The latest variant of the prolific Sober worm remains a medium-level threat though fewer antivirus customers are reporting it to vendors. The Sober.r worm gainined attention last night when AV vendor McAfee Inc. upgraded its threat level of medium after getting a dozen samples within an hour of its mass release via spam. Tokyo-based Trend Micro Inc. also upgraded its threat rating based on activity in Japan.
This new strain of the 2-year-old Sober worm that poses as an e-mail notification of a password change. Sober.r arrives in a .zip file attached to an e-mail containing an executable file named "PW_Klauss.Pic.packed-bitmap.exe." The malicious code contains its own SMTP engine to create outgoing messages in English or German, depending on the Windows version running on a machine. This worm spreads by sending itself to addresses stored in a victim's machine. It arrives in a spoofed e-mail with the subject line "Your new password." The body of the message: "Your password was successfully changed! Please see the attached file for detailed information."
Once activated, the worm displays an error message while it's installing itself on the PC. There are no indications it grabs keystrokes or steals passwords, but McAfee's Antivirus and Vulnerability Emergency Response Team (AVERT) raised its threat level to "medium" because of its prevelance.
"The varient came on strongly," AVERT virus researcher Craig Schmugar, said Thursday afternoon. "But it appears to have died down since." That's typical of Sober variants, he said, adding that two more have been released into the wild since Sober.r's announcement.
McAfee took the unusual step of notifying news agencies late last night about Sober.r's potential spread after seeing more than 50 unique reports in the wild immediately following its detection. In its advisory, the company recommends users immediately update their antivirus software to stay protected.