McAfee today announced that its Anti-virus and Vulnerability Emergency
Response Team (AVERT) raised its risk assessment to “Medium” on the
recently discovered W32/Sober.r, also known as Sober.r.
Sober.r is a fast-moving worm that spreads via e-mail, sending itself to
addresses found on the victim’s machine.
The worm arrives as a ZIP file that contains an executable file named
“PW_Klass.Pic.packed-bitmap.exe.” It has many of the same functions as its
Sober predecessors, researchers at McAfee’s AVERT said.
Users would need to manually extract the executable from the ZIP file and
manually run the attachment in order to be infected.
The bilingual German and English virus arrives with the subject line “Your
new Password” and contains a body reading: “Your password was successfully
changed! Please see the attached file for detailed information.”
The worm was first reported to McAfee AVERT researchers today, and they have
received more than 50 reports of the virus in the wild from unique senders.
The mass-mailing threat contains its own SMTP engine that constructs
outgoing messages written in either German or English, depending on the
version of Windows, the firm said.
Sober.r harvests addresses from local files and then uses the harvested
addresses to send itself. This enables the worm to produce a message with a
spoofed From address.
The first Sober worm arrived in 2003, and numerous variants have spread around
the Internet since. It spread quickly thanks to the lure of terms such as Paris
Hilton porn and World Cup soccer tickets.
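
The delivery described above, a ZIP attachment whose only purpose is to carry an executable, can be caught at a mail gateway by listing archive members instead of trusting the attachment name. The following is an added example, not code from McAfee or the original article; the function names, the extension list, the addresses and the attachment name `sample.zip` are assumptions, and the sample message is constructed with harmless placeholder bytes.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly (illustrative list, an assumption of this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

def risky_zip_members(zip_bytes):
    """Return archive member names whose final extension is executable."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Only the last extension matters: "x.Pic.packed-bitmap.exe" is an .exe.
        return [name for name in zf.namelist()
                if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS]

def scan_message(raw_bytes):
    """Return (attachment name, flagged members) for each ZIP attachment with hits."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Identify ZIPs by content, not by the filename the sender chose.
        if zipfile.is_zipfile(io.BytesIO(payload)):
            hits = risky_zip_members(payload)
            if hits:
                findings.append((part.get_filename(), hits))
    return findings

def build_sample(member_name):
    """Constructed test message: a ZIP holding one placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"harmless placeholder bytes")
    msg = EmailMessage()
    msg["Subject"] = "Your new Password"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("Your password was successfully changed!")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="sample.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample("PW_Klass.Pic.packed-bitmap.exe")))
    print(scan_message(build_sample("notes.txt")))
```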