A blonde, 21-year-old go-go dancer is sending emails with naked photos of herself attached and asking for work as model. Or so you are led to think by the latest mass-mailing Sober worm variant to hit the Web, Sober.I.
But unless you live in a German-speaking country, the email is not nearly so exotic. Sober.I is programmed only to send itself with the go-go dancer message to German-language domains - such as those ending in .de (Germany) or .ch (Switzerland), for example. The virus is also programmed to launch itself at the English-speaking world, but under the subject header of "delivery failure" or "oh god" in the hope that a user somehow opens an attached .zip file, which unleashes the virus.
"The German version is really interesting," said Graham Cluley, senior technical consultant for Sophos. "They claim to come from a German 21-year-old go-go dancer with blonde hair. She is seeking employment as a model and she says she has attached some naked photos of herself. But of course the photos are the worm."
"In the English version they don’t seem to be using sex at all," he added. "Maybe [the virus writer] thinks that the English aren't as interested in sex as our German cousins. Perhaps he is making a national judgement about the countries."
Antivirus firm F-Secure has given the virus a level 2 rating, the company's second highest rating for viruses. Many other companies, such as Panda Software and Trend Micro, have also reported that the virus is spreading rapidly, particularly through Germany.
The virus is a self-perpetuating program that sends itself to contacts stored in Microsoft Outlook. If executed, Sober.I copies itself to the registry to ensure it runs when the computer starts, and then begins to replicate itself. If the domain in an email address belongs to Switzerland (.ch), Germany (.de), Austria (.at) or Liechtenstein (.li), the worm executes the German version of itself from the 'blonde dancer'. If the domain is any other than those mentioned above the email is sent in English.
"It may have been written by a German," Cluley said. We've been given quite a number of reports across Europe. But that was true of earlier versions of it too."
Cluley added that people needed to keep their antivirus software updated as the best defence against the virus. He added that in most cases, companies should block executable code at the email gateway.