W32/Sober.A@mm
Analysis
- Virus is a 32-bit Windows executable; the file is compressed and its size varies, always exceeding 63,488 bytes, because random encrypted data may be appended beyond offset 0xF7FF (i.e. after the first 63,488 bytes)
- Virus was coded using Visual Basic 6
- The appended random data makes the file polymorphic as far as static size and trailing content go: file size and full-file hash differ from copy to copy, so a size- or hash-based indicator will not match every sample
- The virus is introduced to the system as an email
attachment
- If virus is run, it will display a fake error message
with this text -
Error
(!) File not complete!
[OK]
- The virus writes a copy of itself into the %Windows%\System32 folder under one of several possible file names, then modifies the registry so that the copy runs at Windows startup, as in this example -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
system = C:\WINNT\System32\systemchk.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
system = C:\WINNT\System32\systemchk.exe
- The virus then scavenges the hard drive for email addresses, looking inside files with the following extensions -
.htt, .rtf, .doc, .xls, .ini, .mdb, .txt, .htm, .html, .wab, .pst, .fdb, .cfg, .ldb, .eml, .abc, .ldif, .nab, .adp, .mdw, .mda, .mde, .ade, .sln, .dsw, .dsp, .vap, .php, .asp, .shtml, .shtm, .dbx, .hlp, .mht, .nfo
- The virus creates the path %Windows%\System32\Macromed\Help and writes a file "media.dll" to that folder; media.dll holds all of the email addresses found on the system
- The virus then uses its own SMTP code to send randomly formatted email messages to the recipients listed in media.dll; the subject lines and body text vary, and the attachment file name is also chosen at random from a list
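The following Python script is an added example and is not part of Fortinet's analysis or tooling. It turns the host indicators above into three triage checks: a Run value named "system" that points at an executable directly inside System32 (the dropped file name varies, so only the shape of the path is matched), the media.dll address store under Macromed\Help, and a hash over the first 0xF800 bytes so that copies differing only in the random data appended beyond offset 0xF7FF still share one indicator. The `reg query` output, the file list and the two sample "copies" are constructed for the demonstration, and the assumption that the first 0xF800 bytes are identical between copies is made here, not stated by the page.

```python
# Added example (not Fortinet's code): host triage for the W32/Sober.A@mm
# indicators listed in the analysis above. Every input below is constructed
# for the demonstration, not captured from an infected host.
import hashlib
import re

# Bytes 0x0000-0xF7FF (63,488 bytes) are treated as the fixed part of the
# sample; the analysis says anything beyond that offset is random data.
FIXED_PREFIX_LEN = 0xF800

# One value line of `reg query <key>` output: "<name>  REG_SZ  <data>".
_REG_VALUE = re.compile(r"^\s*(?P<name>\S+)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$")
# The persistence entry: an .exe sitting directly in <drive>:\<windir>\System32.
_SYSTEM32_EXE = re.compile(r"(?i)[a-z]:\\[^\\]+\\system32\\[^\\]+\.exe")
# The harvested-address store the worm writes.
_MEDIA_DLL = re.compile(r"(?i)\\system32\\macromed\\help\\media\.dll$")


def suspicious_run_values(reg_query_output):
    """Return (key, value name, data) for every Run value that looks like the
    Sober.A persistence entry. Only the value name and the path shape are
    checked, because the dropped file name is one of several."""
    hits = []
    current_key = None
    for line in reg_query_output.splitlines():
        stripped = line.strip()
        if stripped.upper().startswith("HKEY_"):
            current_key = stripped
            continue
        m = _REG_VALUE.match(line)
        if m is None or current_key is None:
            continue
        if not current_key.lower().endswith(r"\currentversion\run"):
            continue
        name, data = m.group("name"), m.group("data").strip('"')
        if name.lower() == "system" and _SYSTEM32_EXE.fullmatch(data):
            hits.append((current_key, name, data))
    return hits


def dropped_address_store(paths):
    """Return the paths that match the worm's media.dll drop location."""
    return [p for p in paths if _MEDIA_DLL.search(p)]


def stable_hash(sample):
    """Hash only the fixed 0xF800-byte prefix and report how many bytes follow it.
    Assumption: the prefix is identical between copies, so this hash is a usable
    indicator where the full-file hash is not (the appended data differs)."""
    prefix = sample[:FIXED_PREFIX_LEN]
    overlay = max(0, len(sample) - FIXED_PREFIX_LEN)
    return hashlib.sha256(prefix).hexdigest(), overlay


# Constructed stand-in for `reg query` output of the two Run keys.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\WINNT\System32\ctfmon.exe
    system    REG_SZ    C:\WINNT\System32\systemchk.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    system    REG_SZ    C:\WINNT\System32\systemchk.exe
"""

# Constructed file list; the Macromed\Flash entry is a legitimate neighbour.
SAMPLE_PATHS = [
    r"C:\WINNT\System32\systemchk.exe",
    r"C:\WINNT\System32\Macromed\Flash\Flash.ocx",
    r"C:\WINNT\System32\Macromed\Help\media.dll",
]

# Two constructed "copies": same fixed prefix, one with 1,000 appended bytes.
_BODY = bytes(range(256)) * 248  # exactly 0xF800 bytes
SAMPLE_COPY_A = _BODY
SAMPLE_COPY_B = _BODY + b"\xAA" * 1000

if __name__ == "__main__":
    for hit in suspicious_run_values(SAMPLE_REG):
        print("persistence:", hit)
    for path in dropped_address_store(SAMPLE_PATHS):
        print("address store:", path)
    print("prefix hashes match:",
          stable_hash(SAMPLE_COPY_A)[0] == stable_hash(SAMPLE_COPY_B)[0])
```

On a live host the same functions take the output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKCU key) and a directory walk of System32; a Run value named "system" that points into System32 is worth a look even when the executable is not named systemchk.exe.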
Recommended Action
- Check the main screen using the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option
- Alternatively, this virus can be blocked by FortiGate units by enabling blocking of file attachments with .ZIP, .COM, .EXE, .BAT, .PIF or .SCR extensions; using the FortiGate manager, enable blocking of these extensions for the SMTP, IMAP and POP3 services. Extension blocking matches on the attachment file name rather than on an AV signature, so the varying file size does not affect it, but blocking .ZIP also stops legitimate archives
Telemetry
Detection Availability

| Product | Availability |
|---|---|
| FortiGate | Extreme |
| FortiClient | Extended |
| FortiMail | Extended |
| FortiSandbox | Extended |
| FortiWeb | Extended |
| Web Application Firewall | Extended |
| FortiIsolator | Extended |
| FortiDeceptor | Extended |
| FortiEDR | |