Sober.D, discovered on Monday, is technically similar to its previous incarnation as Sober.C, where it used its own SMTP engine to send copies of itself to e-mail addresses found on infected systems. But the latest version displays fake Microsoft warnings and error messages.
"It arrives in an e-mail that pretends to be a patch to protect against a version of MyDoom," said Graham Cluley, a senior technology consultant at antivirus company Sophos. "The e-mail appears to be a Microsoft patch, so people will of course double-click on that attachment."
According to Finnish antivirus company F-Secure, Sober.D spreads either as an executable attachment or inside a password-protected Zip archive attached to an e-mail. Once a person clicks on the file, the worm scans the PC to see if it has already been infected.
If the system is clean, a small box appears with the message: "This patch has been successfully installed." If the system is already infected with Sober.D, the message says: "This patch does not need to be installed on this system."
Sober.D also changes its language depending on where it is being sent. If the recipient's e-mail address has a "de," "ch," "at," "li," "nl" or "be" extension, the text will be in German and the subject will read: "Microsoft Alarm: Bitte Lesen." Otherwise the subject line is in English and reads: "Microsoft Alert: Please Read!" Previous versions of Sober have also been bilingual, Cluley said.
This is not the first time that a worm has disguised itself as a Microsoft update. In January, the Xombe, or Trojan.Xombe, worm posed as a critical patch for Windows XP. This was believed to be a copycat of 2003's most successful worm, Swen, which is thought to be the first known worm to masquerade as a security warning from Microsoft.
Microsoft has always maintained that it does not e-mail patches to people, so they should ignore any such messages.