New Sober Variant Spreads

A new version of the Sober e-mail worm is spreading, according to antivirus vendors, who have given the worm a midlevel threat rating.

The worm began spreading in Europe on Friday, and by the end of the workday there, it had spread to North America and was propagating there as well, says Marius van Oers, an Amsterdam-based antivirus research engineer at McAfee.

The Sober variant is referred to as Sober.j by McAfee and as Sober.i and by F-Secure and Kaspersky Labs. This variant is the latest version of a worm that first appeared in October last year.

The new worm sends itself as an attachment to German and English e-mail messages. Infected messages have various subjects and body texts. The worm is not activated until the recipient opens the attachment. Once opened, a fake error message is displayed and the worm creates two files in the Windows directory.

Similar to Previous Versions

Like its predecessors, Sober.i spreads by skimming e-mail addresses from victims' computers, then mailing copies of itself to those addresses.

The two files make it harder to manually remove the worm from an infected system, Van Oers says. Both files are loaded in the system's memory and when one is deleted the other will recreate it, he says. Antivirus software is able to remove the worm, he says.

In spreading, Sober.i adapts its message for German speaking audiences, inserting a German-language version of its pitch message into e-mail addresses belonging to German domains, such as those ending in .de for Germany, .ch for Switzerland, and .at for Austria, F-Secure of Helsinki says in an advisory.

"It appears that the virus originated in Germany," McAfee's Van Oers says.

Sober.i appears to do no damage to users' systems other than replicating itself. The worm does try to download software from a remote location, but that feature did not work when tested by McAfee, Van Oers says. The worm does not install any keystroke loggers or backdoors into the user's system.