04 May 2005
The newly detected Sober.p mutant of the Win32.Sober worm has spread rapidly, causing an "epidemic in western Europe", according to IT security experts.
Virus analysts at Kaspersky Lab reported that data from ISPs shows the worm to be the most common malicious program found in email traffic.
"Sober.p has broken records in terms of the number of infected messages sent out and the speed of propagation throughout western European segments of the internet, in The Netherlands, Germany and Hungary among others," Kaspersky Lab warned.
However, the number of messages which the security firm has received about Sober.p from Russian and Asian users has been "minimal".
Sober.p spreads as a .zip attachment in infected messages. The 53KB attachment contains a copy of the worm which unpacks itself. The message subject is chosen at random from a defined list, as is the message itself. Both may be in German.
The worm is activated when the user launches the attachment. It causes a fake error message to be displayed, 'CRC not complete', and then copies itself to the system directory, naming the copies as if they are system services.
Sober.p also creates copies of itself in other files, and adds these files to the system registry.
Once it has copied itself, the worm scans the victim machine for addresses to harvest, searching address books and a range of files including text files, PowerPoint files and databases. Sober.p then sends itself to the addresses collected from the infected machine.