Mutant Sober worm spreading fast

A newly discovered variant of the mass-mailing Sober email worm is spreading rapidly and has already been spotted in the UK, according to MessageLabs.

The email security company said that it has intercepted 1,400 copies of W32.Sober-K-mm since 5am GMT this morning in Germany, France, the US and the UK.

Sober-K-mm sends itself as an attachment and creates random subject lines and body texts in either English or German, depending on the email addresses harvested by the worm.

It can also show a fake notice from antivirus vendors warning about a new version of the virus, and attempts to dupe users into clicking on the attachment which contains the worm by claiming that it contains a software patch.

But computer users who activate the file attached in the email invoke the virus, which harvests email addresses from the computer's hard drive.

Subject lines in the email may include 'Alert! New Sober worm', 'Paris Hilton Sex Videos', 'You visit illegal websites' and 'Your new Password'.

Once activated, Sober.K-mm drops several copies of executable files onto an infected computer with 'filenamescsrss.exe', 'winlogon.exe' and 'smss.exe'.

The worm modifies the registry key Software\Microsoft\Windows\CurrentVersion\Run so that it executes on startup. It then displays the contents of the file (systemdrive%/windows/temp/doc_data-text.txt) in notepad.