
The first samples were detected shortly after midnight on Thursday, and ESET's ThreatSense(TM) technology stopped the new Sober variant immediately, once again underlining the need for proactive protection. ESET's NOD32 anti-threat solution uses heuristic analysis to detect malicious code in real time, without waiting for a signature update.
Win32/Sober.R, a member of the Sober family, contains a heavily encrypted section of code that attempts to terminate security clean-up tools such as McAfee's Stinger. The worm also tries to remove older Sober variants, and the file scanning this involves can slow the infected machine down significantly. Sober.R arrives as a .zip file attached to an email written in English or German; the worm chooses the language of the message based on the recipient's regional domain name. Using its own SMTP engine, Win32/Sober.R mass-mails copies of itself to additional email addresses. The sender address is spoofed, and the message body may be 'signed' with one of the names Rita, Sandra, Nicole, Hannelore, Kerstin or Elke.
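As an added illustration, not code from ESET or from this release, the traits listed above can be turned into a simple mail-triage heuristic: flag a message that carries a .zip attachment and whose body is 'signed' with one of the first names the worm uses. The script is assumed to run over raw RFC 822 messages taken from a mail queue; the two sample messages are constructed for this example, and the choice to inspect only the last three non-empty body lines for the signature is an arbitrary one.

```python
import email
from email import policy

# Names the advisory says Sober.R uses to 'sign' its message bodies
SOBER_SIGNATURES = ("rita", "sandra", "nicole", "hannelore", "kerstin", "elke")


def sober_indicators(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and report the Sober.R traits it shows.

    Heuristic only: a .zip attachment plus a body 'signed' with one of the
    names above. The spoofed From: header cannot be verified offline, so it
    is reported but not scored.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    zip_attachments = []
    text_parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not a leaf part
        filename = part.get_filename()
        if filename and filename.lower().endswith(".zip"):
            zip_attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            text_parts.append(part.get_content())

    # Look at the last few non-empty body lines for a bare first name
    # (window size of 3 is an assumption, not something the advisory states)
    lines = [ln.strip().lower() for ln in "\n".join(text_parts).splitlines() if ln.strip()]
    signature = None
    for ln in lines[-3:]:
        for name in SOBER_SIGNATURES:
            if ln == name or ln.endswith(" " + name):
                signature = name
                break
        if signature:
            break

    return {
        "from": str(msg.get("From", "")),
        "zip_attachments": zip_attachments,
        "signature": signature,
        "suspect": bool(zip_attachments) and signature is not None,
    }


# Constructed sample: German-language lure with a zip attachment, signed "Sandra"
SAMPLE_SOBER = b"""From: "Sandra" <sandra@example.net>
To: someone@example.de
Subject: Ihre Rechnung
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Hallo,
die Datei ist im Anhang.

Sandra
--XYZ
Content-Type: application/zip; name="rechnung.zip"
Content-Disposition: attachment; filename="rechnung.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""

# Constructed sample: ordinary plain-text mail, no attachment
SAMPLE_BENIGN = b"""From: Thomas <thomas@example.org>
To: someone@example.de
Subject: Meeting
Content-Type: text/plain; charset="utf-8"

Hi, see you tomorrow.

Thomas
"""

if __name__ == "__main__":
    for label, raw in (("sober", SAMPLE_SOBER), ("benign", SAMPLE_BENIGN)):
        print(label, sober_indicators(raw))
```

Because the From: address is spoofed, nothing in the header can be trusted to identify the real source; a production filter would pair this check with inspection of the zip's contents and with its own signature or heuristic engine rather than rely on the name list alone.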
"The author of the Sober worms is very aware of the AV industry, as this variant appeared during the Virus Bulletin conference in Dublin," said Andrew Lee, chief technology officer of ESET. "It may be that the author is trying to maximize the amount of time before detection by releasing at a time when a significant portion of the antivirus industry is tied up at a conference. However, ESET customers were protected from the Win32/Sober.R worm in real time due to our powerful ThreatSense heuristics."
ESET is providing a free remover for the Win32/Sober.R worm, which can be downloaded at www.eset.com.