W32/Sober.B@mm
Analysis
- The virus is a 32-bit executable compressed to variable sizes in excess of 54,784 bytes; the virus may contain random encrypted data beyond offset 0xD5FF (54,784 bytes)
- The virus was coded in Visual Basic 6
- The virus may contain appended random data, which makes it polymorphic with regard to static file size and code
- The virus is introduced to the system as an email attachment
- If the virus is run, it displays a fake error message with this text -
Error
(X) Header is missing
[OK]
- The virus writes a copy of itself into the <Windows>\System32 folder (where <Windows> is the Windows installation folder, e.g. C:\WINNT) under one of several possible file names, and then modifies the registry so that the copy is loaded at Windows startup, as in this example -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
phdisk = C:\WINNT\System32\strbpdncon.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
phdisk = C:\WINNT\System32\strbpdncon.exe
- The virus then scavenges the hard drive for email addresses, looking inside files with the following extensions -
.htt, .rtf, .doc, .xls, .ini, .mdb, .txt, .htm, .html, .wab, .pst, .fdb, .cfg, .ldb, .eml, .abc, .ldif, .nab, .adp, .mdw, .mda, .mde, .ade, .sln, .dsw, .dsp, .vap, .php, .asp, .shtml, .shtm, .dbx, .hlp, .mht, .nfo
- The virus creates the path <Windows>\System32\Help and writes a file "mscolmon.ocx" to that folder; mscolmon.ocx contains all of the email addresses found on the system
- The virus then uses its own SMTP code to send randomly formatted email messages to the recipients listed in mscolmon.ocx; the subject lines and body text are varied, and the attachment file name is also chosen at random from a list
- The virus infects files that may exist in the shared folder for Kazaa by overwriting the first 54,784 bytes of each file with a copy of its code
- Infected files contain the string "54784" in the initial file header
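The following Python triage script is an added example (not Fortinet's code and not part of the original analysis) that turns the indicators above into checks a responder can run offline: it scans a shared folder for files that are at least 54,784 bytes and carry the "54784" marker in the overwritten region, and it pulls "phdisk" values from a .reg export of the Run keys. The marker's exact offset is not given in the analysis, so the whole first 54,784 bytes are searched; the shared-folder contents and the .reg text are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the analysis above.
OVERWRITE_LEN = 54_784            # bytes Sober.B writes over the start of a shared file
HEADER_MARKER = b"54784"          # string reported in the infected file header
RUN_VALUE_NAME = "phdisk"         # Run value name from the registry example
_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

def file_looks_overwritten(path: Path) -> bool:
    """Flag a file of at least OVERWRITE_LEN bytes whose first OVERWRITE_LEN bytes contain
    the marker. ASSUMPTION: exact marker offset unknown, so the whole region is searched."""
    if not path.is_file() or path.stat().st_size < OVERWRITE_LEN:
        return False
    with path.open("rb") as fh:
        return HEADER_MARKER in fh.read(OVERWRITE_LEN)

def scan_shared_folder(folder: Path) -> list[str]:
    """Names of files in a (Kazaa-style) shared folder matching the infection pattern."""
    return sorted(p.name for p in folder.iterdir() if file_looks_overwritten(p))

def phdisk_run_entries(reg_export: str) -> list[tuple[str, str]]:
    """(key, data) for values named 'phdisk' under a ...\\CurrentVersion\\Run key in a
    .reg export; .reg files double the backslashes in data, so they are unescaped."""
    hits, key = [], ""
    for line in reg_export.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif (m := _REG_VALUE.match(line)) and key.lower().endswith(r"\currentversion\run") \
                and m.group(1).lower() == RUN_VALUE_NAME:
            hits.append((key, m.group(2).replace("\\\\", "\\")))
    return hits

def build_sample_share() -> Path:
    """Constructed sample data: one matching file, one clean file, one too short to match."""
    share = Path(tempfile.mkdtemp(prefix="share_"))
    (share / "movie.avi").write_bytes(b"MZ" + HEADER_MARKER + b"\0" * OVERWRITE_LEN)
    (share / "song.mp3").write_bytes(b"ID3" + b"\0" * OVERWRITE_LEN)
    (share / "note.txt").write_bytes(b"54784 bytes")   # below the overwrite length
    return share

# Constructed .reg export mirroring the registry example above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"phdisk"="C:\\WINNT\\System32\\strbpdncon.exe"
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
'''
```

Running `scan_shared_folder(build_sample_share())` flags only movie.avi, and `phdisk_run_entries(SAMPLE_REG)` returns the HKLM Run entry pointing at strbpdncon.exe; a match is a lead for the full AV scan recommended below, not a verdict on its own.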
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option
- Alternatively, this virus can be blocked by FortiGate units by enabling blocking of file attachments with .ZIP, .COM, .EXE, .BAT, .PIF or .SCR extensions; using the FortiGate manager, enable blocking of these extensions for the SMTP, IMAP and POP3 services
Detection Availability

Product | Detection
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |