W32/Sober.B@mm

Analysis

  • The virus is a 32-bit executable and is compressed; its file size varies and exceeds 54,784 bytes, and the virus may contain random encrypted data beyond hex 0xD5FF (54,784 bytes)
  • The virus was coded using Visual Basic 6
  • The virus may contain appended random data, which makes it polymorphic with regard to both static file size and code
  • The virus is introduced to the system as an email attachment
  • If virus is run, it will display a fake error message with this text -

    Error
    (X) Header is missing
    [OK]

  • The virus will write a copy of itself into the %Windows%\System32 folder under one of several possible file names, and then modify the registry to load at Windows startup, as in this example -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run\
    phdisk = C:\WINNT\System32\strbpdncon.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    phdisk = C:\WINNT\System32\strbpdncon.exe

  • The virus will then scavenge the hard drive looking for email addresses; it looks inside files with the following extensions -

    .htt, .rtf, .doc, .xls, .ini, .mdb, .txt, .htm, .html, .wab, .pst, .fdb, .cfg, .ldb, .eml, .abc, .ldif, .nab, .adp, .mdw, .mda, .mde, .ade, .sln, .dsw, .dsp, .vap, .php, .asp, .shtml, .shtm, .dbx, .hlp, .mht, .nfo

  • The virus will create the path %Windows%\System32\Help and then write a file "mscolmon.ocx" to that folder; mscolmon.ocx contains all of the email addresses found on the system

  • The virus will then use its own SMTP code to send randomly formatted email messages to the recipients listed in mscolmon.ocx; the subject lines and body text vary, and the attachment file name is also chosen at random from a list

  • The virus infects files which may exist in the shared folder for Kazaa by overwriting the first 54,784 bytes with a copy of its code

  • Infectious files contain the string "54784" in the initial file header
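The two observations above (the worm overwrites the first 54,784 bytes of a shared file with a copy of its Win32 body, and infected files carry the string "54784" in the initial header region) give a triage heuristic for a shared folder. The following is an added example, not Fortinet's detection logic; it assumes the worm body is an ordinary Win32 PE image beginning with an "MZ" stub (a 32-bit VB6 executable is one) and uses a constructed sample set of non-executable extensions.

```python
"""Triage scan for files clobbered by W32/Sober.B@mm in a shared folder.

Relies on the analysis above: the first 54,784 bytes of an infected file are
a copy of the worm's Win32 body, and that region carries the string "54784".
The MZ check is an assumption: a Win32 executable starts with a DOS/PE stub.
"""
from pathlib import Path
from typing import List, Optional, Tuple

SOBER_BODY_LEN = 54_784      # 0xD600 bytes, the prefix the worm overwrites
SOBER_MARKER = b"54784"      # marker reported in infected file headers
MZ = b"MZ"                   # DOS/PE stub signature (assumption, see docstring)

# Constructed sample set: extensions that should never start with a PE stub.
NON_PE_EXTS = {".mp3", ".avi", ".jpg", ".zip", ".doc", ".txt", ".rtf"}


def classify(data: bytes, ext: str) -> Optional[str]:
    """Return a reason string if `data` looks Sober-infected, else None.

    Only the first SOBER_BODY_LEN bytes are examined, so a "54784" that
    occurs later in an otherwise clean executable is not counted.
    """
    head = data[:SOBER_BODY_LEN]
    if not head.startswith(MZ):
        return None                      # not a Win32 image, cannot be the worm body
    if SOBER_MARKER in head:
        return "Win32 image carrying the 54784 marker"
    if ext.lower() in NON_PE_EXTS:
        return "PE stub at offset 0 of a non-executable file"
    return None


def scan_tree(root: Path) -> List[Tuple[Path, str]]:
    """Walk `root` (e.g. a Kazaa shared folder) and list suspect files."""
    hits: List[Tuple[Path, str]] = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        with path.open("rb") as fh:      # read only the region of interest
            reason = classify(fh.read(SOBER_BODY_LEN), path.suffix)
        if reason:
            hits.append((path, reason))
    return hits


if __name__ == "__main__":
    import sys
    for hit_path, why in scan_tree(Path(sys.argv[1])):
        print(f"{hit_path}: {why}")
```

Hits are candidates for AV confirmation, not a verdict; a legitimate installer that happens to contain "54784" would also be listed.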

Recommended Action

  • Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option
  • Alternatively, this virus can be blocked by FortiGate units by enabling blocking of file attachments with .ZIP, .COM, .EXE, .BAT, .PIF or .SCR extensions; using the FortiGate manager, enable blocking of these extensions for the SMTP, IMAP and POP3 services

Telemetry

Detection Availability

  • FortiClient: Extreme
  • FortiMail: Extreme
  • FortiSandbox: Extreme
  • FortiWeb: Extreme
  • Web Application Firewall: Extreme
  • FortiIsolator: Extreme
  • FortiDeceptor: Extreme
  • FortiEDR