); 46,056 bytes (UPX'ed)
Reported: 2004-11-19 10:22
Last Update: 2004-11-20 00:31
Description: This is a new variant of this massmailer, compressed with UPX, which sends itself to harvested mail addresses found on an infected machine.
Full Report From Vendor  Removal Tool/Instructions

ChangeLog:

Changes are listed in reverse chronological order, latest change first.


2004-11-20 00:31 Updated information about removal tool/instructions.


2004-11-19 23:01 Description was changed.

New:

"This is a new variant of this massmailer,
compressed with UPX, which sends itself to
harvested mail addresses found on an infected
machine."

Old:
"If you think that you may be infected with
W32/Sober.j@MM, and are unsure how to check
your system, you may download the Stinger
tool to scan your system and remove the virus
if present. This is not required for McAfee
users as McAfee products are ca..."


2004-11-19 23:01 Updated information about removal tool/instructions.


2004-11-19 20:46 Description was changed.

New:

"If you think that you may be infected with
W32/Sober.j@MM, and are unsure how to check
your system, you may download the Stinger
tool to scan your system and remove the virus
if present. This is not required for McAfee
users as McAfee products are ca..."

Old:
"This is a new variant of this massmailer,
compressed with UPX, which sends itself to
harvested mail addresses found on an infected
machine."


2004-11-19 20:46 Updated information about removal tool/instructions.


2004-11-19 15:32 Description was changed.

New:

"This is a new variant of this massmailer,
compressed with UPX, which sends itself to
harvested mail addresses found on an infected
machine."

Old:
"An Extra.dat and a Superextra.dat are
available for download, and the 4409 DATs
will be released early for this threat.
Download EXTRA.DAT Download SUPEREXTRA.DAT
Note: Receiving an email alert stating that
the virus came from your email address is
n..."


2004-11-19 13:02 Description was changed.

New:

"An Extra.dat and a Superextra.dat are
available for download, and the 4409 DATs
will be released early for this threat.
Download EXTRA.DAT Download SUPEREXTRA.DAT
Note: Receiving an email alert stating that
the virus came from your email address is
n..."

Old:
"Note: 4409DATs will be released shortly."


2004-11-19 13:02 File size was changed.

New:
"56,808 bytes (UPX'ed) 46,056 bytes (UPX'ed)"

Old:
"56808 bytes (UPX packed)"


2004-11-19 11:57 Description was changed.

New:

"Note: 4409DATs will be released shortly."

Old:
"Top of Page"


2004-11-19 11:27 Severity was raised from 2/7 to 4/7.


2004-11-19 11:27 Description was changed.

New:

"Top of Page"

Old:
"AVERT has received a sample of this threat
and is currently in the process of analyzing
it. Details will be posted when they are
available. Please check back shortly. Top of
Page"


2004-11-19 11:27 File size was changed.

New:
"56808 bytes (UPX packed)"

Old:
"N/A"



#4 - SYMANTEC

W32.Sober.I@mm

Severity: 3/5
File Size: 56,808 bytes
Reported: 2004-11-19 10:34
Last Update: 2004-11-24 23:34
Description: W32.Sober.I@mm is a mass-mailing worm that uses its own SMTP engine to spread by sending itself as an email attachment to the addresses gathered from the infected computer. The subject of the email varies and will be in either English or German. The email sender address is spoofed. The name of the email attachment varies and has a .bat, .com, .pif, .scr, or .zip extension. The attachment may also have a double file extension.
Full Report From Vendor  Removal Tool/Instructions

ChangeLog:

Changes are listed in reverse chronological order, latest change first.


2004-11-24 23:34 Description was changed.

New:

"W32.Sober.I@mm is a mass-mailing worm that
uses its own SMTP engine to spread by sending
itself as an email attachment to the
addresses gathered from the infected
computer. The subject of the email varies and
will be in either English or German. The
email sender address is spoofed. The name of
the email attachment varies and has a .bat,
.com, .pif, .scr, or .zip extension. The
attachment may also have a double file
extension. "

Old:
"W32.Sober.I@mm is a mass-mailing worm that
uses its own SMTP engine to spread by sending
itself as an email attachment to the
addresses gathered from the infected
computer. The subject of the email varies and
will be in either English or German. The
email sender address is spoofed. The name of
the email attachment varies, and it will have
a .bat, .com, .pif, .scr, or .zip file
extension. The attachment may also have a
double extension. "


2004-11-23 23:34 Description was changed.

New:

"W32.Sober.I@mm is a mass-mailing worm that
uses its own SMTP engine to spread by sending
itself as an email attachment to the
addresses gathered from the infected
computer. The subject of the email varies and
will be in either English or German. The
email sender address is spoofed. The name of
the email attachment varies, and it will have
a .bat, .com, .pif, .scr, or .zip file
extension. The attachment may also have a
double extension. "

Old:
"W32.Sober.I@mm is a mass-mailing worm that
uses its own SMTP engine to spread by sending
itself as an email attachment to addresses
gathered from the infected computer. The
subject of the email varies and will be in
either English or German. The email sender
address is spoofed. The name of the email
attachment varies, and it will have a .bat,
.com, .pif, .scr, or .zip file extension. The
attachment may also have a double extension. "


2004-11-19 20:33 Description was changed.

New:

"W32.Sober.I@mm is a mass-mailing worm that
uses its own SMTP engine to spread by sending
itself as an email attachment to addresses
gathered from the infected computer. The
subject of the email varies and will be in
either English or German. The email sender
address is spoofed. The name of the email
attachment varies, and it will have a .bat,
.com, .pif, .scr, or .zip file extension. The
attachment may also have a double extension. "

Old:
"W32.Sober.I@mm is a mass-mailing worm that
uses its own SMTP engine to spread by sending
itself as an email attachment to addresses
gathered from the infected computer. "


2004-11-19 20:33 File size was changed.

New:
"56,808 bytes"

Old:
"56808 bytes"


2004-11-19 20:33 Updated information about removal tool/instructions.


2004-11-19 15:04 File size was changed.

New:
"56808 bytes"

Old:
"N/A"


2004-11-19 15:00 File size was changed.

New:
"N/A"

Old:
"56808 bytes"


2004-11-19 14:54 File size was changed.

New:
"56808 bytes"

Old:
"N/A"


2004-11-19 12:39 Severity was raised from 2/5 to 3/5.


2004-11-19 12:39 Description was changed.

New:

"W32.Sober.I@mm is a mass-mailing worm that
uses its own SMTP engine to spread by sending
itself as an email attachment to addresses
gathered from the infected computer. "

Old:
"W32.Sober.I@mm is a variant of the Sober
family of worms. It is a mass-mailing worm
that uses its own SMTP engine to spread by
sending an email to addresses gathered from
files on the infected computer. These emails
may be in either English or German. "


2004-11-19 11:10 Description was changed.

New:

"W32.Sober.I@mm is a variant of the Sober
family of worms. It is a mass-mailing worm
that uses its own SMTP engine to spread by
sending an email to addresses gathered from
files on the infected computer. These emails
may be in either English or German. "

Old:
"W32.Sober.I@mm is a variant of the Sober
family of worms and spreads via email."
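
A mail-gateway triage script for the attachment pattern Symantec describes in entry #4 above (executable or ZIP attachment, optionally with a double extension, spoofed sender, English or German subject). This is an added example and not code from Secunia or any vendor on this page. The extensions, the double-extension trick and the file sizes are taken from the vendor entries; the sample message, its subject, the attachment names and the zero-filled attachment contents are constructed here, and the `KNOWN_SIZES` table is an assumption a real gateway would tune rather than a signature.

```python
"""Mail-gateway triage for Sober.I-style attachments.

Added example, not Secunia's or Symantec's code. Facts from the page: the
attachment extensions, the double-extension trick and the reported sizes.
Everything else (policy names, the sample message, attachment contents) is
constructed for the demonstration.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the Symantec write-up lists for the worm's attachment.
EXECUTABLE_EXTS = {".bat", ".com", ".pif", ".scr"}
ARCHIVE_EXTS = {".zip"}
# Sizes reported on this page: the UPX-packed executable (McAfee, Symantec,
# CA), the smaller packed sample (McAfee, CA) and the ZIP archive (CA).
# Assumption: attachments arrive byte-for-byte as sent.
KNOWN_SIZES = {56808, 46056, 57064}


def name_findings(filename):
    """Reasons a filename matches the worm's attachment naming pattern."""
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append("executable extension " + ext)
    # e.g. "Rechnung.txt.pif": a harmless-looking middle extension hides the real one.
    if len(parts) > 2 and ext in EXECUTABLE_EXTS | ARCHIVE_EXTS:
        findings.append("double extension (" + ".".join(parts[-2:]) + ")")
    return findings


def payload_findings(filename, data):
    """Combine name checks, a size check and a look inside ZIP archives."""
    findings = [(filename, f) for f in name_findings(filename)]
    if len(data) in KNOWN_SIZES:
        findings.append((filename, f"size {len(data)} matches a reported sample size"))
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    for f in name_findings(info.filename):
                        findings.append((filename + ":" + info.filename, f))
        except zipfile.BadZipFile:
            # A .zip name on non-ZIP bytes is itself worth flagging.
            findings.append((filename, "claims .zip but is not a valid archive"))
    return findings


def triage_message(raw):
    """Parse a raw RFC 5322 message; return (attachment name, reason) tuples."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        results.extend(payload_findings(name, data))
    return results


def build_sample_message():
    """Constructed message imitating the described pattern; not the worm."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"   # constructed, spoofed-looking sender
    msg["To"] = "user@example.net"
    msg["Subject"] = "Ihre Rechnung"          # constructed German subject
    msg.set_content("Bitte lesen Sie die angehaengte Datei.")
    # Double extension ending in an executable type, sized like the packed worm.
    msg.add_attachment(b"\0" * 56808, maintype="application",
                       subtype="octet-stream", filename="Rechnung.txt.pif")
    # A ZIP whose member is itself a screensaver executable.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Details.scr", b"\0" * 16)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Details.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in triage_message(build_sample_message()):
        print(f"{name}: {reason}")
```

`triage_message` returns findings rather than a verdict so a gateway can decide its own policy (quarantine on any executable extension, or only on a size match plus a double extension). The ZIP branch matters because the worm was also distributed as an archive, and an extension filter that stops at the `.zip` name would pass it through.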



#5 - TREND MICRO

WORM_SOBER.I

Severity: 2/3
File Size: -
Reported: 2004-11-19 10:36
Last Update: 2004-11-20 19:41
Description: As of November 19, 2004, 1:31 AM (GMT - 08:00), TrendLabs has declared a Yellow Alert to control the spread of this malware, which is propagating via email in Germany, France, and Austria. Users are advised to be wary of email messages containing the following message body:
Full Report From Vendor

ChangeLog:

Changes are listed in reverse chronological order, latest change first.


2004-11-20 19:41 Severity was raised from N/A to 2/3.


2004-11-20 19:41 Description was changed.

New:

"As of November 19, 2004, 1:31 AM (GMT -
08:00), TrendLabs has declared a Yellow Alert
to control the spread of this malware, which
is propagating via email in Germany, France,
and Austria. Users are advised to be wary of
email messages containing the following
message body:"

Old:
"N/A"


2004-11-20 18:45 Severity was decreased from 2/3 to N/A.


2004-11-20 18:45 Description was changed.

New:

"N/A"

Old:
"As of November 19, 2004, 1:31 AM (GMT -
08:00), TrendLabs has declared a Yellow Alert
to control the spread of this malware, which
is propagating via email in Germany, France,
and Austria. Users are advised to be wary of
email messages containing the following
message body:"


2004-11-19 16:12 Description was changed.

New:

"As of November 19, 2004, 1:31 AM (GMT -
08:00), TrendLabs has declared a Yellow Alert
to control the spread of this malware, which
is propagating via email in Germany, France,
and Austria. Users are advised to be wary of
email messages containing the following
message body:"

Old:
"As of November 19, 2004, 1:31 AM (GMT -
08:00), TrendLabs has declared a Yellow Alert
to control the spread of this malware, which
is spreading via email in Germany, France,
and Austria. Users are advised to be wary of
email messages containing the following
message body:"


2004-11-19 14:26 Description was changed.

New:

"As of November 19, 2004, 1:31 AM (GMT -
08:00), TrendLabs has declared a Yellow Alert
to control the spread of this malware, which
is spreading via email in Germany, France,
and Austria. Users are advised to be wary of
email messages containing the following
message body:"

Old:
"As of November 19, 2004, 1:31 AM (GMT -
08:00), TrendLabs has declared a Yellow Alert
to control the spread of this malware, which
is spreading via email in Germany, France,
and Australia. Users are advised to be wary
of email messages containing the following
message body:"


2004-11-19 14:05 Description was changed.

New:

"As of November 19, 2004, 1:31 AM (GMT -
08:00), TrendLabs has declared a Yellow Alert
to control the spread of this malware, which
is spreading via email in Germany, France,
and Australia. Users are advised to be wary
of email messages containing the following
message body:"

Old:
"As of November 19, 2004 at 1:31 AM (GMT -8:00
Pacific Standard Time), TrendLabs has
declared a MEDIUM risk virus alert in order
to control the spread of this new SOBER
variant. TrendLabs has received numerous
infection reports indicating that this
malware is spreading in France, Germany, and
Austria."


2004-11-19 13:52 Description was changed.

New:

"As of November 19, 2004 at 1:31 AM (GMT -8:00
Pacific Standard Time), TrendLabs has
declared a MEDIUM risk virus alert in order
to control the spread of this new SOBER
variant. TrendLabs has received numerous
infection reports indicating that this
malware is spreading in France, Germany, and
Austria."

Old:
"As of November 19, 2004 at 1:31 AM (GMT -8:00
Pacific Standard Time), TrendLabs has
declared a MEDIUM risk virus alert in order
to control the spread of this new SOBER
variant. TrendLabs has received numerous
infection reports indicating that this
malware is spreading in France, Germany, and
Australia."


2004-11-19 12:32 Description was changed.

New:

"As of November 19, 2004 at 1:31 AM (GMT -8:00
Pacific Standard Time), TrendLabs has
declared a MEDIUM risk virus alert in order
to control the spread of this new SOBER
variant. TrendLabs has received numerous
infection reports indicating that this
malware is spreading in France, Germany, and
Australia."

Old:
"As of November 11, 2004 at 1:31 AM (GMT -8:00
Pacific Standard Time), TrendLabs has
declared a MEDIUM risk virus alert in order
to control the spread of this new SOBER
variant. TrendLabs has received numerous
infection reports indicating that this
malware is spreading in the France, Germany,
and Australia."


2004-11-19 11:02 Description was changed.

New:

"As of November 11, 2004 at 1:31 AM (GMT -8:00
Pacific Standard Time), TrendLabs has
declared a MEDIUM risk virus alert in order
to control the spread of this new SOBER
variant. TrendLabs has received numerous
infection reports indicating that this
malware is spreading in the France, Germany,
and Australia."

Old:
"As of November 11, 2004 at 1:31 AM (GMT
-8:00), TrendLabs has declared a MEDIUM risk
alert in order to control the spread of this
new SOBER variant. This mass-mailing worm
uses its own SMTP (Simple Mail Transfer
Protocol) engine, and is spreading in France,
Germany, and Australia."


2004-11-19 10:55 Description was changed.

New:

"As of November 11, 2004 at 1:31 AM (GMT
-8:00), TrendLabs has declared a MEDIUM risk
alert in order to control the spread of this
new SOBER variant. This mass-mailing worm
uses its own SMTP (Simple Mail Transfer
Protocol) engine, and is spreading in France,
Germany, and Australia."

Old:
"As of November 11, 2004 at 1:31 AM (GMT
-8:00), TrendLabs has declared a MEDIUM risk
alert in order to control the spread of this
new SOBER variant. This mass-mailing worm
uses its own SMTP (Simple Mail Transfer
Protocol) engine, and is spreading in France,
Germany, and Australia.Solution:Identifying
the Malware Program"


2004-11-19 10:42 Description was changed.

New:

"As of November 11, 2004 at 1:31 AM (GMT
-8:00), TrendLabs has declared a MEDIUM risk
alert in order to control the spread of this
new SOBER variant. This mass-mailing worm
uses its own SMTP (Simple Mail Transfer
Protocol) engine, and is spreading in France,
Germany, and Australia.Solution:Identifying
the Malware Program"

Old:
"TrendLabs has received several infection
reports regarding this new SOBER variant that
is spreading via email in France, Germany,
and Australia. Details of this malware will
be posted shortly.Solution:Identifying the
Malware Program"



#6 - COMPUTER ASSOCIATES

Win32.Sober.I

Severity: 3/5
File Size: 56,808
Reported: 2004-11-19 10:52
Last Update: 2004-11-26 23:31
Description: Sober.I is a worm that spreads via e-mail. The worm has been distributed as a 56,808-byte, UPX-packed, Win32 executable or as a 57,064-byte ZIP archive. Once activated, the worm displays a fake error message:
Full Report From Vendor

ChangeLog:

Changes are listed in reverse chronological order, latest change first.


2004-11-22 03:41 Description was changed.

New:

"Sober.I is a worm that spreads via e-mail.
The worm has been distributed as a
56,808-byte, UPX-packed, Win32 executable or
as a 57,064-byte ZIP archive. Once activated,
the worm displays a fake error message:"

Old:
"Sober.I is a worm spreading through the
e-mail system. The worm has been distributed
as a 56,808-byte UPX Win32 executable or a
57,064-byte ZIP archive. Once activated, the
worm displays a fake error message:"


2004-11-19 20:01 Description was changed.

New:

"Sober.I is a worm spreading through the
e-mail system. The worm has been distributed
as a 56,808-byte UPX Win32 executable or a
57,064-byte ZIP archive. Once activated, the
worm displays a fake error message:"

Old:
"Sober.I is a worm spreading through the
e-mail system. The worm has been distributed
as a 46,056-byte UPX Win32 executable or a
57,064-byte ZIP archive. When executed the
worm copies itself to the System folder using
a variable name constructed from the
following strings:"


2004-11-19 20:01 File size was changed.

New:
"56,808"

Old:
"46,056"


2004-11-19 16:06 Severity was raised from N/A to 3/5.


2004-11-19 16:06 Description was changed.

New:

"Sober.I is a worm spreading through the
e-mail system. The worm has been distributed
as a 46,056-byte UPX Win32 executable or a
57,064-byte ZIP archive. When executed the
worm copies itself to the System folder using
a variable name constructed from the
following strings:"

Old:
"N/A"


2004-11-19 16:06 File size was changed.

New:
"46,056"

Old:
"N/A"
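
A static check for a captured sample, matching what McAfee (#3) and Computer Associates (#6) report: a UPX-packed Win32 executable of 56,808 bytes, with a 46,056-byte packed sample also reported. This is an added example, not code from Secunia or any vendor on this page. It parses the PE section table and flags the packer's default section names (UPX0/UPX1/UPX2 are the names UPX writes by default; a repacked or patched sample can rename them, so this is a heuristic, not proof), then compares the file size with the reported values. `build_sample_pe` constructs a header-only PE stub for the demonstration and is not the worm; the `REPORTED_SIZES` table and the assumption that sizes are exact file sizes are mine.

```python
"""Static triage of a suspected Sober.I sample: UPX section names and file size.

Added example, not code from Secunia or any vendor named on the page. The sizes
come from the McAfee/Symantec/CA entries; the UPX section-name heuristic is
general knowledge about the packer's defaults. build_sample_pe() constructs a
header-only PE stub for the demonstration; it is not the worm.
"""
import struct

# Default section names written by the UPX packer. A repacked or patched
# sample can rename them, so their presence is evidence, not proof.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

# Sizes reported on this page for the packed executable (assumed to be exact
# file sizes; tune if a gateway strips or pads attachments).
REPORTED_SIZES = {
    56808: "UPX-packed executable (McAfee, Symantec, CA)",
    46056: "smaller UPX-packed sample (McAfee, CA)",
}


def pe_section_names(data):
    """Return the section names of a PE image, raising ValueError if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                    # COFF file header, 20 bytes
    nsections, = struct.unpack_from("<H", data, coff + 2)  # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                           # section table starts here
    names = []
    for i in range(nsections):
        raw = data[table + 40 * i:table + 40 * i + 8]      # 40-byte entry, 8-byte name
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0"))
    return names


def triage_executable(data):
    """Return a list of findings; an empty list means nothing matched."""
    findings = []
    upx = [n.decode("ascii", "replace")
           for n in pe_section_names(data) if n in UPX_SECTION_NAMES]
    if upx:
        findings.append("UPX section names present: " + ", ".join(upx))
    if len(data) in REPORTED_SIZES:
        findings.append(f"size {len(data)} matches {REPORTED_SIZES[len(data)]}")
    return findings


def build_sample_pe(section_names, total_size):
    """Constructed PE32 stub: DOS header, PE signature, COFF header, blank
    optional header, section table with the given names, zero-padded to
    total_size. Only the fields pe_section_names() reads are filled in."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = b"\0" * 224                                 # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                       len(optional), 0x102)
    table = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return (dos + b"PE\0\0" + coff + optional + table).ljust(total_size, b"\0")


if __name__ == "__main__":
    sample = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], 56808)
    for finding in triage_executable(sample):
        print(finding)
```

On a real sample the two signals should be read together: a size match alone is weak (any file can be 56,808 bytes), and UPX alone is common in legitimate software, but a mail attachment with an executable extension that is both UPX-packed and exactly the reported size is worth pulling for analysis.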



#7 - SOPHOS

W32/Sober-I

Severity: 5/5
File Size: -
Reported: 2004-11-19 11:38
Last Update: 2004-11-23 23:33
Description: -
Full Report From Vendor  Removal Tool/Instructions

ChangeLog:

Changes are listed in reverse chronological order, latest change first.


2004-11-23 23:33 Severity was raised from 3/5 to 5/5.




Please note: The information that this Secunia Virus Profile is based on comes from a third party unless stated otherwise.

The grouping is done fully automatically, so minor inconsistencies may occur. For more information about Secunia Virus Information, please read: About Virus Information.







Copyright 2002-2008 Secunia