New Sober Worm Poses As Good Samaritan

The worm, which spread quickly in the United Kingdom early Tuesday morning -- one security firm was reporting nearly 88,000 copies had hit U.K. businesses by 11 a.m. local time. Another listed it as the fifth-most common worm of the last 24 hours, beaten only by the even more pernicious Netsky and Zafi.

Like earlier Sober variants, this one -- dubbed Sober.m by some anti-virus vendors, Sober.n by others -- can appear in English or German, spreads by hijacking addresses from infected PCs, and bundles its payload in a compressed .zip file.

"Someone is sending your private e-mails on my address," Sober reads. "It's probably an e-mail provider error! I've got over 10 mails on my account, but the recipient are you. I have copied all the mail text in the windows text-editor for you and zipped then."

"The virus plays on people's desire to be a good net citizen," said Graham Cluley, a senior technology analyst with Sophos in a statement. "Anyone who receives a message like this may feel duty bound to open the attachment and investigate how their computer has been sending erroneous e-mail. But such good intentions could result in a nasty infection."

Sober.m/n also tries to disable Microsoft's AntiSpyware application, and its Malicious Software Removal Tool, which is an integral part of each month's security update from the Redmond, Wash.-based developer, and targets Sober among the malware it seeks out and destroys.

Most anti-virus firms listed the newest Sober as a medium, or lower, threat.