Kaspersky Lab has detected a new version of Email-Worm.Win32.Sober, Sober.p, which is currently causing an epidemic in Western Europe.
This latest version of Sober was first detected by Kaspersky Lab virus analysts on 2nd May. Data from ISPs shows that this worm is currently the commonest malicious program found in mail traffic. Sober.p has broken records in terms of the number of infected messages sent out and speed of propagation throughout Western European segments of the Internet (e.g. in the Netherlands, Germany and Hungary among others). However, the number of messages which Kaspersky Lab has received about Sober.p from Russian and Asian users has been minimal.
Sober.p spreads as a .zip attachment to infected messages. The attachment contains a packed copy of the worm (which unpacks itself) that is approximately 53KB in size. The message subject is chosen at random from a defined list, as is the message itself. Both may be in German.
The worm is activated when the user launches the attachment. It will cause a fake error message to be displayed ('CRC not complete') and then copies itself to the system directory, naming the copies as if they are system services. It also creates copies of itself in other files, and registers these files in the system registry.
Once it has copied itself, the worm scans the victim machine for addresses to harvest, searching both address books, and a range of files, including text files, Power Point files and databases. Sober.p then sends itself to the addresses collected from the infected machine.
Kaspersky Anti-Virus databases already contain detection for Email-Worm.Win32.Sober.p. The Kaspersky Virus Encyclopaedia contains more information about the worm.