W32/Sobig.F@mm
Analysis
- Virus is 32-bit, with a TELock compressed size of 72,191 bytes - infected files may carry extra data which is appended during infection of a new host
- If the virus is run, it may communicate with one of 19 NTP servers in order to determine the current time -
- If the current time is 19:00 UTC (12:00 PST), the virus may then attempt to communicate with one of 20 IP addresses by sending an encrypted 8-byte code over UDP port 8998, in an effort to receive a URL from which the virus can retrieve further, possibly malicious, code -
- Most, if not all, of these IP addresses are not reachable
- After this, the virus may copy itself to the Windows folder, then modify the registry so that it runs at Windows startup, as in this example -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Trayx = %Windows%\winppr32.exe /sinc
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Trayx = %Windows%\winppr32.exe /sinc
- The virus scavenges the local drive for email addresses and sends a copy of itself to the addresses found, in varying email formats, using a randomly selected subject line and body text
Possible Subject Lines:
Re: Thank you!
Thank you!
Your details
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
Possible Single-line Body Texts:
See the attached file for details
Please see the attached file for details.
Possible Attachments:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
- The virus may attempt to use Internet email servers in order to send emails to others
- The virus may use imports from MPR.DLL in order to enumerate systems on the network and attempt to spread to and infect these potential hosts - the virus relies on weak passwords in order to gain access and infect
- If the virus succeeds in gaining access, it will attempt to write itself to the Startup folder within the %Windows% path, so that the virus launches the next time the target system is restarted or the user logs out and back in
Recommended Action
- Use the FortiGate unit to block these IP addresses using the URL Block feature -
- Block port 8998 using the FortiGate unit service blocking feature
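As an added example (not part of the Fortinet advisory), the two host and network indicators described above can be checked mechanically: the `Trayx` autorun value pointing at `winppr32.exe /sinc` under either Run key, and outbound UDP traffic to port 8998, with a flag for flows that fall in the 19:00 UTC hour the advisory names. The `.reg` export text and the firewall log format are constructed for this example and use TEST-NET addresses, not the advisory's indicators.

```python
import re
from datetime import datetime

BEACON_PORT = 8998        # UDP port the virus uses to ask for a download URL (from the advisory)
BEACON_HOUR_UTC = 19      # the advisory puts that request at 19:00 UTC
RUN_VALUE_NAME = "Trayx"  # autorun value name from the advisory
RUN_IMAGE = "winppr32.exe /sinc"
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\]$", re.I)
LOG_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)$")  # constructed log format

def scan_run_keys(reg_export):
    """Return (key, command) pairs in a .reg export that carry the Sobig.F autorun entry."""
    hits, key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1] if RUN_KEY_RE.search(line) else None  # only HKCU/HKLM ...\Run keys
        elif key and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip().strip('"').replace("\\\\", "\\")    # .reg files escape backslashes
            if name.strip().strip('"') == RUN_VALUE_NAME and data.lower().endswith(RUN_IMAGE):
                hits.append((key, data))
    return hits

def scan_firewall_log(lines):
    """Flag outbound UDP flows to port 8998; in_window marks those inside the 19:00 UTC hour."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m[4].lower() != "udp" or int(m[5]) != BEACON_PORT:
            continue
        hour = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ").hour   # timestamps are UTC
        alerts.append({"src": m[2], "dst": m[3], "in_window": hour == BEACON_HOUR_UTC})
    return alerts

# Constructed sample inputs (TEST-NET addresses, not real indicators).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Trayx"="C:\\WINDOWS\\winppr32.exe /sinc"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Trayx"="C:\\WINDOWS\\winppr32.exe /sinc"
'''
SAMPLE_LOG = [
    "2003-08-22T19:02:11Z src=10.0.0.5 dst=192.0.2.10 proto=udp dport=8998",
    "2003-08-22T19:02:11Z src=10.0.0.5 dst=192.0.2.11 proto=udp dport=123",
    "2003-08-22T08:15:40Z src=10.0.0.9 dst=192.0.2.12 proto=udp dport=8998",
    "2003-08-22T19:05:00Z src=10.0.0.5 dst=192.0.2.13 proto=tcp dport=8998",
]
```

Running `scan_run_keys(SAMPLE_REG)` and `scan_firewall_log(SAMPLE_LOG)` on the constructed samples returns two Run-key hits and two port-8998 alerts, only the first of which falls in the 19:00 UTC window.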