Persistent Sober Worm Gains Strength With Age

According to Redwood City, Calif.-based Postini, over the past four days more messages infected with the Sober.p worm have reached its gateways than legitimate e-mail.

During the four-day stretch, 14 percent of the messages Postini's processed have been Soberized, while just 13 percent of all mail is non-spam, non-virus.

"We've detected exceptionally high Sober worm traffic in the past 72 hours," said a Postini spokesperson in an e-mail. "Viruses usually represent 2 percent of the total e-mail traffic filtered by Postini, but Sober alone jumped to 14 percent."

As recently as last week, security companies were tracking Sober at approximately 5 percent of all mail, or 1 out of every 20 messages.

Sober.p -- also called Sober.s, Sober.o, and even Sober.v by various anti-virus vendors, who have yet to settle on a common name for the worm -- broke out Monday, May 2. Although most security experts predicted it would quickly peak and die as had other Sober variants, by the end of the week it was clear that the worm had reached a critical mass and would continue to spread.

Postini reported encountering more than 12 million Sober instances on Sunday, May 8, more than twice as many instances of a virus than Postini had ever recorded in a 24 hour period.

By Postini's online stats site, in the last 24 hours, 12.1 million Soberized messages had been received, more than 45 times the next-most-serious worm, Mytob.

Most of the Sober-infected messages, said Postini, have been intercepted in the U.S., central Europe, India, Japan, South Korea, and Australia.