Sober.F arrives in an e-mail sent by the worms own SMTP engine. According to F-Secures description of the worm, the incoming message can have any of a large number of subject lines and message bodies, some in German and some in English.
The message also contains an executable file attachment, which, according to Symantecs analysis, contains any of a list of names with an .EXE extension and is 42,496 bytes large. When a user launches the attachment it sets itself to run automatically when Windows starts, then searches files on the hard disk to use as senders and recipients in the messages sent as it attempts to spread itself.
Symantec has raised Sober.F from a Level 2 to Level 3 threat severity, labeling it "either as highly wild (but reasonably harmless and containable) or potentially dangerous (and uncontainable) if released into the wild." Symantec has also increased its overall "ThreatCon" level from 1 to 2 out of concern that Sober.F is developing into a major outbreak. F-Secure classified the threat from Sober.F as "moderate."
Interestingly, F-Secure says that the worm checks the hard disk constantly for a file named ZHCARXXI.VVX. If it finds this file, it immediately unloads itself from memory. If the file is present during installation, the worm does not copy itself to the hard disk.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: