Sober variants are well known for complex replication patterns and payloads. They have also been using spoofed e-mail addreses in the “From:” field, pretending to come from the FBI; reason enough for many unsuspecting users to fall victim to the worm. Sober.K, discovered on February 21 2005, was the first to pretend that.
Sober.y, which is currently the most popular variant, started spreading actively on Monday, November 21. Although it was released last week, it didn’t really pick up speed unless Monday, thanks to the help from a couple of other variants in the family, one of the complex replication patterns mentioned above.
Interesting enough, while we have plenty of reports from our mailpots distributed around the world, very few of them originate in Russia. This happened in the past, most of the time with the peak of reports originating in Germany. Overall, Sober.y is still behind Mytob.bi in absolute number of samples for the past 24 hours, but its rate of increase is higher, meaning it will probably become number one in the next day or so.
The outbreak is major, but according to our statistics, it’s no match for say, Sober.a back in 2003. One of the reasons for this is that generic protection, as well as the speed of reaction of antivirus companies has improved a lot since then, too.