New Sober virus circulating

Security analysts find large number of infected e-mails.

Greg Sandoval Former Staff writer

Greg Sandoval covers media and digital entertainment for CNET News. Based in New York, Sandoval is a former reporter for The Washington Post and the Los Angeles Times. E-mail Greg, or follow him on Twitter at @sandoCNET.

See full bio

Greg Sandoval

Nov. 22, 2005 9:58 a.m. PT

There are at least three new variants of the Sober worm spreading across the Internet via e-mail messages. The viruses are activated once a user clicks on an infected attachment.

The new variants of Sober, a worm that first appeared in 2003, are capable of disabling antivirus programs, according to Finland-based company F-Secure.

Antivirus company Kaspersky Lab said on its Web site that large numbers of infected e-mails have been intercepted. This confirms, according to the company, that the epidemic was caused by spamming. Kaspersky identified the variants as Sober.U, Sober.V, and Sober.W.

Internet security officials in Germany warned Monday of a possible Sober attack. In recent months, Sober has been used in that country to "="" data-asset-type="article" data-uuid="1cf8a48e-fee0-11e4-bddd-d4ae52e62bcc" data-slug="sober-worm-offshoot-lurks-behind-class-photo" data-link-text="old class photo"> sent by a schoolmate.

Sober can hijack a Windows-based computer and force it to send spam e-mails. The continuous e-mailing can lead to overloaded servers and reduced network performance.

Security firms cautioned computer users to be careful when opening attachments. Infected messages may have a random subject line or none at all, Kaspersky said.

But the attachments can be recognized by their names: Exceltab-packed_List.exe, Liste.zip and Reg-List-Dat_Packer2.exe., reg_text.zip Word-Text.zip, Word-Text_packedList.exe and Word-Text_packedList.zip.

The virus creators appeared to taunt security experts with a message left in the code which reads: "Use your debuggers, it's fun."