Sober worm resurfaces
The Sober worm, which caused a big headache for companies at the end of October, has returned.
W32.Sober.B@mm is virtually identical to its predecessor and has been rated as low to medium risk. However, the opportunity remains for major e-mail problems if system administrators are unprepared.
The worm, which was released from Germany and affects Windows operating systems, relies on classic user curiosity. While Sober.A pretended to come from an anti-virus company, headings for Sober B include "George W. Bush plans new war" and "Have you been hacked?".
An attachment with a variety of names from "yourlist" to "gwbush-new-wars" and a .com, .cmd, .exe or .pif file extension. If clicked, the attachment will install the worm on the computer. It also installs its own SMTP engine and starts e-mailing itself to every address it can find on the computer.
The first time the worm is installed, a fake error message appears, presumably to convince those who have opened the attachment that no harm has been done and the attachment is simply broken.
It also installs two versions of itself. If one is tackled, the other will reinstall itself. It also makes some changes in the registry so any infected machine will need the attentions of someone confident with carrying out registry tweaks.
