Several antivirus firms said Monday that a new member of the Sober worm family is in the wild. Sober-L is much like its predecessors, with one key difference:
"It locks itself in your computer's memory and rewrites the registry key," said Andrew Lee, chief technology officer for San Diego-based Eset. "Once it's in memory, you can't detect it. It hides itself very well and is extremely hard to clean."
Lee said his firm has gotten reports mostly from Germany and Spain. But there have also been sightings in the United States and elsewhere. "It's very widespread in Germany right now, and there are pockets in other countries," he said.
Lynnfield, Mass.-based Sophos said Sober-L is much like its predecessors, using e-mail attachments to spread and targeting Windows systems. According to the company's advisory, the latest variant:
- Sends itself to e-mail addresses found on the infected computer;
- Forges the sender's e-mail address; and
- Uses its own e-mailing engine.
The firm issued an alert Monday afternoon saying it had received "several reports" of the worm in the wild.
Tokyo-based Trend Micro had also gotten a number of infection reports Monday afternoon. In its advisory, the company said the overall threat was low for now but that the damage and distribution potential was high.