Security Watch: Sober Worm Back and Spreading.


Executive Summary
Name: W32/Sober.r@MM!M-151 (McAfee)
Date Discovered: 10/5/2005
Length: 113,551 bytes
Affects: Windows XP/XP SP2/2000/2003/NT/ME/98/95


Sober.r is a classic mass-mailing e-mail worm that spreads itself to addresses harvested from infected PCs, and it may slow down e-mail services during the height of this infection. Sober.r (w32.sober.r@mm) arrives as e-mail in either English or German with a subject and body text referencing password changes. Users of Mac OS, Linux, and Unix are not affected but could become carriers by forwarding the infected e-mail to Windows users. Because Sober.r spreads via e-mail, does not open remote access to your PC, and may not damage system files, this worm rates a 5 on the CNET/ZDNet Virus Meter.
How it works
Sober.r arrives as e-mail with a ZIP file attachment named either KlassenFoto.zip, or pword_change.zip. Buried within the ZIP is an executable file named PW_Klass.Pic.packed.bitmap.exe. Once executed, the Sober.r worm collects e-mail addresses from the infected PC and uses its own SMTP e-mail engine to send copies of itself to those addresses.


More:

http://techrepublic.com.com/5100-1009_11-5890712.html#
and:
http://www.pcmag.com/article2/0,1895,1869230,00.asp


McAfee AVERT Stinger removes this infection.