Antivirus firms have been flooded with reports of a new Sober variant that uses random e-mail messages to trick users into opening infected attachments. This worm won't destroy the PCs it infects, but experts say it could seriously bog down e-mail servers.
"This is starting to push the boundaries of a medium risk assessment," Craig Schmugar, virus research manager for Santa Clara, Calif.-based McAfee Inc., said Monday afternoon. "We had reports from 8,000 customers in three hours."
Fortunately, Schmugar said, this latest variant -- named W32.Sober-P by McAfee, W32.Sober-O by Cupertino, Calif.-based Symantec Corp., W32.Sober-N by Lynnfield, Mass.-based Sophos, and Worm_Sober-S by Tokyo-based
According to Symantec, initial analysis indicates Sober-O spreads as an e-mail attachment with file names such as account_info-text.zip, mail_info.zip or our_secret.zip. The worm uses its own SMTP engine to send itself to addresses gathered from the machines it infects. The randomly chosen e-mail messages may be in English or German. One German message claims the recipient has won World Cup soccer tickets.
"We're seeing a trend where you have more of these locally tailored viruses," said Alfred Huger, senior director of engineering for Symantec. "Soccer is very big in Germany, so the message is designed to give the worm better pick-up there."
Huger said the worm doesn't belong in the same arena as a Sasser or Mydoom. But it's the fastest-spreading worm in recent months, prompting Symantec to issue a Level 3 alert. "At this stage, we're getting 70 submissions an hour, which is a middle-of-the-road level 3," he said.