W32/Sober.J@mm
Analysis
This virus is a 32-bit, UPX-packed executable of 43,247 bytes. It was coded in Visual Basic 5, and parts of the code are further encrypted in an effort to avoid detection by string-parsing methods.
If the virus is executed, it may display a fake error dialogue box (the original page shows a screenshot of the dialogue here).
The virus copies itself as two files to the System32 folder and registers itself to load at Windows startup. The file names vary: each is built by randomly concatenating strings from a file name table. The table contains these strings -
sys, host, dir, expoler, win, run, log, 32, disc, crypt, data, diag, spool, service, smss32
Using the table, the virus could construct file names like these -
syshost.exe
windisc.exe
dircrypt.exe
and so on. The registry will contain entries that load the newly created executables at startup.
Mass mailing routine
The virus harvests email addresses from the infected system by scanning files of certain types and compiling the addresses into capture log files. The log files are stored in the System32 folder as "datamx.dam" and "dgsfzipp.gmx".
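A host-side indicator check for the file artefacts described above, written as an added example and not taken from Fortinet or from the virus analysis. It assumes the dropped executables are formed from exactly two tokens of the file name table (the page's examples syshost.exe, windisc.exe and dircrypt.exe are all two-token names), takes the directory to inspect as a parameter so it can run on any folder (on a live Windows host that would be %SystemRoot%\System32), and the Run-key values in the demo are constructed, since the page gives no value names for the virus.

```python
"""Host indicator check for W32/Sober.J@mm file and startup artefacts.

Added example, not Fortinet's code. Assumption: dropped executables are
two tokens from the file name table joined together plus ".exe".
"""
from itertools import product
import ntpath
from pathlib import Path

# File name table from the analysis; "expoler" is the virus's own spelling.
NAME_TOKENS = ["sys", "host", "dir", "expoler", "win", "run", "log", "32",
               "disc", "crypt", "data", "diag", "spool", "service", "smss32"]

# Address-harvest log files named in the analysis.
HARVEST_LOGS = {"datamx.dam", "dgsfzipp.gmx"}


def candidate_executables(tokens=NAME_TOKENS):
    """Every two-token concatenation plus '.exe', lower-cased (assumed scheme)."""
    return {f"{a}{b}.exe" for a, b in product(tokens, repeat=2)}


def match_names(names, candidates=None):
    """Split an iterable of file names into (suspect executables, harvest logs).

    Matching is case-insensitive because NTFS file names are.
    """
    candidates = candidate_executables() if candidates is None else candidates
    executables, logs = [], []
    for name in names:
        lowered = name.lower()
        if lowered in candidates:
            executables.append(name)
        elif lowered in HARVEST_LOGS:
            logs.append(name)
    return sorted(executables), sorted(logs)


def scan_directory(directory):
    """Apply match_names to the regular files in one directory (not recursive)."""
    return match_names(p.name for p in Path(directory).iterdir() if p.is_file())


def suspicious_run_entries(run_values):
    """Flag startup entries whose target binary has a name built from the table.

    run_values: dict of value name -> command line, as read from a Run key.
    Returns the subset of entries whose executable base name is a candidate.
    """
    candidates = candidate_executables()
    flagged = {}
    for value_name, command in run_values.items():
        cmd = command.strip()
        if cmd.startswith('"'):
            exe = cmd[1:].split('"', 1)[0]   # quoted path, may contain spaces
        else:
            exe = cmd.split(" ", 1)[0]       # unquoted path up to the first space
        if ntpath.basename(exe).lower() in candidates:
            flagged[value_name] = command
    return flagged


if __name__ == "__main__":
    # Constructed Run-key values for the demo, not taken from a real infection.
    demo_run_key = {
        "ctfmon": "C:\\WINDOWS\\system32\\ctfmon.exe",
        "WinDisc": "\"C:\\WINDOWS\\system32\\windisc.exe\" /s",
    }
    print("flagged startup entries:", suspicious_run_entries(demo_run_key))
    print("matches in current directory:", scan_directory("."))
```

On a Windows host the same functions can be pointed at the real System32 folder and at the HKLM and HKCU Run keys; the check deliberately stays on file names and log files so that it does not depend on a signature database.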
The virus is selective about which harvested addresses it sends itself to: it skips any address containing one of these strings -
.dial.
.kundenserver.
.ppp.
.qmail@
.sul.t-
@arin
@avp
@ca.
@example.
@foo.
@from.
@gmetref
@iana
@ikarus.
@kaspers
@messagelab
@msn
@nai.
@panda
@smtp.
@sophos
@spiegel.
@www
abuse
announce
antivir
anyone
anywhere
bellcore.
bitdefender
-dav
detection
domain.
emsisoft
ewido.
freeav
free-av
ftp.
gold-certs
google
host.
icrosoft.
ipt.aol
law2
linux
mailer-daemon
me@
mozilla
msdn.
mustermann@
nlpmail01.
noreply
nothing
ntp-
ntp@
office
password
postmas
reciver@
redaktion
secure
service
smtp-
somebody
someone
spybot
sql.
subscribe
support
t-dialin
time
t-ipconnect
user@
variabel
verizon.
viren
virus
whatever@
whoever@
winrar
winzip
you@
yourname
The virus guesses whether the recipient can read German from the suffix of the email address. If the address ends in any of these -
.de, .ch, .at, .li
the virus will send emails with a body text in German, otherwise the body text is in English.
The file attached to the email message can be either a .ZIP file or a directly executable file with an extension such as .COM, .EXE, .PIF, .SCR or .BAT. The virus stores UUEncoded copies of itself in both ZIP and executable formats on the local system.
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option
- Alternatively, this virus can be blocked by FortiGate units by enabling blocking of file attachments with .ZIP, .COM, .EXE, .BAT, .PIF or .SCR extensions; using the FortiGate manager, enable blocking of these extensions for the SMTP, IMAP and POP3 services
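The attachment-extension block described in the second recommendation, as an added example of the check a mail gateway performs; this is not FortiGate's implementation, and the sample message is constructed inline with Python's standard email library.

```python
"""Mail-gateway style attachment check for the extensions listed in the
Recommended Action section. Added example, not FortiGate's code.
"""
from email import message_from_string, policy
from email.message import EmailMessage
import posixpath

# Extensions the recommendation says to block on SMTP, IMAP and POP3.
BLOCKED_EXTENSIONS = {".zip", ".com", ".exe", ".bat", ".pif", ".scr"}


def blocked_attachments(raw_message):
    """Return the attachment file names whose final extension is on the block list.

    Only the last extension counts, so "Photo.jpg.SCR" is treated as a .scr,
    and the comparison is case-insensitive.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        ext = posixpath.splitext(filename)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


def gateway_verdict(raw_message):
    """'block' if any attachment matches the list, otherwise 'allow'."""
    return "block" if blocked_attachments(raw_message) else "allow"


def build_sample_message():
    """Constructed multipart message: one harmless and two blocked attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    msg.add_attachment("plain text", filename="notes.txt")
    msg.add_attachment(b"\x00\x01", maintype="application",
                       subtype="octet-stream", filename="Photo.jpg.SCR")
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="zip", filename="data.zip")
    return msg.as_string()


if __name__ == "__main__":
    sample = build_sample_message()
    print("blocked:", blocked_attachments(sample))
    print("verdict:", gateway_verdict(sample))
```

The check deliberately looks at the declared file name rather than the MIME type, since the recommendation is framed in terms of extensions; a gateway that also inspects ZIP contents would catch an executable carried inside the archive, which this extension filter handles only by blocking the .ZIP outright.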
Detection Availability
Product | AV database
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |