Virus

W32/Sobig.C@mm

Analysis

  • The virus is a 32-bit Windows executable, UPX-compressed, with a file size between 58,000 and 60,000 bytes – the size varies because the virus may append random data to the end of the copies it writes
  • The virus may copy itself to the Windows folder, then add a value under both the per-user and the machine-wide Run keys so that it is launched at Windows startup, as in this example –

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    System MScvb = C:\Windows\MSCVB32.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    System MScvb = C:\Windows\MSCVB32.exe

  • The following zero-byte files may also be created in the Windows folder on the local hard drive –
    msddr.dat
    msddr.dll

  • The virus scans the local drive for email addresses and sends a copy of itself to every address found, in varying email formats with a randomly selected subject line and body text – it uses its own SMTP engine to send the messages, so it does not depend on the installed mail client

  • The attachment is between 58,000 and 60,000 bytes in size and carries a .PIF extension

  • The virus enumerates network resources through the Multiple Provider Router library (MPR.DLL) in an attempt to connect to other systems on the network, and copies itself to the StartUp folder of any writable share it locates
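The registry values, dropped files and StartUp-folder propagation listed above can be checked on a host with a short script. The following is an added example written for this description, not a Fortinet tool: the matching functions are pure so they can be exercised on constructed listings, and the collectors that read the real registry and file system only run on Windows. The StartUp-folder heuristic (any .exe or .pif in the documented size window) is an assumption, since the description does not give the name the copy takes on a share.

```python
"""Host-side check for the W32/Sobig.C@mm indicators given in the analysis above."""
import ntpath
import os
import sys
from typing import Dict, Iterable, List, Tuple

# Indicators taken from the analysis.
RUN_VALUE_NAME = "System MScvb"
DROPPED_EXE = "mscvb32.exe"
ZERO_BYTE_FILES = ("msddr.dat", "msddr.dll")
SIZE_RANGE = (58_000, 60_000)
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

RunEntry = Tuple[str, str, str]  # (hive, value name, value data)


def in_size_window(size: int) -> bool:
    low, high = SIZE_RANGE
    return low <= size <= high


def suspicious_run_entries(entries: Iterable[RunEntry]) -> List[RunEntry]:
    """Return Run-key values matching the persistence entry the virus writes.

    Matches on the value name or on the executable name in the value data,
    case-insensitively, so a copy under a different Windows folder or drive
    letter is still caught.  ntpath is used so the check also works when the
    entries were exported from a Windows box and examined elsewhere.
    """
    hits = []
    for hive, name, data in entries:
        exe = ntpath.basename(data.strip().strip('"')).lower()
        if name.lower() == RUN_VALUE_NAME.lower() or exe == DROPPED_EXE:
            hits.append((hive, name, data))
    return hits


def suspicious_files(listing: Dict[str, int]) -> Dict[str, str]:
    """Flag the dropped executable and zero-byte marker files.

    `listing` maps a file name in the Windows folder to its size in bytes.
    """
    findings = {}
    for name, size in listing.items():
        lname = name.lower()
        if lname == DROPPED_EXE:
            findings[name] = ("dropped copy" if in_size_window(size)
                              else f"dropped copy, size {size} outside documented range")
        elif lname in ZERO_BYTE_FILES and size == 0:
            findings[name] = "zero-byte marker file"
    return findings


def startup_candidates(listing: Dict[str, int]) -> List[str]:
    """Heuristic (an assumption, not from the description): executables in a
    StartUp folder whose size falls in the documented window."""
    return sorted(name for name, size in listing.items()
                  if os.path.splitext(name)[1].lower() in (".exe", ".pif")
                  and in_size_window(size))


def collect_run_entries() -> List[RunEntry]:
    """Read both Run keys.  Windows only: winreg is imported lazily."""
    import winreg
    results: List[RunEntry] = []
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER),
                            ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values
                    break
                results.append((hive_name, name, str(data)))
                index += 1
    return results


def collect_listing(folder: str) -> Dict[str, int]:
    """Map file name -> size for the regular files directly inside `folder`."""
    listing = {}
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            listing[name] = os.path.getsize(path)
    return listing


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("the collectors need a Windows host; the matchers can be used on exported data")
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    print("Run keys:", suspicious_run_entries(collect_run_entries()))
    print("Windows folder:", suspicious_files(collect_listing(windir)))
    # Assumed StartUp path; adjust for the profile layout of the target system.
    startup = os.path.join(os.environ.get("APPDATA", ""),
                           r"Microsoft\Windows\Start Menu\Programs\Startup")
    if os.path.isdir(startup):
        print("StartUp folder:", startup_candidates(collect_listing(startup)))
```

The same matchers can be pointed at the StartUp folder of a remote share (for example `\\host\c$\...`) when auditing the network propagation step, as long as the account running the script has read access.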

Recommended Action

  • Ensure that you are using the minimum FortiGate Definition version (listed at the top of this description).
  • If you run into a new undetected variant of this threat, please send a sample to Fortinet.
  • As an added measure of security, you may choose to block email attachments with the extensions ".PIF" and ".PI*" at the gateway.
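Because the subject line and body text are chosen at random, a gateway check for this virus has to key on the attachment. The following added example (written for this description, not Fortinet code) parses a message, measures each decoded attachment, and applies two rules from above: a .PIF attachment inside the 58,000 to 60,000 byte window is reported as Sobig-like, and any attachment whose extension matches .PIF or .PI* is blocked regardless of size. The sample messages are constructed in the script, not real captures; the addresses are placeholders.

```python
"""Gateway-side attachment check for the W32/Sobig.C@mm description above."""
import email
import fnmatch
import os
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

SIZE_RANGE = (58_000, 60_000)          # attachment size given in the analysis
BLOCKED_EXTENSIONS = (".pif", ".pi*")  # patterns from the recommended action


def extension_blocked(filename: str) -> bool:
    """True if the file's extension matches a blocked pattern.

    Only the final extension is tested, so 'notes.pi.txt' is allowed while
    'notes.PIF' and 'notes.pi' are blocked.
    """
    ext = os.path.splitext(filename)[1].lower()
    return any(fnmatch.fnmatchcase(ext, pat) for pat in BLOCKED_EXTENSIONS)


def sobig_like(filename: str, size: int) -> bool:
    """A .PIF attachment whose decoded size is inside the documented window."""
    low, high = SIZE_RANGE
    return filename.lower().endswith(".pif") and low <= size <= high


def inspect_message(raw: bytes) -> List[Tuple[str, int, str]]:
    """Return (filename, decoded size, verdict) for every attachment.

    Verdicts: 'sobig-like', 'blocked-extension' or 'allow'.  The size is taken
    from the decoded payload, not the base64 text, so it is comparable with the
    on-disk size quoted in the analysis.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        size = len(part.get_payload(decode=True) or b"")
        if sobig_like(name, size):
            verdict = "sobig-like"
        elif extension_blocked(name):
            verdict = "blocked-extension"
        else:
            verdict = "allow"
        findings.append((name, size, verdict))
    return findings


def build_sample(filename: str, size: int) -> bytes:
    """Constructed test message (not a real capture) with one attachment of
    `size` random bytes, standing in for the virus body plus padding."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # placeholder address
    msg["To"] = "recipient@example.invalid"  # placeholder address
    msg["Subject"] = "Test message"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(os.urandom(size), maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, size in (("document.pif", 59_123), ("readme.PI", 1_024),
                       ("report.txt", 2_048), ("big.pif", 70_000)):
        print(inspect_message(build_sample(name, size)))
```

The size window is deliberately kept separate from the extension block: a variant that pads itself differently falls outside the window but is still stopped by the extension rule, which is why the description recommends the block as an added measure rather than relying on size alone.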