A new version of the Sober worm wriggled out of its hole early on Monday and set about quickly attacking computers in Europe and the US perhaps piggy-backing off the news that US glitterati Paris Hilton's cellphone has been hacked.
The worm is a mass-mailer, meaning it spreads itself via email using contacts listed in the address books of computers it infects.
The first instance of the worm, called W32.Sober-K-mm, was intercepted by UK security company MessageLabs. The company detected 663 instances of the worm in the first hour, and the figure climbed quickly to more than 2,200 per hour, prompting MessageLabs to give it a high-risk rating, says Maksym Schipka, a senior antivirus researcher with the company.
"Compared to other Sober worms it looks to me like this one is spreading itself more aggressively," he says.
W32.Sober-K-mm spreads itself as an email attachment and creates random subject lines and body texts in either English or German, depending on the email addresses it gathers. Subject lines observed so far include "Alert! New Sober worm," "Paris Hilton Sex Videos," "You visit illegal websites" and "Your new Password," according to MessageLabs.
Hotel heiress Paris Hilton's T-Mobile cellphone address book and a number of photographs taken with her phone, mainly of a personal nature, were posted to a website and have since been picked up by numerous blogs and sites around the globe, leading to concern that emails containing Hilton's name may well be opened by even the canniest of users.
The latest variant of Sober appears to have originated in Germany, and has also been detected in France, the UK and the US. It may have been created by the same hacker that wrote the first version of the Sober worm, which appeared in October 2003 and also originated in Germany, Schipka says.
"I'm not aware that the source code for this worm was made public. It is written in Visual Basic which makes it more difficult to reverse engineer the virus than if it were written in C++ or Assembler. So it would be logical to assume it is the same virus writer," he says.
The worm can also generate fake messages that try to fool the recipient into opening the attached .zip file. Some emails purport to be from an antivirus company offering a security patch against a new version of the Sober worm when in fact they contain they worm. Others pretend to be from the US Federal Bureau of Investigation and include an attachment labelled "indictment," Schipa says.
When a user opens the attachment the worm creates several executable files with the names csrss.exe, winlogon.exe and smss.exe. It then modifies the registry key Software\Microsoft\Windows\CurrentVersion\Run so that the files execute on startup.
The worm also displays the contents of part of the infected machine's file system in a notepad document. Schipka said it is not clear yet why this document appears and that it may be a bug in the worm. "Sober is known as being relatively buggy," he says.
The notepad file may be a sign that the virus writer is experimenting with new techniques, one observer speculated.
Such worms can make the computers they infect sluggish to operate and also clog email servers and networks. Users are advised to update their antivirus software to keep the definition files current.