Virus

W32/Sexer.B@mm

Analysis

  • Virus is 32bit with a compressed size of 99,398 bytes
  • The virus is introduced to the system as an email attachment
  • If the virus is run, it may write itself to the local system as
    "c:\program files\common files\system\kavutil.exe"
  • The virus will locate the Windows Address book by looking in the registry for the path info, then it will attempt to send itself to all contacts found as an attachment to an email message
  • The email message will not be static - the subject and body text will be varied based on a randomization and a table of possible subjects and body text
  • The virus will use the MAPI application Outlook in order to send its messages to others
  • The virus will change the background desktop image to be text written in Russian or similar language using Arial Cyrillic font - the image may be written to the local system as "c:\program files\common files\system\kav.bmp"
  • The virus may modify the registry to load at Windows startup -

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\KAVutil\
    "KAVutil" = 01, 00, 00, 00

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "KAVutil" = undefinedpathundefined\kavutil.exe