SAN FRANCISCO - CNET.com is predicting that another Sober worm attack is likely in the first week of January, just in time to fill everyone's e-mail boxes with junk when they return to work after the Christmas holidays.

Researchers at iDefense predict the attack will come on January 5 or 6. Once installed, the small virus opens a backdoor and calls out to a predetermined Web server IP address, from which it loads a more sophisticated version of itself (or it transforms the infected PC into a conduit for spam, pornography, or a host of other malicious uses).

If the small virus downloaded the larger code upon infection, there would be a collision of newly infected machines and second-wave infections, so virus writers have started delaying the second wave by several days or even several weeks.

Most of the Sober variants use a trigger delay; they install quickly but then sleep for a preset period of time before reaching out and contacting the Internet for a new download. The latest Sober variants, released November 15, 2005, added a new wrinkle: encryption and a random number generator. Using a complex algorithm, Sober produces a series of different dates, each with its own set of Web server ISPs. In other words, every so many days, Sober changes its ISP contact information (using mostly free Web hosts in Germany and Austria). According to F-Secure, the antivirus vendor that first broke the algorithm, these addresses have been mostly bogus; at least the addresses produced do not correspond to live Web servers. The list of probable Web servers changes every 14 days. In looking at the possible combinations of dates and Web servers, security company iDefense thinks that the addresses set to activate January 5, 2006, are particularly significant.

iDefense relied upon a little social-engineering logic to figure this one out. Previous versions of Sober have struck on dates significant to the National Socialist (Nazi) Party in Germany. For example, Sober.n coincided with April 19, Hitler's birthday. Other variants spread long tracts of neo-Nazi propaganda. On January 5, 1919, the National Socialist (Nazi) Party in Germany was founded. Of the possible dates for the next Sober virus attack, iDefense thinks this is the most likely date (although F-Secure now says the date is after January 5, 2006, so it could be January 6, 2006, when the actual attack occurs).

It is believed that the authors of the Sober virus live or work in the Bavarian district of Germany, although whether they believe the vitriol they spam is another matter. The spread of Nazi propaganda could be no more than a cruel Internet joke. For example, Netsky author Sven Jaschan (also from Germany) buried snippets of Russian within his code to fool researchers into thinking the Netsky code originated in Russia. Then again, the level of sophistication in each variant suggests professionals, not amateurs, might be behind Sober.

It’s important to note that your PC must already be infected with Sober before it becomes a foot soldier in this expected January 5 assault. No infection, no participation. So clean your desktop computer now. For corporate systems, it’s also important to create firewall rules that block IP requests to the January 5 addresses. According to F-Secure, the addresses to be contacted on January 5, 2006, include:

At present, these addresses have not been registered. All correspond to free Web host sites in Germany and Austria. Assuming they are real, someone will have to register these addresses before January 5, 2006. Perhaps the individuals responsible will be dumb enough to give away enough personal information to lead to their arrest.
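
Because every address sits in a user directory on a shared free Web host, blocking the host's IP address would also cut off every unrelated site on it. The following Python is an added example, not code from CNET, iDefense or F-Secure: it matches proxy-log requests on host plus directory prefix and lists the internal clients that made them, which are the machines to check for infection. The hostnames, directories, log format and function names are constructed placeholders.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed placeholder entries (host, path prefix); not the F-Secure list.
BLOCKLIST = [("freehost.example", "/abcdxyz/"), ("pages.example.net", "/qwertyu/")]

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
# A 404 still counts: the request attempt itself is the sign of infection.
SAMPLE_LOG = """\
2006-01-05T08:01:12 10.0.0.21 GET http://freehost.example/abcdxyz/update.bin 200
2006-01-05T08:01:40 10.0.0.30 GET http://freehost.example/family-photos/index.html 200
2006-01-05T08:02:03 10.0.0.22 GET http://FREEHOST.example:80/%61bcdxyz/ 404
2006-01-05T08:02:09 10.0.0.31 GET http://freehost.example/abcdxyz2/page.html 200
2006-01-05T08:03:55 10.0.0.23 GET http://pages.example.net/pics/../qwertyu/x 404
""".splitlines()


def normalize(url):
    """Return (host, path) with scheme, port, case, escapes and dot-segments removed."""
    if "://" not in url:
        url = "http://" + url  # published lists often omit the scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    path = posixpath.normpath("/" + unquote(parts.path).lstrip("/"))
    return host, path.rstrip("/") + "/"


def is_blocked(url, blocklist=BLOCKLIST):
    """True only when both the host and the user directory match an entry."""
    host, path = normalize(url)
    return any(host == h and path.startswith(p) for h, p in blocklist)


def clients_to_check(log_lines, blocklist=BLOCKLIST):
    """Map each internal client IP to the blocked URLs it requested."""
    hits = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines
        client, url = fields[1], fields[3]
        if is_blocked(url, blocklist):
            hits.setdefault(client, []).append(url)
    return hits


if __name__ == "__main__":
    for client, urls in sorted(clients_to_check(SAMPLE_LOG).items()):
        print(client, len(urls), "request(s) to blocked directories")
```
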

CNET.com advised everyone to keep their antivirus protection primed over the holidays and to install a firewall if they haven't already. And don't be too surprised if you find a ton of junk e-mail in your in-box starting January 6, 2006, or you find your e-mail traffic is a little slower. It's Sober.