New version of Sober spreading actively

06 Jan 2006
Virus News

Kaspersky Lab, a leading developer of secure content management solutions that protect against viruses, Trojans, worms, spyware, hacker attacks and spam, has detected a new version of Email-Worm.Win32.Sober. [insert name] [which is currently causing an epidemic in Western Europe.]

This latest version of Sober was detected on [insert date]. It downloads itself to computers previously infected by Sober.y, and then sends itself to email addresses harvested from the victim machine. It spreads as an [attachment] to infected messages. The attachment contains [the body of the worm] which is approximately [X KB] in size.

[Details of infected messages - languages, message header, message body etc.]

The worm is activated when the user clicks on the attachment. It displays a fake error message ('CRC not complete') and then copies itself to the system directory, giving the copies names that resemble system services. It also writes copies of itself to other files and registers these files in the system registry. In addition, it creates a system registry entry that ensures the worm is launched each time Windows is rebooted on the victim machine.

Sober then scans the victim machine's address books and other files, and sends itself to email addresses which it harvests from these files.

An urgent antivirus database update containing detection for Sober has already been released. More details about the worm can be found in the Kaspersky Virus Encyclopaedia. [add appropriate link]