Description
Win32.HLLM.Generic.285 (also known as Sober.F) is a mass-mailing worm that affects computers running Windows 95/98/Me/NT/2000/XP. The worm's program module is UPX-packed and is 42,496 bytes in size.
Action
When executed, the worm drops a copy of itself into the Windows folder (C:\Windows on Windows 9x/Me/XP, C:\WINNT on Windows NT/2000). The file name is composed of strings from the following list
sys, host, dir, expolrer, win, run, log, 32, disc, crypt, data, diag, spool, service, sms, s32
followed by the .exe extension.
The worm registers this copy for autostart under the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The name of the value it creates under this key is also composed of strings from the list above.
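The persistence pattern above (an .exe dropped directly into C:\Windows or C:\WINNT, named by concatenating fragments from the list, and referenced from the HKLM Run key) can be hunted for offline in a registry export. The following Python script is an added example, not part of the original description: it parses the `"name"="command"` lines of a `reg export` of the Run key, checks whether the target sits directly in one of the two drop folders, and decides with a backtracking check whether the file name (and the value name) is built only from the listed fragments. The registry export, the value names and the benign entries in it are constructed sample data.

```python
"""Hunt an exported HKLM Run key for entries matching the drop pattern described
above (added example; the registry export below is constructed sample data)."""
import ntpath
import re
from functools import lru_cache

# Name fragments listed in the description ("expolrer" is the worm's own spelling).
NAME_TOKENS = ("sys", "host", "dir", "expolrer", "win", "run", "log", "32", "disc",
               "crypt", "data", "diag", "spool", "service", "sms", "s32")

# Drop folders named in the description, lower-cased for comparison.
WINDOWS_DIRS = {r"c:\windows", r"c:\winnt"}

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of `reg export` output: three benign entries, two entries
# named the way the description says the worm names its copy, and an unrelated
# key that must be ignored. .reg files double every backslash in value data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\WINDOWS\\updater.exe"
"sysdir32"="C:\\WINDOWS\\sysdir32.exe"
"hostlog"="C:\\WINNT\\hostlog.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"runsys"="C:\\WINDOWS\\runsys.exe"
'''


def is_token_concatenation(stem: str, tokens=NAME_TOKENS) -> bool:
    """True if `stem` is exactly one or more tokens joined together (case-insensitive).

    Backtracks over all splits, so ambiguous names such as "sms32" (sms + 32)
    are still recognised."""
    s = stem.lower()
    if not s:
        return False

    @lru_cache(maxsize=None)
    def consumes(i: int) -> bool:
        if i == len(s):
            return True
        return any(s.startswith(t, i) and consumes(i + len(t)) for t in tokens)

    return consumes(0)


def _unescape_reg(value: str) -> str:
    """Undo .reg escaping: `\\\\` -> `\\` and `\\"` -> `"`."""
    return re.sub(r"\\(.)", r"\1", value)


def _executable_from_command(command: str) -> str:
    """Return the executable part of a Run command, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_run_values(reg_text: str) -> dict:
    """Collect `"name"="command"` pairs that sit under the HKLM Run key only."""
    values = {}
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if m:
            values[_unescape_reg(m.group(1))] = _unescape_reg(m.group(2))
    return values


def find_sober_like_run_entries(reg_text: str) -> list:
    """Flag Run entries whose target is an .exe directly in a Windows drop folder
    with a name built only from NAME_TOKENS. Returns sorted tuples of
    (value_name, executable_path, value_name_is_also_token_built)."""
    hits = []
    for name, command in parse_run_values(reg_text).items():
        exe = _executable_from_command(command)
        folder = ntpath.dirname(exe).lower().rstrip("\\")
        stem, ext = ntpath.splitext(ntpath.basename(exe))
        if folder in WINDOWS_DIRS and ext.lower() == ".exe" and is_token_concatenation(stem):
            hits.append((name, exe, is_token_concatenation(name)))
    return sorted(hits)


if __name__ == "__main__":
    for value_name, path, name_matches in find_sober_like_run_entries(SAMPLE_REG):
        print(f"suspicious Run entry {value_name!r} -> {path} "
              f"(value name from token list: {name_matches})")
```

On a live system the input is produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` and fed to `find_sober_like_run_entries`. A hit is an indicator to follow up (hash the file, compare its size with the 42,496 bytes given above), not proof on its own: the token list can also compose plausible benign-looking names, which is exactly why the worm uses it.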
The worm drops several more files into the same Windows folder: