A new variant of the Sober email worm series is spreading rapidly across the net. Like previous variants, Sober-N [1] spreads as an infected ZIP attachment to messages written in either German or English.

Infected emails pose as a message from a net user who claims to have received the intended victim's email in error in a bid to fool users into opening an attachment containing malicious code. The worm composes messages with subject lines such as "I've_got your EMail on my_account!" and "FwD: Ich bin's nochmal" with attachments such as your_text.zip (weighing in at 73KB). Sober-N only infects Windows machines.

More than 86,700 emails containing the new Sober-N were sent to UK businesses since the early hours of Tuesday morning, according to email security company BlackSpider Technologies. Most anti-virus vendors rate Sober as a medium-risk worm. Sober-N is the fourteenth incarnation of a worm first seen [2] in October 2003.

Standard defence precautions against viral attacks apply in defending against Sober-N: corporates should consider blocking executables at the gateway and update anti-virus signature definition files to detect the virus. Home users should also update anti-virus tools and resist the temptation to open suspicious-looking emails. ®

Related stories

Sober worm speaks with forked tongue [3]
Beware sober worm bearing gifts [4]
Sober email worm gives Windows users the DTs [5]
FBI issues Sober notice over Windows worm [6]
The strange decline of computer worms (perhaps we spoke too soon) [7]

Links

1. http://www.f-secure.com/v-descs/sober_n.shtml
2. http://securityresponse.symantec.com/avcenter/venc/data/w32.sober@mm.html
3. http://www.theregister.co.uk/2004/11/19/sober_worm/
4. http://www.theregister.co.uk/2004/03/08/beware_sober_worm_bearing_gifts/
5. http://www.theregister.co.uk/2003/10/28/sober_email_worm_gives_windows/
6. http://www.theregister.co.uk/2005/02/24/sober_worm_fbi_warning/
7. http://www.channelregister.co.uk/2005/03/17/f-secure_websec/