Antivirus vendors are rushing to update signature files to detect a new Sober worm variant that is becoming widespread.
"I suspect the virus writers are launching these things from zombie computers or bot farms to get the 'instant spread,'" said Roger Thompson, vice president of product development at PestPatrol.
W32.Sober-F@mm travels as either a .pif or a .zip file and sends its message in either German or English depending on the domain of the e-mail address it's sent to.
The worm is ranked as a medium-level threat for corporate users. Sober-F adds files to the system folder and creates registry keys to execute on system boot. According to Santa Clara, Calif.-based Network Associates, "This worm is intended to spread by sending itself to e-mail addresses found on the local system. The worm does not use any exploits in order to execute the attachment automatically. The worm is difficult to find and hides from many antivirus scanners. "
Experts recommend filtering executable attachments -- .exe, .pif, .scr, .com, .bat, .vbs, .lnk, and .hta, among them -- at the gateway and disabling HTML in e-mail either by filtering at the e-mail perimeter or at the e-mail client.