Another variant of the bilingual Sober family of mass-mailers has been spreading quickly
W32/Sober.F@mm started spreading on Sunday 4 April 2004 and was quickly detected by FRISK Software virus analysts. This new variant of the Sober family of mass-mailers has proven unusually deft at finding e-mail addresses on computers it infects. Since Europe woke up this morning and started getting online at around 9:00 GMT Sober.F has shot to the top of the list of viruses caught by the F-Prot AVES e-mail security filters.
Like previous Sober family variants, W32/Sober.F@mm is a bilingual worm that spreads in attachments to e-mails arriving in either German or English, the language of the e-mail being determined by the recipient e-mail address's suffix. Both the subject line and the body of these e-mails vary, some appearing as simple error messages.
When the worm's executable is run it copies itself to the Windows System folder and creates startup keys in the System Registry so the worm will automatically run on reboot. The worm harvests e-mail addresses from the infected computer's hard drive and subsequently spreads further by sending itself to these addresses using its own SMTP engine.
Note that e-mails carrying this variant sometimes arrive with a message at the bottom claiming that the message has been checked for viruses. In some cases these false messages are wrongfully attributed to F-Prot Antivirus or other permutations of FRISK Software trademarks such as "FRISK Anti Virus" or "F-Prot Anti Virus". These are attempts to lull users into mistakenly believing the attachment to be safe and have absolutely no genuine connection to FRISK Software. F-Prot Antivirus products do not insert text of this sort into e-mails.
After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.
The latest versions of F-Prot Antivirus detect W32/Sober.F@mm using virus signature files dated 4 April 2003 or later.