Yesterday we reported that computers infected with Sober.P were updating to Sober.Q. This is possible because the Sober.P worm can connect to websites to download new code and execute it. The original Sober.P worm was quite active on the internet until Tuesday; it tricked users into believing they had won a ticket to the 2006 World Cup in Germany, but other variants were also spreading on the web.
But suddenly on Tuesday the worm stopped spreading. Security experts were amazed, but they soon discovered that the worm was 'upgrading' itself on infected systems to Sober.Q. On Saturday Sober.Q wasn't active yet, but today anti-virus firm Kaspersky reports that Sober.Q has become active. The worm doesn't spread itself but sends out huge loads of spam messages that link to right-wing articles.
I have received quite a few of these Sober.Q e-mails myself. They are either in German or English and they ask the recipient to follow a link to read an article on a website. Up till now, computers infected with Sober.Q solely spread these spam messages; they do not spread the worm (yet).
One of the e-mails I received was about the Dresden bombing at the end of the Second World War and linked to Spiegel.de. Most linked articles appear to be political and quite right-wing. In a way we're seeing the same story as with Sober.G a year ago. Sober.G downloaded Sober.H, and Sober.H in turn sent out enormous amounts of racist spam in June 2004.
Last year the Netherlands was completely flooded by e-mails generated by Sober.H. Judging from the numbers that Sober.P generated just before it stopped spreading, it probably won't be that much different this time.
Sober.Q worm starts mass spamming
Posted on Sunday, May 15 2005 @ 12:19 CEST by Thomas De Maesschalck