
Win32.HLLM.Generic.285

(W32/Sober.f@MM, WORM_SOBER.GEN, Worm/Sober.F, I-Worm/Sober.F, System error, Win32/Sober.F!Base64!Worm, Win32/Sober.F!Worm, W32/Sober.eml, Email-Worm.Win32.Sober.f, WORM_SOBER.AQ, W32.Sober.F@mm, Win32.Sober.F@mm, Parser error, Worm:Win32/Sober.F@mm, Win32/Sober.F@mm, Win32.HLLW.Sober.f, WORM_SOBER.F)

Added to the Dr.Web virus database: 2004-04-04

Virus description added:

Description

Win32.HLLM.Generic.285 (also known as Sober.F) is a mass-mailing worm that affects computers running Windows 95/98/Me/NT/2000/XP. The worm's program module, packed with UPX, is 42,496 bytes in size.

Action

When executed, the worm drops a copy of itself into the Windows folder (C:\Windows on Windows 9x/Me/XP, C:\WINNT on Windows NT/2000). The file name is composed of the following strings

     sys, host, dir, expolrer, win, run, log, 32, disc, crypt, data, diag, spool, service, sms, s32

followed by the .exe extension.

It points to this copy from the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
The value name under this key is also chosen from the list above.

The worm drops several more files into the same Windows folder:

  • zmndpgwf.kxx
  • bcegfds.lll
  • zhcarxxi.vvx
  • syst32win.dll and spoofed_recips.ocx are used by the worm as storage for harvested mail addresses
  • winsys32xx.zzp and winhex32xx.wrm are base64-encoded copies of the worm
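The persistence details above (a Run-key value and an executable in the Windows folder whose names are built from the listed strings) together with the fixed companion file names lend themselves to a simple host-triage check. The following is an added example and not Dr.Web's code; it assumes that the executable name is a concatenation of one or more of the listed strings plus ".exe", and it runs offline against constructed sample data (a Run-key dump and a directory listing) rather than querying a live registry.

```python
"""Triage helper for the Sober.F indicators described in this entry.

Added example, not Dr.Web's code. Assumption: the worm's .exe name is a
concatenation of one or more of the listed strings; the Run-key value name
is drawn from the same list. Uses ntpath so Windows paths parse on any OS.
"""
import ntpath
from typing import Dict, List

# Name fragments listed in the description (the "expolrer" misspelling is the worm's own)
SOBER_TOKENS = ["sys", "host", "dir", "expolrer", "win", "run", "log", "32",
                "disc", "crypt", "data", "diag", "spool", "service", "sms", "s32"]

# Fixed companion files the description says are dropped into the Windows folder
SOBER_DROPPED_FILES = {"zmndpgwf.kxx", "bcegfds.lll", "zhcarxxi.vvx",
                       "syst32win.dll", "spoofed_recips.ocx",
                       "winsys32xx.zzp", "winhex32xx.wrm"}


def is_token_composition(stem: str) -> bool:
    """True if `stem` can be split entirely into SOBER_TOKENS (word-break DP).

    Rejects "explorer" (not in the list) but accepts "expolrer" and "syshost32".
    """
    stem = stem.lower()
    n = len(stem)
    reachable = [False] * (n + 1)
    reachable[0] = True
    for i in range(n):
        if not reachable[i]:
            continue
        for tok in SOBER_TOKENS:
            if stem.startswith(tok, i):
                reachable[i + len(tok)] = True
    return n > 0 and reachable[n]


def suspicious_run_entries(run_values: Dict[str, str],
                           windows_dir: str = r"C:\Windows") -> List[str]:
    """Return Run-key value names whose command is a token-composed .exe in the Windows folder.

    `run_values` maps value name -> command string, as exported from
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.
    """
    hits = []
    wanted_dir = windows_dir.lower().rstrip("\\")
    for value_name, command in run_values.items():
        path = command.strip().strip('"')
        folder = ntpath.dirname(path).lower().rstrip("\\")
        stem, ext = ntpath.splitext(ntpath.basename(path))
        if ext.lower() == ".exe" and folder == wanted_dir and is_token_composition(stem):
            hits.append(value_name)
    return hits


def suspicious_files(listing: List[str]) -> List[str]:
    """Return files from a Windows-folder listing that match the dropped-file names
    or the token-composed .exe pattern, sorted for stable reporting."""
    hits = []
    for name in listing:
        stem, ext = ntpath.splitext(name)
        if name.lower() in SOBER_DROPPED_FILES or (
                ext.lower() == ".exe" and is_token_composition(stem)):
            hits.append(name)
    return sorted(hits)


# Constructed sample data: one benign and one suspicious Run entry, mixed listing
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "syshost32": r"C:\Windows\syshost32.exe",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
}
SAMPLE_WINDOWS_LISTING = ["explorer.exe", "notepad.exe", "zmndpgwf.kxx",
                          "spoofed_recips.ocx", "win.ini", "syshost32.exe",
                          "regedit.exe"]

if __name__ == "__main__":
    print("Run-key hits:", suspicious_run_entries(SAMPLE_RUN_VALUES))
    print("File hits:   ", suspicious_files(SAMPLE_WINDOWS_LISTING))
```

The name heuristic is deliberately narrow: it only fires for executables located directly in the Windows folder and composed entirely of the listed strings, so common system binaries such as explorer.exe or services.exe are not flagged. On a live host the two dictionaries would be fed from a registry export and a directory listing of the Windows folder, and any hit should be confirmed by the fixed companion files listed above rather than treated as conclusive on its own.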