Sober worm resurfaces

The Sober worm, which caused a big headache for companies at the end of October, has returned.

Sober.B is virtually identical to its predecessor and has been rated as low to medium risk. However, the potential remains for major e-mail problems if system administrators are unprepared.

The worm, which was released from Germany and affects Windows operating systems, relies on classic user curiosity. While Sober.A pretended to come from an anti-virus company, headings for Sober.B include "George W. Bush plans new war" and "Have you been hacked?".

The e-mail carries an attachment with a variety of names, from "yourlist" to "gwbush-new-wars", and a .com, .cmd, .exe or .pif file extension. If clicked, the attachment will install the worm on the computer. It also installs its own SMTP engine and starts e-mailing itself to every address it can find on the computer.

The first time the worm is installed, a fake error message appears, presumably to convince those who have opened the attachment that no harm has been done and the attachment is simply broken.

It also installs two versions of itself. If one is tackled, the other will reinstall itself. It also makes some changes in the registry so any infected machine will need the attentions of someone confident with carrying out registry tweaks.

Security companies are not overly concerned since the worm can be picked up, isolated and removed relatively easily. If companies already block attachments with the most common virus-carrying suffixes - .pif, .scr - there should be little trouble.
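The suffix blocking described above can be sketched as a mail-gateway check. This is an added example, not code from the article or from any vendor; the function names, sample addresses and placeholder attachment bytes are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the article: the worm's own (.com, .cmd, .exe, .pif)
# plus the commonly blocked .scr.
BLOCKED_EXTENSIONS = {".com", ".cmd", ".exe", ".pif", ".scr"}


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return filenames of attachments whose final extension is blocked."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows path handling drops trailing dots and spaces, so strip
        # them first; only the last suffix decides how the file is run.
        cleaned = name.strip().rstrip(". ").lower()
        dot = cleaned.rfind(".")
        if dot != -1 and cleaned[dot:] in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample(filename: str) -> bytes:
    """Constructed test message with one attachment of harmless bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Have you been hacked?"
    msg.set_content("See attachment.")
    msg.add_attachment(b"harmless placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for fn in ("gwbush-new-wars.pif", "yourlist.txt.EXE", "report.pdf"):
        print(fn, "->", blocked_attachments(build_sample(fn)) or "allowed")
```

Matching on the final suffix, case-insensitively, catches double-extension names such as "yourlist.txt.EXE" that a naive check on the first dot would let through.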

However, if there are holes in the security and the worm finds a way in and around the network, the huge volume of e-mails generated could become a major headache.

Full instructions on what to do with the worm can be found on Symantec's website.

Kieren McCarthy writes for
