A Sober Primer: The worm from A to Z

Computerworld - With the latest variant of the Sober worm set to launch new attacks at midnight tonight (see "Sober worm set to launch another attack"), here's an A-to-Z guide to identifying Sober's many iterations.
We've chosen to use F-Secure's naming system as our organizing tool.

Sober.A (Sober)
Arrives as an e-mail attachment with .bat, .com, .exe, .pif or .scr extension and contains executable; may pose as antivirus patch or security warning.
Aliases: Win32.Sober.A (Computer Associates), Win32/SoberA (Eset), W32/Sober.A@mm (Frisk), I-Worm.Sober (Kapersky), W32/Sober@MM (McAfee), W32/Sober.A (Norman), W32/Sober-A (Sophos), W32.Sober@mm (Symantec), WORM_SOBER.A (Trend Micro).
First identified: 10/03

Sober.B
May include anti-Bush or 'You got hacked' subject line; can spread via peer-to-peer nets.
Aliases: W32/Sober.B@mm (McAfee), W32/Sober-B (Sophos).
First identified: 12/03

Sober.C
May claim to be from "the police;" can spread via peer-to-peer.
Aliases: W32/Sober.c@MM (McAfee), W32/Sober-C (Sophos), W32.Sober.C@mm (Symantec).
First identified: 12/03

Sober.D
Claims to be Microsoft-issued MyDoom removal tool (ZIP file).
Aliases: W32/Sober.d@MM (McAfee), W32/Sober.D@mm (Norman), Roca-A (Secunia), W32/Roca-A (Sophos), W32.Sober.D@mm (Symantec), WORM_SOBER.D (Trend Micro).
First identified: 3/04

Sober.E
Replaces "From" line to disguise email origin; opens MS Paint or Paintbrush to disguise its actions when starting on a clean system; very limited propagation.
Aliases: W32/Sober.e@MM (McAfee), W32/Sober-E (Sophos), W32.Sober.E@mm (Symantec), WORM_SOBER.E (Trend Micro).
First identified: 3/04

Sober.F
Opens Notepad to disguise activity; low propagation.
Aliases: W32/Sober.f@MM (McAfee), W32/Sober.F@mm (Norman), W32/Sober-F (Sophos), W32.Sober.F@mm (Symantec), WORM_SOBER.F (Trend Micro).
First identified: 4/04

Sober.G
Includes "NoSpam.readme" file with message from author of worm to antivirus researchers noting that he is male, 30+ and neither a hacker nor a spammer.
Aliases: Win32.Sober.G (Computer Associates), W32/Sober.g@MM (McAfee), W32.Sober.D@mm (Symantec), WORM_SOBER.G (Trend Micro).
First identified: 5/04

Sober.H
A Trojan, not a worm; mass-mails right-wing political statements to machines previously infected with another Sober variant; not widespread.
Aliases: Troj/Sober-H (Sophos), Trojan.Ascetic.A (Symantec).
First identified: 6/04

Sober.I
Gathers e-mail addresses; displays fake WinZip error dialog; set to self-deactivate on Jan. 5, 2005; some versions of e-mail claimed to include nude photos.
Aliases: Win32.Sober.I (Computer Associates), W32/Sober.j@MM (McAfee), Sober.I (Panda), W32/Sober-I (Sophos), W32.Sober.I@mm (Symantec), WORM_SOBER.I (Trend Micro).
First identified: 11/04

Sober.J
Opens Write to disguise actions; also, McAfee's name for Sober.I variant.
Aliases: Win32.Sober.J (Computer Associates), W32/Sober.k@MM (McAfee), W32/Sober-J (Sophos), W32.Sober.J@mm (Symantec), WORM_SOBER.J (Trend Micro).
First identified: 1/05

Sober.K
Opens Write to disguise actions; adds garbage character at end of its file after each installation; may claim to come from FBI; may claim to include Paris Hilton photos.
Aliases: Win32.Sober.K (Computer Associates), W32/Sober.I@MM (McAfee), Sober.M (Panda), Sober-K (Sophos), W32.Sober.K@mm (Symantec), WORM_SOBER.K (Trend Micro).
First identified: 2/05

Sober.L
Similar to K variant,