The McAfee Anti-Virus Emergency Response Team (Avert) has today increased its original low-risk threat assessment of the 'moderately prevalent' Sober.c worm to 'medium risk' status.

Sober.c contains its own SMTP engine and targets email addresses which it harvests from the victims' machines.

Once activated, it emails itself to the user's Microsoft Outlook address book with outgoing messages constructed using its SMTP engine. The messages may be written in either English or German, and the attachment filename can vary.

Users should immediately delete any email containing the following:

Subject:

Attachments may end in any one of the following extensions and be preceded with .txt or .doc, and/or a random number:

After being executed, Sober.c extracts target email addresses from the victim's machine and writes them to the file SAVESYSS.DLL in the SysDir.

Two other copies of the worm are then dropped into SysDir, with varying filenames. For example, 'SysDir\ONDMONSTR.EXE' and 'SysDir\DATMSCRYPT.EXE'.

Avert warned in an advisory: "These two latter files are responsible for monitoring and maintaining that the worm stays resident in memory.

"Upon termination of one worm processes, another copy will restart the terminated process very quickly.

"Two processes run on the victim machine in order to ensure the worm stays memory resident."

More information on the Sober.c worm can be found here.