"Sophos, a world leader in anti-virus and anti-spam protection for businesses, is advising that reports from England and Germany of the Windows worm W32/Sober-A have been steadily increasing since its discovery on Monday. The worm has duped some computer users with its ability to check the domain of the recipient's email address and change the text language accordingly. If it is '.de' (Germany), '.li' (Liechtenstein), '.at' (Austria) or '.ch' (Switzerland), the subject line and message text are displayed in German. All other recipient addresses receive an English subject and body text. If an infected email attachment is opened, the Sober worm starts to spread by collecting email addresses found on the infected user's computer and sending itself to each of them. The displayed text uses sophisticated techniques to convince the user to double-click on the attachment, such as pretending to be an operating system patch to safeguard the recipient's computer or anti-virus protection to protect the user against viruses." http://www.sophos.com/virusinfo/articles/sobera.html http://www.sophos.com/virusinfo/analyses/w32sobera.html AVG, AVP (KAV), eTrust, F-Prot, Symantec, Mcafee, NOD32 have it in its detection. DrWeb has it in its detection as Win32.HLLM.Odin.