The virus' download phase was to start globally at midnight Friday - 7 p.m. EST - but it had, so far, not activated, said F-Secure on Friday.
"The Sober activation deadline passed around eight hours ago. We've been monitoring the locations of the files that infected machines are now trying to download. So far none of them have been activated," the firm said. "We hope it stays that way."
Firms warned that the malware was designed to connect to numerous services this week, coinciding with the anniversary of the formation of German Nazi Party.
In June 2004, an earlier variant of Sober sent emails to thousands of users reading, "What Germany needs is German children" or other racist messages. That attack was related to elections in the country's parliament.
The Sober family appears to be authored by a German speaker or group of German speakers and is comprised by nearly 30 variants dating back to October 2003. Infected emails propagate as attachments with a social engineering component, enticing readers to open malicious files with messages using information on current events. Sober is also a bi-lingual worm, sending German-language messages to German email addresses, and English-language messages to other addresses.
Ken Dunham, senior researcher for iDefense, said users may not have seen the last of this Sober variant.
Every 14 days, Sober attempts to download code from a new set of pseudo-random URLs. While the anti-virus community appears to have victory today, the story is not yet complete regarding future potential Sober activity," he said. "Only time will tell if Sober is finished, like SoBig in 2003, or if new variants will emerge."