W32/Sobig.E@mm
Analysis
- Virus is 32bit, with a compressed size of 85,628 bytes
- When the virus is run, it creates a Mutex named “Nuiro.X” and copies itself to the Windows folder, then modifies the registry to run at Windows startup, as in this example:

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
  SSK Service = C:\Windows\WINSSK32.exe

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
  SSK Service = C:\Windows\WINSSK32.exe

- The virus may create a small file named MSRRF.DAT in the Windows folder; this file contains encrypted data
- The virus will scavenge the local drive for email addresses and send a copy of itself to the addresses found, in varying email formats based on a randomly selected subject line and body text; the virus uses its own SMTP engine to send the emails
- The attachment will have a .PIF or .SCR extension and a size of 85,628 bytes; in some cases the virus may use an installed copy of WinZip to package itself inside a .ZIP file and send that as the attachment
- The virus enumerates network resources via the multiple protocol router dynamic link library (MPR.DLL) in an attempt to connect to systems on the network, and copies itself to the StartUp folder if a writable share is located
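The host indicators listed above (the "SSK Service" Run value pointing at WINSSK32.exe under HKCU and HKLM, the MSRRF.DAT data file, and the 85,628-byte .PIF/.SCR attachment) can be checked offline from a registry export and a file listing. The following triage helper is an added example, not Fortinet's code; the .reg text and file list it parses are constructed here from the indicators on this page, and the `parse_reg_export` / `find_run_persistence` / `suspicious_attachment` names are the example's own.

```python
"""Offline triage for the W32/Sobig.E@mm indicators in the analysis above.

Added example (not vendor code). Works on a `reg export` text file and a
list of file paths so it can run on a non-Windows analysis box.
"""
import ntpath
import re

# Indicators taken from the analysis; sample inputs below are constructed.
RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
}
RUN_VALUE_NAME = "ssk service"       # registry value name the worm writes
DROPPED_EXE = "winssk32.exe"         # copy of the worm in the Windows folder
DATA_FILE = "msrrf.dat"              # encrypted data file it may drop
ATTACHMENT_SIZE = 85628              # size in bytes of the mailed copy
ATTACHMENT_EXTS = (".pif", ".scr")   # extensions used for the attachment


def parse_reg_export(text):
    """Parse a .reg export into {key: {value name: data}}.

    Only quoted REG_SZ values are unescaped; other value types are kept raw.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes inside strings
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            result[current][name] = data
    return result


def find_run_persistence(reg):
    """Return (key, value name, data) for Run entries matching the worm's.

    Matches on the value name OR on the executable name, so a renamed value
    still pointing at WINSSK32.exe is caught. The command is split on the
    first space, which is enough for the unquoted paths the worm writes.
    """
    wanted = {k.lower() for k in RUN_KEYS}
    hits = []
    for key, values in reg.items():
        if key.lower() not in wanted:
            continue
        for name, data in values.items():
            exe = ntpath.basename(data.split()[0]).lower() if data.split() else ""
            if name.lower() == RUN_VALUE_NAME or exe == DROPPED_EXE:
                hits.append((key, name, data))
    return hits


def find_dropped_files(paths):
    """Return the paths whose file name matches a file the worm writes."""
    names = {DROPPED_EXE, DATA_FILE}
    return [p for p in paths if ntpath.basename(p).lower() in names]


def suspicious_attachment(filename, size):
    """True for a .PIF/.SCR attachment of exactly the worm's size.

    A .ZIP built with WinZip cannot be judged by size alone, so it is not
    flagged here; unpack it and apply the same test to its contents.
    """
    ext = ntpath.splitext(filename)[1].lower()
    return ext in ATTACHMENT_EXTS and size == ATTACHMENT_SIZE


# Constructed sample inputs: one infected Run value per hive plus a benign one.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SSK Service"="C:\\Windows\\WINSSK32.exe"
"VendorUpdater"="C:\\Vendor\\updater.exe /background"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SSK Service"="C:\\Windows\\WINSSK32.exe"
'''

SAMPLE_FILES = [
    r"C:\Windows\WINSSK32.exe",
    r"C:\Windows\MSRRF.DAT",
    r"C:\Windows\notepad.exe",
]


def triage(reg_text=SAMPLE_REG, files=SAMPLE_FILES):
    """Run both host checks and return the findings as a dict."""
    reg = parse_reg_export(reg_text)
    return {
        "run_entries": find_run_persistence(reg),
        "dropped_files": find_dropped_files(files),
    }


if __name__ == "__main__":
    for category, findings in triage().items():
        print(category, findings)
```

On a live host, feed `triage()` the output of `reg export` for the two Run keys and a listing of `%WINDIR%`; the mutex name “Nuiro.X” is not checked here because it requires a Windows API call on the running system.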