W32/Sobig.E@mm

description-logoAnalysis

  • Virus is 32bit, with a compressed size of 85,628 bytes
  • When virus is run, it creates a Mutex named “Nuiro.X” and copies itself to the Windows folder, then modify the registry to run at Windows startup, as in this example –

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    SSK Service = C:\Windows\WINSSK32.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    SSK Service = C:\Windows\WINSSK32.exe

  • Virus may create a small file named MSRRF.DAT into the Windows folder – this file contains encrypted data

  • Virus will scavenge the local drive for email addresses and send a copy of itself to addresses found in varying email formats, based on a randomly selected subject line and body text – the virus uses its own SMTP engine in order to send emails

  • The attachment will have a .PIF or .SCR extension and a size of 85,628
    bytes or in some cases, the virus may implement installed WinZip and package
    the virus inside a .ZIP file and send this as an attachment

  • The virus uses instructions to enumerate network resources via the multiple protocol router dynamic link library file (MPR.DLL) in an attempt to connect to systems on a network and copy itself to the StartUp folder if a writable share is located

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR