Panda Software advices caution in the face of the possible return of Sober

The epidemic caused by the Sober.AH worm last November could undergo a resurgence if, as its code indicates, it activates between January 5 and 6. According to PandaLabs, this malware is programmed to stop sending out spam by that date, and to start connecting to several servers to download and execute files.

It is therefore important that users tighten security measures in order to minimize the impact that this worm could have. “Even though this type of reactivation routine is nothing new, the extent to which Sober.AH spread initially through mass-mailing is cause enough to be wary in this case,” advises Luis Corrons, director of PandaLabs. It is worth remembering that this worm was for several days the threat most frequently detected by the Panda ActiveScan online antivirus solution, and even now, more than one month after the initial attack, it remains in the top five threats detected in computers around the world. TruPreventTM Technologies detected this threat without prior identification, ensuring users were protected from the moment it first appeared.

In order to neutralize the activation routine of this worm, it must be completely removed from infected computers. Sober.AH. spreads in emails written either in English or German and uses social engineering in an attempt to convince recipients that the message is a warning from the authorities concerning access to illegal websites.

In any event, users should bear in mind that the email message containing Sober.AH is highly variable, as the subject field, message text and attachment name are chosen at random from a list of options. More details of these options are available in Panda Software’s Virus Encyclopedia, at

To remove this worm from infected computers, it is important to keep anti-malware solutions up-to-date. For those who do not have a security solution or would like a second opinion, Panda Software offers the Panda ActiveScan free, online scanner (, to ensure systems are free from this and other threats. The PQRemove utility is also available for users to eliminate this specific threat: Any other type of solution, such as changing the system clock so that the worm does not reactivate at the indicated time, is not sufficient, as the routine does not depend on the local system time but on Internet NTP servers.

“Even though users of our TruPreventTM Technologies have always been protected against this threat, our providing these tools is part of a general commitment to security, not just that of our clients, but of all users around the world. It is in our own hands that this potential threat remains simply an anecdote,” concludes Corrons.

About PandaLabs

Since 1990, its mission has been to analyze new threats as rapidly as possible to keep our clients save. Several teams, each specialized in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc), work 24/7 to provide global coverage. To achieve this, they also have the support of TruPreventâ„? Technologies, which act as a global early-warning system made up of strategically distributed sensors to neutralize new threats and send them to PandaLabs for in-depth analysis. According to, PandaLabs is currently the fastest laboratory in the industry in providing complete updates to users (more info at

Don't miss