W32/Sinala@mm
Analysis
- Virus is 32-bit with a compressed file size of 22,528 bytes
- Virus has infection methods for popular peer-to-peer file sharing applications, email and floppy drives
- If the virus is run, it will copy itself to several places on the local system -
c:\WINNT\spoolyb.exe
c:\WINNT\svchost.exe
c:\WINNT\system32\mope.scr
-
The virus will then modify the registry to auto-run at the next Windows startup, both through the Run key and through a service named TORVIL -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Service Host" = C:\WINNT\spoolyb.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TORVIL\
"DisplayName" = System Registry Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TORVIL\
"ImagePath" = C:\WINNT\spoolyb.exe -xStartOurNiceServicesYes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"w32alanis" = C:\WINNT\system32\mope.scr
-
The virus will also hijack the shell "open" handlers for batch, command, COM, EXE, PIF and screen-saver files, so that its dropped copy of svchost.exe runs every time a file of one of these types is opened -
HKEY_CLASSES_ROOT\batfile\shell\open\command\
"(Default)" = C:\WINNT\svchost.exe "%1" %*
HKEY_CLASSES_ROOT\cmdfile\shell\open\command\
"(Default)" = C:\WINNT\svchost.exe "%1" %*
HKEY_CLASSES_ROOT\comfile\shell\open\command\
"(Default)" = C:\WINNT\svchost.exe "%1" %*
HKEY_CLASSES_ROOT\exefile\shell\open\command\
"(Default)" = C:\WINNT\svchost.exe "%1" %*
HKEY_CLASSES_ROOT\piffile\shell\open\command\
"(Default)" = C:\WINNT\svchost.exe "%1" %*
HKEY_CLASSES_ROOT\scrfile\shell\open\command\
"(Default)" = C:\WINNT\svchost.exe "%1" /S
-
The virus may copy itself to the shared folder for some peer-to-peer file sharing applications such as Grokster, WinMX, Morpheus and Kazaa -
C:\ARCHIV~1\Grokster\My Grokster\
C:\archiv~1\WinMX\My Shared Folder\
C:\ARCHIV~1\KaZaA\My Shared Folder\
C:\archiv~1\Morpheus\My Shared Folder\
C:\archiv~1\ICQ\shared files\
C:\archiv~1\Edonkey2000\incoming\
C:\archiv~1\KaZaA Lite\My Shared Folder\
C:\Program Files\WinMX\My Shared Folder\
C:\Program Files\KaZaA\My Shared Folder\
C:\Program Files\Grokster\My Grokster\
C:\Program Files\Morpheus\My Shared Folder\
C:\Program Files\ICQ\shared files\
C:\Program Files\Edonkey2000\incoming\
C:\Program Files\KaZaA Lite\My Shared Folder\
-
The virus will attempt to copy itself to A: drives with these file names -
a:\axebah.exe
a:\ring.exe
a:\piratas.scr
a:\BadboysII.scr
-
The virus will write infectious HTML files in different locations - the HTML file contains an encoded copy of the virus which is decoded and run if the HTML file is viewed on vulnerable systems -
c:\alanis.html
c:\avril.html
c:\pamelaXXX.html
c:\evan.html
c:\emo.html
c:\misdoc~1\alanis.html
c:\misdoc~1\avril.html
c:\misdoc~1\pamelaXXX.html
c:\misdoc~1\evan.html
c:\misdoc~1\emo.html
-
The virus may register a new file type ".MCG" on the infected system, associate it with Windows Media Player (the type is described as a video clip and uses the wmplayer.exe icon), hide the extension from the shell, and make files of this type directly executable -
HKEY_CLASSES_ROOT\.mcg\
"(Default)" = mcgfile
HKEY_CLASSES_ROOT\mcgfile\
"(Default)" = clip de video
HKEY_CLASSES_ROOT\mcgfile\
"NeverShowExt" = 1
HKEY_CLASSES_ROOT\mcgfile\DefaultIcon\
"(Default)" = C:\ARCHIV~1\REPROD~1\wmplayer.exe,-120
HKEY_CLASSES_ROOT\mcgfile\Shell\Open\Command\
"(Default)" = "%1" %*
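As a defender's check for the registry changes described in this analysis (the Run-key and TORVIL service entries, the hijacked open handlers for executable file types, and the .MCG file type), here is an added Python example that is not part of the Fortinet write-up. It parses a .reg-style export and flags the three patterns. The sample export is constructed from the values listed on this page; the clean handler defaults (`"%1" %*` and `"%1" /S`) are the standard Windows values and are an assumption, and the hidden-extension check is generalized to any ProgID that sets NeverShowExt and also has a direct Shell\Open\Command handler, which goes beyond the .MCG case the page describes.

```python
"""Offline check for the registry changes the write-up attributes to
W32/Sinala@mm: Run-key and service persistence pointing at dropped copies,
hijacked shell\\open\\command handlers for executable file types, and a
registered file type whose extension is hidden yet runs the file directly."""
import re

# Clean defaults for the handlers the write-up says are hijacked (standard
# Windows values, assumed here, not taken from the write-up).
EXPECTED_OPEN_COMMANDS = {
    "batfile": '"%1" %*', "cmdfile": '"%1" %*', "comfile": '"%1" %*',
    "exefile": '"%1" %*', "piffile": '"%1" %*', "scrfile": '"%1" /S',
}
# Copies of the virus the write-up lists (lower-cased for matching).
DROPPED_PATHS = (r"c:\winnt\spoolyb.exe", r"c:\winnt\svchost.exe",
                 r"c:\winnt\system32\mope.scr")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HANDLER_RE = re.compile(r"^hkey_classes_root\\([^\\]+)\\shell\\open\\command$")

# Constructed .reg export mirroring the write-up's listed values (cmdfile,
# comfile and piffile are hijacked the same way and are omitted for brevity;
# the "Updater" entry and txtfile handler are clean controls).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Service Host"="C:\\WINNT\\spoolyb.exe"
"w32alanis"="C:\\WINNT\\system32\\mope.scr"
"Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TORVIL]
"DisplayName"="System Registry Service"
"ImagePath"="C:\\WINNT\\spoolyb.exe -xStartOurNiceServicesYes"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="C:\\WINNT\\svchost.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINNT\\svchost.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="C:\\WINNT\\svchost.exe \"%1\" /S"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\.mcg]
@="mcgfile"
[HKEY_CLASSES_ROOT\mcgfile]
@="clip de video"
"NeverShowExt"=""
[HKEY_CLASSES_ROOT\mcgfile\Shell\Open\Command]
@="\"%1\" %*"
'''


def parse_reg_export(text):
    """Parse a .reg-style text export into {key: {value_name: data}}.
    String data is unquoted and unescaped; other value types stay raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def find_sinala_indicators(keys):
    """Return (category, key, value_name_or_progid, data) tuples."""
    findings = []
    lower_keys = {k.lower() for k in keys}
    for key, values in keys.items():
        lkey = key.lower()
        for name, data in values.items():
            # 1. autorun or service entry that launches one of the dropped copies
            if (lkey.endswith(r"\currentversion\run") or "\\services\\" in lkey) \
                    and any(p in data.lower() for p in DROPPED_PATHS):
                findings.append(("persistence", key, name, data))
            # 2. open handler for an executable type that no longer matches the default
            m = HANDLER_RE.match(lkey)
            if m and name == "(Default)":
                expected = EXPECTED_OPEN_COMMANDS.get(m.group(1))
                if expected is not None and data != expected:
                    findings.append(("handler_hijack", key, m.group(1), data))
        # 3. any ProgID that hides its extension but has a direct open handler
        if re.fullmatch(r"hkey_classes_root\\[^\\]+", lkey) and "NeverShowExt" in values \
                and lkey + r"\shell\open\command" in lower_keys:
            findings.append(("hidden_extension_type", key, "NeverShowExt", values["NeverShowExt"]))
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = {}
    for category, *_ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in find_sinala_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(*finding, sep=" | ")
```

On a live host the same checks can be run against an export produced with `reg export`; the handler comparison is the most useful of the three, because a non-default open command for exefile or scrfile is abnormal regardless of which malware set it.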
-
The virus will then write numerous files with .MCG extensions in several places -
c:\WINNT\Cleanmgr.mcg
c:\WINNT\molani.scr
c:\WINNT\system32\Cleanmgr.mcg
-
Two other files of the same size are created -
c:\WINNT\system32\freesoft.avi.scr
c:\WINNT\system32\kerneldll32.api
-
The virus may create an email message with the file attachment "alanis.exe" and send it to each contact in the Windows address book - the subject and body text of the message are in Spanish
-
Virus contains the string "[DemionKlaz]..................[DK]" in its code
Telemetry
Detection Availability
Product | Detection Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |