The virus' download phase was to start globally at midnight Friday - 7 p.m. EST - but it had, so far, not activated.
Scott Chasin, chief technology officer at MX Logic, cautioned, "We are not out of the woods yet."
"Just because we did not see anything on Jan. 6 does not mean that we won't see the thousands of Sober.Z infected PCs leveraged in the future to initiate a spam attack or denial of service attack," he said. "The Sober worm has been very successful and very prolific, and I don't believe we have seen the last of it."
In June 2004, an earlier variant of Sober sent emails to thousands of users reading, "What Germany needs is German children" or other racist messages. That attack was related to elections in the country's parliament.
The Sober family appears to be authored by a German speaker or group of German speakers and is comprised by nearly 30 variants dating back to October 2003. Infected emails propagate as attachments with a social engineering component, enticing readers to open malicious files with messages using information on current events. Sober is also a bi-lingual worm, sending German-language messages to German email addresses, and English-language messages to other addresses.
F-Secure said Monday that Sober.y, which had been the firm's most tracked virus since November, had disappeared from its rankings. However, thousands of PCs remained infected with the virus, the firm said.
"There still are at least tens of thousands of infected machines out there. They just aren't spreading the virus further: they're just tying to download and run a mystery file – which isn't there to be downloaded," Mikko Hypponen, F-Secure director, said on the firm's website.
The U.S. Computer Emergency Readiness Team warned PC users about Sober's automatic update capabilities.
The organization advised users to keep up to date on OS patches and antivirus software, ignore unsolicited links and to refer to Microsoft and U.S.-CERT advisories for additional information.