W32/Sins.A!worm
Analysis
- Virus is 32-bit, with a file size of 28,672 bytes, in a file named "sins.exe"
- Virus may be received from an infected computer as the file "sins.exe"
- If virus is run, it may display a fake error message like this one:
    Error
    Access Violation Error!!
    (Address:0x000f0852-0x000F08FF)
    [OK]
- Virus may attempt to connect via HTTP to download three files from the IP address 66.36.237.9 (this resolves as the web address script.mine.nu):
    vbdlls.exe
    sin.dll
    msn.exe
- Virus will then initiate vbdlls.exe, which is actually a VB runtime library package
- Virus launches msn.exe - this file is written in Visual Basic 6 and requires vb6ko.dll (Korean VB6 runtime)
- The viral MSN.EXE will attempt to send SINS.EXE to contacts listed in MSN Messenger
Recommended Action
- Using the Administrator Console for the FortiGate unit, adjust the current profile for all users affected and enable "Web URL Block"
- Add the IP address 66.36.237.9 into the Web Filter/URL Block section of the Administrator Console
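
An added example (not part of the original write-up and not Fortinet code): a Python check of web proxy logs for clients that already requested the three files named in the analysis, to find machines that need cleaning in addition to the URL block. The log layout and the sample lines are constructed assumptions; the IP address, host name and file names come from the analysis above.

```python
from urllib.parse import urlsplit
import posixpath

# Indicators taken from the analysis above.
DOWNLOAD_HOSTS = {"66.36.237.9", "script.mine.nu"}
PAYLOADS = {"vbdlls.exe", "sin.dll", "msn.exe"}

# Constructed sample lines. The "time client method url status" layout is an
# assumed proxy log format, not FortiGate's own.
SAMPLE_LOG = """\
2004-03-01T10:00:01 10.0.0.15 GET http://66.36.237.9/vbdlls.exe 200
2004-03-01T10:00:02 10.0.0.15 GET http://66.36.237.9/sin.dll 200
2004-03-01T10:00:03 10.0.0.15 GET http://SCRIPT.MINE.NU:80/MSN.EXE?x=1 200
2004-03-01T10:05:00 10.0.0.22 GET http://example.com/msn.exe 200
2004-03-01T10:06:00 10.0.0.31 GET http://script.mine.nu/ 403
malformed line
"""

def find_sins_downloads(log_text):
    """Map each client IP to the sorted names it requested from the download
    server; requests for anything else on that server are kept as '(other)'."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed layout
        _, client, _, url, _ = fields
        parts = urlsplit(url)
        # .hostname is lower-cased and has any :port removed
        if (parts.hostname or "").lower() not in DOWNLOAD_HOSTS:
            continue  # same file name on another host is not an indicator
        name = posixpath.basename(parts.path).lower()
        hits.setdefault(client, set()).add(name if name in PAYLOADS else "(other)")
    return {client: sorted(names) for client, names in hits.items()}

def likely_infected(hits):
    """Clients that requested all three files, i.e. the full download chain."""
    return sorted(c for c, names in hits.items() if PAYLOADS <= set(names))

if __name__ == "__main__":
    found = find_sins_downloads(SAMPLE_LOG)
    print(found)
    print("requested all three files:", likely_infected(found))
```

Clients that contacted the server without requesting all three files (10.0.0.31 in the sample) still warrant a scan, since a blocked or partial download means sins.exe was probably run there.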