Sober variants continue to spread

Latest variant appears to drop a Trojan onto the PC to allow remote control

A previously undocumented mutant of the virulent Sober worm is spreading rapidly via email, security experts warned today.

German police warned last week of a fresh rash of Sober variants, and a previously undetected version was sent out last night, called 'Sober Y' by Kaspersky and F-Secure and 'Sober U' by Sophos. 

The emails, written in German or English, pretend to be from the FBI and warn that the user has visited a number of 'illegal' websites.

The message reads: "Dear Sir/Madam, we have logged your IP-address at more than thirty illegal web sites. Important: Please answer our list of questions. The list of questions are attached."

Once activated the malware copies itself onto the computer's directory and deletes all other variants of the Sober worm before flashing up a window announcing that no viruses were found on the PC. This is an attempt to fool the user into believing that antivirus software has cleared the code.

Although the virus is still under analysis it appears to drop a Trojan onto the PC to allow remote control, and checks regularly for new instructions.

Email filtering firm SoftScan said that it first detected the virus at 7pm GMT last night and has since picked up 12,000 emails containing the malware, a higher than usual rate for a Sober attack. 

"This is the latest in a series of outbreaks since the German police warned of them a week ago," said Bo Engelbrechtsen, corporate communications manager at SoftScan.

"Perhaps the virus writers are just showing off and thumbing their nose at the authorities. Currently the numbers are stating to escalate and it maybe that, as users start to switch on their computers, we will see a lot more."