The Sober worm which caused a big headache for some firms at the end of October returned yesterday.
W32.Sober.B@mm is virtually identical to its predecessor and has been rated at a low to medium risk. However the opportunity remains for major email problems if sysadmins aren't prepared.
The worm, released from Germany and only affecting Windows OSes, relies on classic user stupidity. While Sober.A pretended to come from an anti-virus company, this one's header concerns either George Bush or hacking: "George W. Bush plans new war"; "Have you been hacked?" and similar.
An attachment with a variety of names from "yourlist" to "gwbush-new-wars" and a .com, .cmd, .exe or .pif file extension, if clicked, will install the worm on the computer. It also installs its own SMTP engine and starts emailing itself to every email address it can find on the computer.
The first time the worm is installed, a fake error message appears, presumably to convince those daft enough to have opened the attachment that no harm has been done and the attachment is simply knackered.
It also installs two versions of itself. If one is tackled, the other will reinstall itself. It also makes some changes in the registry so any infected machine will need the attentions of someone confident with regedit.
Security companies are not overly concerned since the worm can be picked up, isolated and removed relatively easily. If companies already block attachments with the most common virus-carrying suffixes -- .pif, .scr -- there should be little trouble. However if there are holes in the security and the worm finds a way in and around the network, the huge volume of emails generated could become a major headache.
Since the worm is most likely to be spread by someone daft enough to open the attachment, an email to all staff warning of the new virus would be a good idea. The main anti-virus vendors have prepared a definition for Sober.B so download it. Apart from that, if you do get the worm, you can get full instructions on what to do at Symantec Corp.'s site.