Sober alert over Paris Hilton 'attachment'

New worm strain hopes to hook users with FBI threats or video clips

Tags: hate mail, sober virus, sober, paris hilton

By John Borland

Published: 23 November 2005 08:50 GMT

A new variant of the Sober worm made the network rounds on Tuesday, attempting to entice people into clicking on attachments purporting to be threats from the FBI or video clips of Paris Hilton and her reality TV co-star Nicole Richie.

Antivirus companies said the worm gained some traction over the weekend and on Monday. It's a minor modification of the "Sober" virus that has flared up several times over the past year. But this latest variant, graded as a medium-level threat, appeared to be trailing off as security providers have responded.

David Perry, the global director of education at antivirus company Trend Micro, said: "This one is virulent and will reproduce itself easily but does not have much of a payload. For the time being, this particular strain is probably done."

Some antivirus companies said the worm was still spreading fast, however. In a blog posting, security company F-Secure said internet companies have seen "several millions of infected emails" over the course of hours.

F-Secure chief research officer Mikko Hypponen wrote: "The numbers we're now seeing... are just huge. This is the largest email worm outbreak of the year, so far."

One version of the email carrying the worm appears to be a letter from the FBI saying the agency has found evidence the computer user has been visiting illegal websites. It asks the recipient to click on the attachment to answer questions.

The FBI released a warning on Tuesday saying it never sends unsolicited emails.

The agency said in its statement: "The FBI takes this matter seriously and is investigating. Users are instructed to delete the email without opening it."

Another version of the email used a message purporting to be from the Central Intelligence Agency. A third, a German-language variant, contained a threatening message from a German law enforcement agency.

A separate version purports to offer a download manager for "video clips, pictures and more" of Hilton and Richie. However, all operate the same way once the attachment is activated.

If activated, the worm drops several files onto a computer, searches for email addresses stored in address books or elsewhere in memory, and sends copies of itself to those destinations. If it finds Microsoft's anti-spyware and antivirus software running, it turns the protections off.

Several other variants of a different virus, dubbed "Mytob", are also making the rounds. The emails carrying them purport to be a message from an email service provider or from support staff providing notification about a changed password or suspended account.

Antivirus companies rate the danger of this worm as "low" but, as always, advise against clicking on unknown attachments to emails.

John Borland writes for CNET News.com
