Virus

W32/Sober.A@mm

Analysis

  • The virus is a 32-bit executable and is compressed; its file size varies and is in excess of 63,488 bytes, since the virus may contain random encrypted data beyond offset 0xF7FF (63,488 bytes)
  • The virus was coded in Visual Basic 6
  • The virus may contain appended random data, which makes it polymorphic with regard to static file size and code
  • The virus is introduced to the system as an email attachment
  • If virus is run, it will display a fake error message with this text -

    Error
    (!) File not complete!
    [OK]

  • The virus will write a copy of itself into the %Windows%\System32 folder under one of several possible file names, and then modify the registry so that it loads at Windows startup, as in this example -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run\
    system = C:\WINNT\System32\systemchk.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    system = C:\WINNT\System32\systemchk.exe

  • The virus will then scavenge the hard drive for email addresses - it looks inside files with the following extensions -

    .htt, .rtf, .doc, .xls, .ini, .mdb, .txt, .htm, .html, .wab, .pst, .fdb, .cfg, .ldb, .eml, .abc, .ldif, .nab, .adp, .mdw, .mda, .mde, .ade, .sln, .dsw, .dsp, .vap, .php, .asp, .shtml, .shtm, .dbx, .hlp, .mht, .nfo

  • The virus will create the path %Windows%\System32\Macromed\Help and then write a file named "media.dll" to that folder - media.dll will contain all of the email addresses found on the system

  • The virus will then use its own SMTP code to send randomly formatted email messages to the recipients listed in media.dll - the subject lines and body text are varied, and the attachment file name is also chosen at random from a list
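As an added defender-side example (not part of the Fortinet entry), the following Python illustrates two consequences of the analysis above: because random data is appended beyond 0xF7FF, a hash over only the first 63,488 bytes can match samples that a whole-file hash would miss, and the Run-key value and media.dll path can be checked for as host indicators. It assumes the bytes before that offset are stable across samples; the sample bytes and host state are constructed.

```python
import hashlib

# From the analysis above: random encrypted data may follow offset 0xF7FF,
# so the first 0xF800 (63,488) bytes are treated as the stable part (an assumption).
STABLE_PREFIX_LEN = 0xF800

# Host indicators from the analysis (lower-cased for comparison).
RUN_VALUE_NAME = "system"
DROPPED_EXE_SUFFIX = r"\system32\systemchk.exe"
ADDRESS_FILE_SUFFIX = r"\system32\macromed\help\media.dll"


def prefix_sha256(data: bytes, length: int = STABLE_PREFIX_LEN) -> str:
    """SHA-256 of only the leading bytes, so an appended random tail does not change it."""
    return hashlib.sha256(data[:length]).hexdigest()


def same_sample_ignoring_tail(a: bytes, b: bytes) -> bool:
    """True when both files are long enough and agree over the stable prefix."""
    if len(a) < STABLE_PREFIX_LEN or len(b) < STABLE_PREFIX_LEN:
        return False
    return prefix_sha256(a) == prefix_sha256(b)


def check_host_indicators(run_values: dict, file_paths: list) -> list:
    """Report Run-key values and files matching the persistence and harvest artifacts."""
    hits = []
    for name, target in run_values.items():
        if name.lower() == RUN_VALUE_NAME and target.lower().endswith(DROPPED_EXE_SUFFIX):
            hits.append(f"Run value {name} = {target}")
    for path in file_paths:
        if path.lower().endswith(ADDRESS_FILE_SUFFIX):
            hits.append(f"harvested-address file {path}")
    return hits


# Constructed stand-in samples: a shared 63,488-byte body plus tails of different length/content.
_BODY = bytes(range(256)) * (STABLE_PREFIX_LEN // 256)
SAMPLE_A = _BODY + b"\x11" * 100
SAMPLE_B = _BODY + b"\x22" * 5000

# Constructed host state for the indicator check.
RUN_VALUES = {"ctfmon": r"C:\WINNT\System32\ctfmon.exe",
              "system": r"C:\WINNT\System32\systemchk.exe"}
FILE_PATHS = [r"C:\WINNT\System32\Macromed\Help\media.dll"]

if __name__ == "__main__":
    print(same_sample_ignoring_tail(SAMPLE_A, SAMPLE_B))   # True: tails differ, prefix hash equal
    print(check_host_indicators(RUN_VALUES, FILE_PATHS))   # two indicators reported
```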

Recommended Action

  • Check the main screen of the FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Alternatively, FortiGate units can block this virus by blocking file attachments with .ZIP, .COM, .EXE, .BAT, .PIF or .SCR extensions; using the FortiGate manager, enable blocking of these extensions for the SMTP, IMAP or POP3 services