Antivirus vendors reported the discovery of a new Sober variant Friday. Dubbed Sober.I or Sober.J, the new worm variant was first detected in Western Europe and is rapidly spreading as users fail to heed warnings about opening unexpected e-mail attachments. Secunia rated this latest Sober variant a ‘Medium Risk’, F-Secure rated it a 2 out of 3, Symantec rated it a 3 out of 5, and other antivirus vendors have given it similar severity ratings.

Sober is a mass-mailing worm with its own SMTP engine. The worm spreads via e-mail messages with a subject line in either German or English. This latest variant’s English subject line contains either ‘Oh God’ or ‘Delivery_failure_notice’. The German version’s subject line promises nude images of a 21-year-old dancer. Attached to the e-mail is a file with a .bat, .com, .pif, .scr, or .zip extension. The attachment may also have a double extension.
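
The message traits described above can be checked at a mail gateway. The following is an added example, not code from this report or from any vendor: the function names and sample messages are constructed for illustration, and the German subject line is not matched because the report does not quote it.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
RISKY_EXTS = {".bat", ".com", ".pif", ".scr", ".zip"}
SUBJECT_MARKERS = ("oh god", "delivery_failure_notice")


def attachment_findings(filename):
    """Return the reasons one attachment name matches the description."""
    # Windows ignores trailing dots and spaces, so strip them before checking.
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or "." + parts[-1] not in RISKY_EXTS:
        return []
    reasons = ["listed extension ." + parts[-1]]
    if len(parts) >= 3 and parts[-2]:
        reasons.append("double extension ." + parts[-2] + "." + parts[-1])
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and list every matching indicator."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    subject = str(msg.get("Subject", "")).lower()
    for marker in SUBJECT_MARKERS:
        if marker in subject:  # weak signal on its own; combine with attachments
            findings.append("subject contains " + marker)
    for part in msg.walk():  # walk() also reaches nested MIME parts
        fname = part.get_filename()
        if fname:
            findings += [f"{fname}: {r}" for r in attachment_findings(fname)]
    return findings


def build_sample(subject, filename):
    """Constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("See attachment.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for hit in scan_message(build_sample("Oh God", "photo.jpg.pif")):
        print(hit)
```
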

When the user clicks the attachment, the worm displays a fake WinZip error message. The worm copies itself to the system folder using a constructed file name and also generates several other copies under a variety of file names, all with the EXE extension. Sober also creates the Media.dll file and stores any e-mail addresses it can harvest from the infected system in that .dll file, then tries to mail itself to all those addresses. Sober affects all Windows versions except 3.x, but does not attack Macintosh or UNIX/Linux systems.

Sober.I/Sober.J removal instructions and additional information:
Sober – Virus Threat Center
Win32.Sober.I – Computer Associates
Sober.I – F-Secure
Sober.i – Kaspersky
W32/Sober.j@MM – McAfee
Sober.I – Panda
W32/Sober-I – Sophos
W32.Sober.I@mm – Symantec
WORM_SOBER.I – Trend Micro