McAfee, Inc., the leader in Intrusion Prevention and Risk Management solutions, announced that McAfee AVERT (Anti-virus and Vulnerability Emergency Response Team), the world-class research division of McAfee, Inc., raised the risk assessment to Medium on the recently discovered W32/Sober.r@MM!M-151, also known as Sober.r. Sober.r is a prolific worm that spreads via email, sending itself to addresses found on the victim’s machine. The worm arrives as a .zip file attached to e-mail and has many of the same functionalities as its Sober predecessors. The worm was first reported to McAfee AVERT researchers this evening PST and to date McAfee AVERT has received more than 50 reports of the virus in the wild from unique senders.

Threat Overview

Sober.r is a mass-mailing threat that contains its own SMTP engine to construct outgoing messages, which are written in German or English depending on the version of Windows. It harvests addresses from local files and then uses the harvested addresses to send itself, producing a message with a spoofed From address. The attachment comes in the form of a .zip file that contains an executable file inside, named “PW_Klass.Pic.packed-bitmap.exe”. Users would need to manually extract the executable from the .zip file and manually run the attachment in order to be infected.

An example of a randomly generated English message is as follows:

  • Subject: Your new Password
  • Body: Your password was successfully changed! Please see the attached
    file for detailed information.
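As an added example (not McAfee's code), the following mail-gateway check looks for the pattern described above: a .zip attachment wrapping an executable whose multi-dot name disguises its true extension, and the English subject template. The sample message is constructed inline; only the attachment name and subject line come from the advisory.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the advisory text; everything else here is constructed.
SOBER_SUBJECT = "Your new Password"
SOBER_EXE_NAME = "PW_Klass.Pic.packed-bitmap.exe"
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")

def build_sample_message() -> bytes:
    """Constructed lookalike of the English Sober.r message (synthetic, no real binary)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SOBER_EXE_NAME, b"MZ placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.invalid"   # harvested, spoofed sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = SOBER_SUBJECT
    msg.set_content("Your password was successfully changed! "
                    "Please see the attached file for detailed information.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="PW_Klass.zip")
    return msg.as_bytes()

def scan_message(raw: bytes) -> list[str]:
    """Return findings for zip attachments that wrap an executable member."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            findings.append(f"{name}: corrupt zip attachment")
            continue
        for member in zf.namelist():
            lower = member.lower()
            if lower.endswith(EXECUTABLE_EXTS):
                # More than one dot (".Pic.packed-bitmap.exe") hides the real extension
                tag = "disguised executable" if lower.count(".") > 1 else "executable"
                findings.append(f"{name} -> {member}: {tag} inside zip")
    if msg["Subject"] == SOBER_SUBJECT and findings:
        findings.append("subject matches the Sober.r English template")
    return findings
```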

System Protection and Cure

More information on Sober.r and the cure for this worm can be found online at the McAfee AVERT site. McAfee AVERT is advising its customers to update to the 4598 DATs to stay protected from this variant of the threat.