Sober.AA is a mass mailing worm that uses English and German texts in the emails generated by this worm.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
This worm is written in Visual Basic. It is compressed using UPX.
Upon execution, this worm creates the folder PoolData in the Windows directory. It then creates several copies of itself as follows:
These files are identical to each other with a single byte difference located at offset 0xA0.
This worm also creates the following Registry entries in order to enable its automatic execution upon system start up:
Before spreading, this worm scans files with certain extensions on all hard disk drives to harvest email addresses. All files with the following extensions are scanned:
This worm creates the following files, where the system harvested email addresses are stored:
It can then send emails with English and German based text together with a Zip archived copy of itself as an attachment.
It ignores any email addresses that contain any of the following substrings:
The worm composes the following German messages:
Subject:
Body:
Ihr Passwort wurde erfolgreich geaendert. Ihre neuen Account-Daten und Passwort befinden sich gesichert im Anhang! **-** Web: http://www.[spoofed] **-** email: [spoofed]
Attachment:
--- or ---
Subject:
Body:
Diese Nachricht wurde Automatisch generiert. - Ihre EMail konnte nicht empfangen oder gesendet werden. - Mail-Text sowie Mail-Header befinden sich im Anhang. *** auto mailerdaemon XPath 7 *** (c) by [spoofed]
Attachment:
--- or ---
Subject:
Body:
Danke das Sie sich fuer uns entschieden haben. Um ihren neuen Account zu aktivieren, folgen sie der kurzen Anleitung im Anhang. Es sind nur 2 Schritte noetig! ***** Web: http://www.[spoofed] ***** email: [spoofed]
Attachment:
It also composes the following English messages:
Subject:
Body:
You notified us that you have forgotten your password. We have changed your password to a random sequence of letters and digits! For more detailed information, see the attached password file ... **** Web: http://www. [spoofed] **** eMail: [spoofed]
Attachment:
--- or ---
Subject:
Body:
Your eMail has occurred an unknown error on our Server. Please read your mail and check the text. The full email is attached! *** auto mailerdaemon X.Path 4.2 *** (c) by [spoofed]
Attachment:
These email messages may appear to come from the following senders: