PandaLabs has detected the
appearance of Sober.AH, a new variant of the well-known family of Sober email
worms, which has already started to cause numerous incidents in computers
around the world. In fact, it is already one of the viruses most frequently
detected by the Panda ActiveScan online antivirus solution.

One of the reasons for its success is that this new variant uses social
engineering techniques, tricking users into running files that contain the
system code. Among other possibilities, Sober.AH can reach computers as an
attachment to an email message purporting to be a warning from the FBI,
advising users that they have accessed illegal Internet addresses. The worm
can send itself in email messages in either English or German depending on the
intended recipient’s address.

In any event, users should bear in mind that the email message containing
Sober.AH is highly variable, as the subject field, message text and attachment
name are chosen at random from a list of options. More details of these
options are available in Panda Software’s Virus Encyclopedia, at

If a user runs the file containing Sober.AH, a window is displayed with a
false error message. However, while this is happening, the worm sends itself
to all email addresses it finds in numerous system files. It checks the
domains of the addresses by connecting to different public DNS servers and
checks the time and date by connecting to different NTP servers.

In addition, the worm terminates processes running on the system belonging
to certain applications, including some security solutions. Every time it
terminates a process, it displays a dialogue box saying that no viruses,
Trojans or spyware were found. The aim is to leave the computer unprotected
against future attacks.

According to Luis Corrons, director of PandaLabs: “After many failed
attempts, the creators of the Sober worms are finally achieving their
objective the easy way: using social engineering. It is an unfortunate fact
that whenever a malicious code uses some kind of message that could interest
users, it manages to spread to numerous computers. The use of proactive
technologies that can determine if an email message contains unknown malicious
code prevents users from having to decide whether or not to open such
potentially dangerous mail.”

TruPrevent proactive detection technologies detect and block Sober.AH,
with no need for prior identification or updates. For this reason, computers
with these installed have been protected from the moment the threat first

Panda Software clients that don’t yet have TruPrevent Technologies
have the updates available to install them along with their antivirus and
ensure they have prevented protection against unknown viruses and intruders.
For users with a different antivirus program installed, Panda TruPrevent
Personal is the perfect solution, as it is both compatible with and
complements these products, providing a second layer of preventive protection
that acts while the antivirus is updated, decreasing the risk of infection.

More information about TruPrevent Technologies at
To help as many users as possible scan and disinfect their systems, Panda
Software offers its free, online anti-malware solution, Panda ActiveScan,
which now also detects spyware, at Webmasters who
would like to include ActiveScan on their websites can get the HTML code, free

Panda Software also offers users Virus Alerts, an e-bulletin in English
and Spanish that gives immediate warning of the emergence of potentially
dangerous malicious code. To receive Virus Alerts just visit Panda Software’s
website ( and complete the
corresponding form.