
A new version of the Sober worm appeared on the Internet early Friday morning and is already having quite a bit of success infecting users in Europe through the use of social engineering.

Sober.J arrives in an e-mail message that appears to be a returned-mail error message, telling the user that an e-mail sent earlier has bounced. The message typically contains a .zip, .bat, .com, .scr or .pif attachment and a body text that is some variation on the following:

This mail was generated automatically.
More info about –YAHOO– under:——-
Giving_up_on_178.218.194.86.# 533:
The original mail is attached.
Auto_Mail.System: [yahoo]

The subject line of the e-mail message varies, but often indicates that the message is a warning about a bounced e-mail, such as:


Faulty_mail delivery

Mail_delivery failed

When the recipient opens the attachment, the worm displays a fake error message saying that a portion of the WinZip software is missing. The worm then copies itself to the Windows System folder in two separate locations, using filenames that it constructs dynamically from a small set of common strings, including sys, spool, crypt, host, dir, service, win, run, 32, data, and a few others, according to an analysis by McAfee Inc., based in Santa Clara, Calif. The filename always ends in “exe.”

Sober.J then creates several registry keys to ensure it will be run on startup and searches for e-mail addresses on the infected machine. It then begins mailing itself to all of the addresses it finds.
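The filename scheme described above lends itself to a simple triage check over a directory listing from the Windows System folder. The following is an added example, not code from McAfee or the original article; the fragment list is only the part the article names, and the two-fragment minimum and the sample listing are assumptions made for illustration.

```python
from functools import lru_cache

# Fragments named in the article. McAfee's analysis mentions "a few others"
# that the article does not list, so this set is knowingly incomplete.
TOKENS = ("sys", "spool", "crypt", "host", "dir", "service",
          "win", "run", "32", "data")


def split_into_tokens(stem, tokens=TOKENS):
    """Return the fragments that spell `stem` exactly, or None if impossible."""
    stem = stem.lower()

    @lru_cache(maxsize=None)
    def solve(pos):
        if pos == len(stem):
            return ()
        for tok in tokens:
            if stem.startswith(tok, pos):
                rest = solve(pos + len(tok))  # backtrack if the tail fails
                if rest is not None:
                    return (tok,) + rest
        return None

    result = solve(0)
    return None if result is None else list(result)


def suspicious_names(filenames, min_tokens=2):
    """Map each flagged filename to the fragments it is built from.

    min_tokens=2 is an assumption: a name made of one fragment is too
    common to be worth flagging.
    """
    hits = {}
    for name in filenames:
        if not name.lower().endswith("exe"):
            continue
        stem = name[:-3].rstrip(".")
        parts = split_into_tokens(stem)
        if parts is not None and len(parts) >= min_tokens:
            hits[name] = parts
    return hits


# Constructed sample listing: legitimate Windows names mixed with names
# built from the fragments above.
SAMPLE = ["spoolsv.exe", "services.exe", "winhost32.exe", "datacrypt.exe",
          "svchost.exe", "dirrun32.EXE", "notepad.exe", "host.dll"]

if __name__ == "__main__":
    for name, parts in suspicious_names(SAMPLE).items():
        print(f"{name}: {' + '.join(parts)}")
```

A match is a lead for further inspection rather than a verdict, and names using fragments missing from the list will not be flagged.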
