Infections of W32/Sober.A@mm increase steadily
W32/Sober.A@mm is a bilingual mass mailing worm the infection rate of which has been increasing steadily in the past few days and weeks. Sober.A spreads between Windows systems via e-mail. These e-mails pose as security warnings against a possible new mass mailing worm and carry attachments that are said to be patches against this threat. The attachments, however, are infected with W32/Sober.A@mm.
Once this attachment has been executed Sober.A infects the computer and harvests more e-mail addresses from the infected computer's hard drive. The worm subsequently sends itself to these addresses using its own SMTP engine.
W32/Sober.A arrives in e-mails with subject lines and content either in English or in German. If the Internet domain of the recipient is .de, .at, .ch, or .li, then the message is created in German, otherwise in English.
The e-mail's subject line is then randomly chosen from one of the following:
Neuer Virus im Umlauf!
Sie versenden Spam Mails (Virus?)
Ein Wurm ist auf Ihrem Computer!
Langsam reicht es mir
Sie haben mir einen Wurm geschickt!
Hi Schnuckel was machst du so ?
VORSICHT!!! Neuer Mail Wurm
Sorry, Ich habe Ihre Mail bekommen
Hi Olle, lange niks mehr geh
Viurs blockiert jeden PC (Vorsicht!)
Ich habe Ihre E-Mail bekommen !
Jetzt rate mal, wer ich bin !?
Neue Sobig Variante (Lesen!!)
Ich Liebe Dich
Congratulations!! Your Sobig Worms are very good!!!
Back At The Funny Farm
You are a very good programmer!
Odin alias Anon
New internet virus!
You send spam mails (Worm?)
A worm is on your computer!
You have sent me a virus!
Hi darling, what are you doing now?
Be careful! New mail worm
Sorry, I've become your mail
Hey man, long not see you
Viurs blocked every PC (Take care!)
I've become your mail!
Advise who I am!
New Sobig-Worm variation (please read)
I love you (I'm not a virus!)
I permanently get Spam-Mails from you and inside is a virus!!
You should remove these thing.
Attachment names are randomly generated from the following list:
After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.
For more information on this worm and disinfection please visit our virus information section.
The latest versions of F-Prot Antivirus detects W32/Sober.A@mm using virus signature files dated 28 October 2003 or later.