Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:29/04/2007
In the wild:Yes
Reported Infections:High
Distribution Potential:High
Damage Potential:Medium
Static file:Yes
File size:89.274 Bytes
MD5 checksum:b8c0c8f33f47c39794dff68489a706ce
VDF version:
IVDF version: - Friday, May 4, 2007
Engine version:

 General Method of propagation:
   • Email

   •  Symantec: W32.Sober.AA@MM
   •  Mcafee: W32/Sober.gen@MM
   •  Kaspersky: Email-Worm.Win32.Sober.aa
   •  F-Secure: Email-Worm.Win32.Sober.aa
   •  Sophos: W32/Sober-AD
   •  Bitdefender: Win32.Sober.Gen

It was previously detected as:
   •  Worm/Sober.GEN

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Disable security applications
   • Downloads malicious files
   • Uses its own Email engine
   • Registry modification

   - synchronizes time with several ntp servers (,
   - event-/time-driven
   - contains encrypted strings

 Files  It creates the following directory:
   • %WINDIR%\PoolData\

It drops copies of itself using a filename from lists
– To: %WINDIR%\PoolData\ Using one of the following names:
   • smss.exe
   • csrss.exe
   • services.exe

It overwrites a file.

The following files are created:

– A file that is for temporary use and it might be deleted afterwards:
   • %WINDIR%\PoolData\xpsys.ddr

It tries to download some files:

The built-in time synchronisation via the NTP protocol will trigger on the following point of time:
Date: 05/05/2007

– The locations are the following:
At the time of writing this file was not online for further investigation.

 Registry The following registry key is added in order to run the process after reboot:

– WinData
   • c:\windows\\PoolData\\services.exe

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:
The language in which the email is sent out depends on the Top-Level-Domain.

Trigger conditions:
According to the time obtained via the NTP protocol it will start the mailing routine.

Generated addresses. Please do not assume that it was the sender's intention to send this email to you. He might not know about his infection or might not even be infected at all. Furthermore it is possible that you will receive bounced emails telling you that you are infected. This might also not be the case.

– Email addresses found in specific files on the system.
The subject of the email is constructed out of the following:

    Sometimes it starts with one of the following:
   • Ihr Passwort wurde geandert!

    Sometimes continued by one of the following:
   • Fehlerhafte Mailzustellung

    Sometimes continued by one of the following:
   • Ihr Account wurde eingerichtet!

    Sometimes continued by one of the following:
   • Your Updated Password!

–  The body contains random characters.

The body of the email is one of the following:
Sometimes it starts with one of the following:

   • Danke das Sie sich fuer uns entschieden haben.

Sometimes continued by the following:

   • Diese Nachricht wurde automatisch generiert


The attachment is an archive containing a copy of the malware itself.

 File details Programming language:
The malware program was written in Visual Basic.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Dennis Elser on Friday, May 4, 2007
Description updated by Dennis Elser on Monday, May 7, 2007

Back . . . .