The fact that the worm is programmed to start its attack at a time when most IT shops are already on high alert over the Windows WMF flaw is also fortuitous, said Mike Murray, director of vulnerability and exposure research at nCircle Network Security Inc., in San Francisco.

'If nothing else, everyone is already on high alert because of the WMF stuff,' Murray said. 'The shields are up, and everybody's gotten wiser about opening up e-mail attachments. That said, Sober is always a threat.'

In addition to deploying tools to detect and remove previous strains of the worm, companies also need to monitor attempted connections to Web sites that the worm is programmed to seek out and run malicious files from, Microsoft warned in its advisory.

The targeted Web sites are people.freenet.de, scifi.pages.at, home.pages.at, free.pages.at and home.arcor.de, the company said.