Since October 2003, variants of the Sober worm have spread to countless systems. One variant (known as WORM_SOBER.AG, W32/Sober-X, W32/Sober-Z, Win32.Sober.W, Sober.Y, Sober.X, W32/[email protected]!M681, and W32/[email protected]) was originally discovered in November 2005 and is slated to start spreading again this week. Its internal timer will trigger on January 6.
When triggered, the worm will try to spread itself via email using its own built-in SMTP mailer. When received and activated by another system, the worm will create a directory, create several files in that directory, try to deactivate any active previous Sober variants, gather email addresses from assorted files on the system, and perform other actions designed to propagate itself. It will also attempt to download a file from a long list of Web sites. Symantec's advisory contains a list of those sites, which you could use to block possible access.
The real danger of this Sober variant is that it tries to disable various security applications, thus rendering a system vulnerable to innumerable attacks. Be sure your systems are clean by Thursday night because it will trigger first thing Friday!