New variant of Sober worm infecting PCs worldwide
The attacks began yesterday, appear to be peaking today
May 3, 2005 12:00 PM ET, Computerworld
A new incarnation of the W32/Sober computer worm has been spreading in large numbers across the Internet since yesterday, infecting home and business PCs around the globe.
Infections from the latest W32/Sober worm, which was given different names by various antivirus software vendors, began about noon Eastern time yesterday and have been bombarding machines with e-mails generated internally by the worm, according to alerts from vendors.
Richard Wang, manager of the Lynnfield, Mass.-based virus lab of Sophos PLC, said the W32/Sober-N worm accounts for about 70% of all the virus reports the company has received since yesterday. The worm is sent to a recipient in an e-mail and is only activated if the recipient clicks on the enclosed file attachment. The file payload then searches for all e-mail addresses on the infected computer and sends a copy of itself to each address. The e-mails are sent out until the worm is eradicated, Wang said.
In English-speaking countries, the fake e-mail notifies the recipient that someone has obtained his account and password information for an unnamed account and tells the user to click on the attached file to find out what information has allegedly been stolen. In German-speaking countries, the fake e-mail tells the recipient that he won tickets to the upcoming 2006 Soccer World Cup events. The attached files are named mail_info.zip, account_info.zip or our_secret.zip and sometimes also include the word "error" in the file name.
"It's pretty normal in terms of what worms do," Wang said. "What's unusual about it is the sheer volume it has at the moment."
Wang said he had no statistics on the number of infections the worm has caused so far, nor on how many e-mail messages are carrying the worm.
Sophos and other major antivirus vendors have already updated their antivirus software to prevent the worm from getting into a PC and have created tools to remove it once a machine is infected, Wang said. "You do need to get rid of it once you get it; otherwise it will just slow you down," he said.
Moscow-based antivirus vendor Kaspersky Lab has issued a similar alert about what it called the Win32.Sober.p worm, which it said is hitting hard in Western Europe.
In an e-mail alert, the lab said the new Sober.p worm was first detected yesterday and has "broken records in terms of the number of infected messages sent out and speed of propagation throughout Western European segments of the Internet."
Sober.p also spreads as a .zip attachment in an e-mail, according to