Resilient Sober Worm Strikes Again

Sober variants are rare, but when they strike, well, let’s just say that they strike with such force that everyone notices.

Trend Micro declared a medium risk alert to contain the spread of the resilient worm Sober, with the variant name WORM_SOBER.AG. Symantec upgraded its risk rating for its corresponding detection, W32.Sober.X@mm.

Using very sophisticated social engineering, Sober has proven its resiliency. This time around, it may masquerade as an attachment to an email that purportedly comes from the CIA, the FBI, or, for its German version, the BKA (the German equivalent of the CIA). Who wouldn’t open the attachment after reading a message from a CIA agent that asks them to answer the enclosed questionnaire?

Sober worms have no damaging payload except for their mass-mailing routine. They don’t terminate processes, open backdoors, or steal information, yet Sober is one of the active ones. Mytobs have sophisticated propagation methods (mass mailing and network sharing) and destructive payloads, but they don’t get as much attention as Sober does. Sure, Mytobs spread well, and there are new variants every day. Sober prefers to stay low and hit hard. The creator of Sober is very good at crafting emails that are sure to get the attention of users; hence its notoriety.

So, as always, if unsure about an email, delete it, or do not open its attachment at the very least.