Systems already infected by the last version of the worm may download and run malicious files from certain Web domains starting at midnight tomorrow night.
'Beginning approximately every two weeks thereafter, the worm is set to begin downloading and running malicious files from additional sites on the same Web domains,' a Microsoft advisory released Tuesday said.
The Sober worm and its variants -- believed to have been initially authored by German hackers -- are now among the most prolific pieces of malware to date and are believed to be responsible for infecting tens of millions of computers worldwide. The worm does not target any specific vulnerability. Rather it requires users to open a malicious file attachment in e-mails or to click on links that contain malicious attachments.
The last version of the worm appeared on Nov. 22, 2005, the inauguration day for Germany's first female chancellor. The latest Jan 5. trigger coincides with the 80th anniversary of the launch of the Nazi party and also coincides with a major German political convention on Friday.
It's not clear yet what damage the latest version could do, said Todd Brennan, chief technology officer at Bit9 Inc., a Cambridge, Mass.-based vendor of endpoint security products. Because the worm and its variants have been around for a while, many systems are likely to have been patched or otherwise protected against the threat, he said.
The fact that the worm is programmed to start its attack at a time when most IT shops are already on high alert over the Windows WMF flaw is also fortuitous, said Mike Murray, director of vulnerability and exposure research at nCircle Network Security Inc., in San Francisco.
'If nothing else, everyone is already on high alert because of the WMF stuff,' Murray said. 'The shields are up, and everybody's gotten wiser about opening up e-mail attachments. That said, Sober is always a threat.'
In addition to deploying tools to detect and remove previous strains of the worm, companies also need to monitor attempted connections to Web sites that the worm is programmed to seek out and run malicious files from, Microsoft warned in its advisory.
The targeted Web sites are people.freenet.de, scifi.pages.at, home.pages.at, free.pages.at and home.arcor.de, the company said.