Latest Sober attack appears to do little damage

06.01.2006

'Sober is still out there. It's a sleeper threat,' he said. 'The fact that it can be remotely executed makes it scary.'

The worm also contains an algorithm that every few days generates new URL addresses from which it then attempts to download malicious code, Telafici said. As a result, the worm could start spreading again in future.

The Sober worm and its variants are believed to have been authored by German hackers and have emerged as one of the most prolific pieces of malware ever. The worm does not target any specific vulnerability. Rather, it requires users to open a malicious file attachment in e-mails or to click on links that contain malicious attachments.

The last version of the worm appeared on Nov. 22, Inauguration Day for Germany's first female chancellor. It was programmed to be reactivated at midnight GMT on Jan. 5, when it was supposed to download and run malicious files from certain Web domains. Like other variants, the latest Sober version comes with its own SMTP engine to spread itself. But the code has been tweaked to send out copies much faster than earlier versions.

Even though the latest version appears to be doing little damage to corporate networks at the moment, there is still an enormous amount of e-mail traffic that is being generated by it, said Andrew Lochart, senior director of marketing at Postini Inc., a San Carlos, Calif.-based provider of e-mail management services.