bob
Joined: 26 May 2004
Posts: 524
Posted: Thu Jul 01, 2004 7:18 pm
Post subject: WORM_SOBER.G information
Friends, I have got some useful information about this latest worm from F-Secure.
Here it is:
The worm is written in Visual Basic. The worm's file is a PE executable of length 49661 bytes, packed with a modified version of UPX file compressor. The worm has its own SMTP engine.
Installation to system
When the worm's file is started it shows the following messagebox:
If a user clicks the 'Yes' button, the worm creates the converted_<filename>.txt file, where <filename> is the name of the worm's file. The worm writes random garbage to that file and opens it with Notepad:
Then the worm installs itself to system. It copies itself to Windows System folder with a semi-randomly generated name and EXE extension. The following text strings are used to generate the file name of the worm's executable:
sys
host
dir
expolrer
win
run
log
32
disc
crypt
data
diag
spool
service
smss32
After that the worm creates startup keys for its file in Windows Registry. The key names are also semi-randomly generated from the above given list. The following keys are created:
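A triage check for the file-naming scheme described above, as an added example that is not part of the original post or of F-Secure's description. It assumes the executable's name is two or more of the listed strings concatenated (the description only says "semi-randomly generated"); `split_fragments`, `triage`, `scan` and the sample directory listing are constructed for illustration.

```python
# Name fragments listed in the description above (spelling kept as published).
FRAGMENTS = ["sys", "host", "dir", "expolrer", "win", "run", "log", "32",
             "disc", "crypt", "data", "diag", "spool", "service", "smss32"]
REPORTED_SIZE = 49661  # file length in bytes given in the description


def split_fragments(stem):
    """Return fragments that spell `stem` exactly, or None if it cannot be split.

    Dynamic programming over prefix lengths, so overlapping fragments such as
    'smss32' and '32' are handled without exponential backtracking.
    """
    stem = stem.lower()
    best = {0: []}  # prefix length -> one fragment sequence that reaches it
    for end in range(1, len(stem) + 1):
        for frag in FRAGMENTS:
            start = end - len(frag)
            if start in best and end not in best and stem[start:end] == frag:
                best[end] = best[start] + [frag]
    return best.get(len(stem))


def triage(filename, size=None, min_fragments=2):
    """Classify one file name seen in the Windows System folder.

    min_fragments=2 is an assumption of this example, not a documented rule.
    """
    stem, dot, ext = filename.rpartition(".")
    if not dot or ext.lower() != "exe":
        return "ignore"
    parts = split_fragments(stem)
    if parts is None or len(parts) < min_fragments:
        return "ignore"
    return "match+size" if size == REPORTED_SIZE else "name-match"


def scan(listing):
    """Return (name, verdict) for every entry that is not ignored."""
    results = [(name, triage(name, size)) for name, size in listing]
    return [r for r in results if r[1] != "ignore"]


# Constructed sample listing: (file name, size in bytes).
SAMPLE = [("services.exe", 101376), ("winlogon.exe", 502272),
          ("rundll32.exe", 33792), ("syshost32.exe", 49661),
          ("DataCryptRun.EXE", 12000), ("converted_doc.txt", 840)]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE):
        print(f"{verdict:11} {name}")
```

A name match alone is only a lead for review; legitimate files such as `services.exe` and `winlogon.exe` are rejected because part of the name is not on the list.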