W32/Swen.A@mm
Analysis
- The virus is 32-bit with a file size of 106,496 bytes
- This virus contains code to send itself by email, IRC and Kazaa
- If the virus is run, it writes itself under a random file name into the %Windows% folder and then modifies the registry so that it loads at Windows startup and also whenever certain file types are run. Below is an example of the changes made by the virus:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"oxgqywwt" = aeymdaoa.exe autorun

HKEY_CLASSES_ROOT\batfile\shell\open\command\
"(Default)" = aeymdaoa.exe "%1" %*

HKEY_CLASSES_ROOT\comfile\shell\open\command\
"(Default)" = aeymdaoa.exe "%1" %*

HKEY_CLASSES_ROOT\exefile\shell\open\command\
"(Default)" = aeymdaoa.exe "%1" %*

HKEY_CLASSES_ROOT\piffile\shell\open\command\
"(Default)" = aeymdaoa.exe "%1" %*
Original data values were ["%1" %*]

HKEY_CLASSES_ROOT\regfile\shell\open\command\
"(Default)" = aeymdaoa.exe showerror
Original data value was [regedit.exe "%1"]

HKEY_CLASSES_ROOT\scrfile\shell\config\command\
"(Default)" = aeymdaoa.exe "%1"
Original data value was ["%1"]

HKEY_CLASSES_ROOT\scrfile\shell\open\command\
"(Default)" = aeymdaoa.exe "%1" /S
Original data value was ["%1" /S]
- The virus may write itself to the folders
"C:\Winnt\Profiles\All Users\Documents and Settings\Start menu\Programs\Startup"
"C:\Winnt\Profiles\Default User\Documents and Settings\Start menu\Programs\Startup"
- The virus may either write itself as an .EXE file or package itself into an archive file, using any of the following file names:
10.000 Serials
AOL hacker
Bugbear
cleaner
Cooking with Cannabis
Download Accelerator
Emulator PS2
fixtool
GetRight FTP
Gibe
hack
hacked
Hallucinogenic Screensaver
HardPorn
Hotmail hacker
installer
Jenna Jameson
key generator
Klez
Magic Mushrooms Growing
My naked sister
removal tool
remover
Sex
Sick Joke
Sircam
Sobig
upload
Virus Generator
warez
Windows Media Player
XboX Emulator
XP update
XXX Pictures
XXX Video
Yaha
Yahoo hacker
- The virus contains instructions that may include posting to newsgroups. It may track newsgroup posting data in a file named "nntpgroups.dat", and it writes newsgroup servers as text into another file named "swen0.dat" or "swen1.dat". Whether the virus actually does this depends on whether Outlook Express has a default newsgroup account defined.
- The virus then harvests email addresses from the infected machine and writes them in plain text into a file named "germs0.dbv" or "germs1.dbv". It searches files with the following extensions:
.asp
.dbx
.eml
.ht*
.mbx
.wab
- The virus then constructs an email, carrying an infectious attachment, from variables in the following format:

Subject: %Critical/Latest/New/Last/Newest/Current% %Upgrade/Pack/Update/Patch%

Body:
MS %Client/Consumer/Partner/User/Customer%

this is the latest version of security update, the "%Month% %YYYY% Cumulative Patch" update which %eliminates/resolves/fixes% all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express. Install now to help %maintain the security of your computer/protect your computer/continue keeping your computer secure% from these vulnerabilities%, the most serious of which could allow an% %malicious user/attacker% to run executable code on your %computer/system%. This update includes the functionality of all previously released patches.

System requirements: Windows 95/98/Me/2000/NT/XP

This update applies to:
- MS Internet Explorer, version 4.01 and later
- MS Outlook, version 8.00 and later
- MS Outlook Express, version 4.01 and later

Recommendation: Customers should install the patch at the earliest opportunity.

How to install: Run attached file. Choose Yes on displayed dialog box.

How to use: You don't need to do anything after installing this item.

Microsoft Product Support Services and Knowledge Base articles can be found on the Microsoft Technical Support web site.
http://support.microsoft.com/

For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site
http://www.microsoft.com/security/

Thank you for using Microsoft products.

Please do not reply to this message.
It was sent from an unmonitored e-mail address and we are unable to respond to any replies.

----------------------------------------------
The names of the actual companies and products mentioned herein are the trademarks of their respective owners.

Attachment: (infectious binary)
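The lure above has fixed, recognisable components: a two-word subject drawn from the listed variables, stock phrases in the body, and an executable attachment. The following mail-filter check is an added example written for this page, not code from the original write-up or from Fortinet; it builds two constructed sample messages with Python's standard `email` package (the sender address, body wording and attachment name are made up) and scores them against those components.

```python
import re
from email.message import EmailMessage

# Subject template from the write-up:
# %Critical/Latest/New/Last/Newest/Current% %Upgrade/Pack/Update/Patch%
SUBJECT_RE = re.compile(
    r'^\s*(critical|latest|new|last|newest|current)\s+(upgrade|pack|update|patch)\s*$',
    re.I)

# Fixed phrases from the body template; a genuine vendor notice never asks the
# reader to run an attached file.
BODY_MARKERS = (
    'cumulative patch',
    'run attached file',
    'this update includes the functionality of all previously released patches',
)

# Attachment types the worm ships itself as (plain executable or archive).
EXECUTABLE_SUFFIXES = ('.exe', '.com', '.bat', '.pif', '.scr', '.zip')

# Constructed sample body mirroring the template (not a real capture). Lines are
# kept short so the message round-trips through the email package unchanged.
LURE_BODY = """MS Customer

this is the latest version of security update, the
"September 2003 Cumulative Patch" update which eliminates all known
security vulnerabilities affecting MS Internet Explorer, MS Outlook and
MS Outlook Express. Install now to help protect your computer.
This update includes the functionality of all previously released patches.

How to install: Run attached file. Choose Yes on displayed dialog box.
"""


def build_message(subject, body, attachment_name=None):
    """Build a sample message (constructed test data, not a captured email)."""
    msg = EmailMessage()
    msg['From'] = 'MS Security Center <noreply@example.invalid>'  # constructed
    msg['To'] = 'user@example.invalid'
    msg['Subject'] = subject
    msg.set_content(body)
    if attachment_name:
        # Dummy bytes stand in for the binary; only the file name matters here.
        msg.add_attachment(b'MZ\x00\x00', maintype='application',
                           subtype='octet-stream', filename=attachment_name)
    return msg


def lure_indicators(msg):
    """Return the list of Swen-style lure indicators found in a message."""
    indicators = []
    subject = str(msg['Subject'] or '')
    if SUBJECT_RE.match(subject):
        indicators.append('subject: ' + subject.strip())
    body_part = msg.get_body(preferencelist=('plain',))
    text = body_part.get_content().lower() if body_part is not None else ''
    for marker in BODY_MARKERS:
        if marker in text:
            indicators.append('body phrase: ' + marker)
    for part in msg.iter_attachments():
        name = (part.get_filename() or '').lower()
        if name.endswith(EXECUTABLE_SUFFIXES):
            indicators.append('executable attachment: ' + name)
    return indicators


def is_patch_lure(msg):
    """Flag only when an executable attachment is combined with the lure text.

    The subject pattern alone is too weak (a real "Latest Update" mail exists),
    so the verdict requires the attachment plus at least two further indicators.
    """
    found = lure_indicators(msg)
    has_attachment = any(i.startswith('executable attachment') for i in found)
    return has_attachment and len(found) >= 3


if __name__ == '__main__':
    lure = build_message('Newest Patch', LURE_BODY, 'patch.exe')
    print(is_patch_lure(lure), lure_indicators(lure))
    benign = build_message('Lunch on Friday', 'See you at noon.')
    print(is_patch_lure(benign), lure_indicators(benign))
```

Run on a real mailbox, `build_message` is replaced by `email.message_from_bytes(raw, policy=email.policy.default)`; the scoring functions are unchanged. The threshold in `is_patch_lure` is deliberately conservative so that a vendor notice without an attachment never trips it.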
- The virus attempts to disable and terminate processes whose names match the following:
_avp
ackwin32
anti-trojan
aplica32
apvxdwin
autodown
avconsol
ave32
avgcc32
avgctrl
avgw
avkserv
avnt
avp
avsched32
avwin95
avwupd32
blackd
blackice
bootwarn
ccapp
ccshtdwn
cfiadmin
cfiaudit
cfind
cfinet
claw95
dv95
ecengine
efinet32
esafe
espwatch
f-agnt95
findviru
f-prot
fprot
f-prot95
fprot95
fp-win
frw
f-stopw
gibe
iamapp
iamserv
ibmasn
ibmavsp
icload95
icloadnt
icmon
icmoon
icssuppnt
icsupp
iface
iomon98
jedi
kpfw32
lockdown2000
lookout
luall
moolive
mpftray
msconfig
nai_vs_stat
navapw32
navlu32
navnt
navsched
navw
nisum
nmain
normist
nupdate
nupgrade
nvc95
outpost
padmin
pavcl
pavsched
pavw
pcciomon
pccmain
pccwin98
pcfwallicon
persfw
pop3trap
pview
rav
regedit
rescue
safeweb
serv95
sphinx
sweep
tca
tds2
vcleaner
vcontrol
vet32
vet95
vet98
vettray
vscan
vsecomr
vshwin32
vsstat
webtrap
wfindv32
zapro
zonealarm
- The virus attempts to enable file sharing for the peer-to-peer file sharing application Kazaa via the registry. It then creates a folder with a random name within the %Windows%\Temp folder and sets the Kazaa shared folder to that newly created directory, as in the following example:
HKEY_CURRENT_USER\Software\Kazaa\LocalContent\
"Dir99" = 012345:C:\WINDOWS\TEMP\uvghltv
"DisableSharing" = 00, 00, 00, 00
- The virus writes infectious files into the %Windows%\Temp\%random% folder so that others may download them and become infected.
- The virus may write infectious files into the %Windows% folder and may then modify the mIRC SCRIPT.INI file so that mIRC sends the virus when connecting to IRC channels, as in the following example:
dcc send $nick "C:\WINDOWS\XboX Emulator.zip"
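A quick way to check an mIRC installation for this kind of tampering is to scan its SCRIPT.INI for DCC sends aimed at whoever joins a channel. The scanner below is an added example written for this page, not code from the original write-up; the script.ini fragment it parses is constructed (the on-JOIN wrapper around the send line is an assumption, since the write-up shows only the `dcc send` line itself).

```python
import re

# Constructed script.ini fragment (sample data, not a real capture). Worm-planted
# handlers typically wrap the send in an on-JOIN event so it fires for every
# user entering the channel; the path is the one shown in the write-up.
SAMPLE_SCRIPT_INI = r'''[script]
n0=on 1:JOIN:#:{
n1=  /if ( $nick == $me ) { halt }
n2=  /dcc send $nick "C:\WINDOWS\XboX Emulator.zip"
n3=}
'''

# A DCC send whose recipient is the joining user ($nick) is unsolicited by
# definition; an optional quoted or bare path follows the nick.
DCC_SEND_RE = re.compile(r'dcc\s+send\s+\$nick\s+"?([^"\r\n]+?)"?\s*$', re.I)


def find_unsolicited_dcc_sends(script_ini_text):
    """Return (line_number, path, in_windows_folder) for each DCC send to $nick.

    in_windows_folder is True when the payload sits directly under C:\WINDOWS,
    which matches where the write-up says the worm drops its copies.
    """
    hits = []
    for lineno, raw in enumerate(script_ini_text.splitlines(), start=1):
        # script.ini stores each script line as "nN=<code>"; strip the prefix.
        code = raw.split('=', 1)[1] if '=' in raw else raw
        m = DCC_SEND_RE.search(code)
        if m:
            path = m.group(1).strip()
            in_windows = path.lower().startswith('c:\\windows\\')
            hits.append((lineno, path, in_windows))
    return hits


if __name__ == '__main__':
    for hit in find_unsolicited_dcc_sends(SAMPLE_SCRIPT_INI):
        print(hit)
```

On a live system the text would be read from the `Mirc Install Folder` the worm records in the registry (C:\mirc in the write-up's example); any hit, regardless of path, warrants restoring script.ini from a known-good copy.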
- The virus writes values into registry keys it creates, as in the following example:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\LYVU
"CacheBox Outfit" = yes
"Install Item" = oxgqywwt
"Installed" = ... by Begbie
"Kazaa Infect" = yes
"Mirc Install Folder" = C:\mirc
"Unfile" = laivxxr.htp
"ZipName" = oliq
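The registry changes described above (the hijacked shell\open\command defaults and Run entry, the Kazaa shared-folder redirection, and the worm's own explorer\<random> marker key) can all be audited from a registry export. The audit below is an added example written for this page, not code from the original write-up or from Fortinet. It parses a constructed .reg-style text (the key layout and the value names are taken from the write-up; batfile and scrfile are left at their defaults so both outcomes appear) and reports each deviation from the original data values the write-up lists.

```python
import re

# Constructed .reg-style export (sample data, not a real capture).
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"oxgqywwt"="aeymdaoa.exe autorun"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="aeymdaoa.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="aeymdaoa.exe showerror"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir0"="012345:C:\\My Shared Folder"
"Dir99"="012345:C:\\WINDOWS\\TEMP\\uvghltv"
"DisableSharing"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\LYVU]
"Kazaa Infect"="yes"
"Install Item"="oxgqywwt"
'''

# Original default commands, as given in the write-up's "original data value" notes.
EXPECTED_COMMANDS = {
    'HKEY_CLASSES_ROOT\\batfile\\shell\\open\\command': '"%1" %*',
    'HKEY_CLASSES_ROOT\\comfile\\shell\\open\\command': '"%1" %*',
    'HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command': '"%1" %*',
    'HKEY_CLASSES_ROOT\\piffile\\shell\\open\\command': '"%1" %*',
    'HKEY_CLASSES_ROOT\\regfile\\shell\\open\\command': 'regedit.exe "%1"',
    'HKEY_CLASSES_ROOT\\scrfile\\shell\\config\\command': '"%1"',
    'HKEY_CLASSES_ROOT\\scrfile\\shell\\open\\command': '"%1" /S',
}

# Value names the write-up lists under the worm's explorer\<random> key.
MARKER_VALUE_NAMES = {'cachebox outfit', 'install item', 'kazaa infect',
                      'unfile', 'zipname'}

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Parse .reg-style text into {key (lower-cased): {value_name: data}}."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()       # registry keys are case-insensitive
            reg.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = '(Default)' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
        data = m.group(2).strip()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])       # REG_SZ; hex:/dword: kept verbatim
        reg[current][name] = data
    return reg


def _first_token(command):
    parts = command.split()
    return parts[0].lower() if parts else ''


def _is_all_zero_bytes(data):
    return data.lower().startswith('hex:') and \
        all(b.strip() == '00' for b in data[4:].split(','))


def audit_registry(reg):
    """Return (kind, where, detail) findings for the changes the write-up describes."""
    findings, hijackers = [], set()
    for key, expected in EXPECTED_COMMANDS.items():
        values = reg.get(key.lower())
        if values is None:
            continue                            # key not in the export: nothing to compare
        actual = values.get('(Default)', '')
        if actual.lower() != expected.lower():
            findings.append(('association_hijack', key, actual))
            hijackers.add(_first_token(actual))
    for key, values in reg.items():
        if key.endswith('\\currentversion\\run'):
            for name, data in values.items():
                if _first_token(data) in hijackers:
                    findings.append(('run_entry', name, data))
        elif key.endswith('\\software\\kazaa\\localcontent'):
            for name, data in values.items():
                if name.lower().startswith('dir') and '\\temp\\' in data.lower():
                    findings.append(('kazaa_share_in_temp', name, data))
                if name.lower() == 'disablesharing' and _is_all_zero_bytes(data):
                    findings.append(('kazaa_sharing_forced_on', name, data))
        elif '\\currentversion\\explorer\\' in key:
            if {n.lower() for n in values} & MARKER_VALUE_NAMES:
                findings.append(('marker_key', key, sorted(values)))
    return findings


if __name__ == '__main__':
    for finding in audit_registry(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

A real `reg export` file is UTF-16 with a "Windows Registry Editor Version 5.00" header; decode it to text first and the parser skips the header as a non-value line. The association check is the one worth running on any host: because the hijacked commands still pass `"%1" %*` through, programs keep launching normally and nothing visible alerts the user.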
Recommended Action
Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Detection Availability

Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |