Saw this on the SANS diary today:
A new sober variant is making the rounds, spreading surprisingly quickly.
We have received multiple reports; the file name we have seen is our_secret.zip.
Your anti-virus vendor of choice will have named it something interesting, with ‘sober’ somewhere in there.
More info about it can be found here:
The reason I post this is because the domain we use for e-mail got bombed with this virus today. Everyone with a purfoods.com e-mail address received multiple copies of it. Luckily I have Nod32 installed on all the PCs here in the Nevada office.
They all came from the same Qwest IP address, so I just blocked all e-mails that come from that IP address. Seems to have worked so far.