Sober.d, also dubbed Roca.a by some security firms, arrives in an E-mail message with a subject that reads "Microsoft Alert: Please Read!" The worm also comes in a German flavor, with a matching headline of "Microsoft Alarm: Bitte Lesen!"
The message's text goes on to urge the recipient to open the attached file, which can arrive either as an executable or within a password-protected Zip archive. The attachment, claims the message, will protect the user's computer from a new variant of the MyDoom worm, and has other text that tries to pass itself off as coming from Microsoft, which never E-mails security updates.
If the recipient launches the attachment, the worm scans the PC to see if it's already infected. If not, Sober.d displays a dialog box titled "Windows Update --MS-Q4232361791-" with the message: "The patch has been successfully installed."
If the computer has been infected, the dialog's message changes to: "This patch does not need to be installed on this system," giving users an even greater false sense of security, said Ken Dunham, the director of malicious code research at iDefense, in an E-mail to TechWeb.
Sober.d isn't the first worm to pose as a security update from Microsoft. Last year's Swen outbreak, for instance, successfully used this trick to infect thousands of computers.
Anti-virus vendors reacted by updating their virus definitions to take the new Sober into account, and by bumping up alert levels. Network Associates, for instance, tagged Sober.d as a "medium" threat, while rival Symantec labeled it as a "2" in its 1-through-5 scale.