Virus

W32/Sober.C@mm

Analysis

  • The virus is a 32-bit executable with a compressed file size of 73,728 bytes
  • The virus was coded in Visual Basic 6
  • The virus is introduced to the system as an email attachment
  • The virus writes a copy of itself into the %Windows%\System32 folder under one of several possible file names, and then modifies the registry so that it loads at Windows startup, as in this example -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run\
    (value) = C:\WINNT\System32\syshostx.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    (value) = C:\WINNT\System32\syshostx.exe

  • The virus then scans the hard drive for email addresses, looking inside files with the following extensions -

    .abc
    .ade
    .adp
    .asp
    .cfg
    .dbx
    .doc
    .dsp
    .dsw
    .eml
    .fdb
    .hlp
    .htm
    .html
    .htt
    .ini
    .ldb
    .ldif
    .mda
    .mdb
    .mde
    .mdw
    .mht
    .nab
    .nfo
    .nsf
    .php
    .pst
    .rtf
    .shtm
    .shtml
    .sln
    .txt
    .vap
    .wab
    .xls

  • The virus writes a file "savesyss.dll" to %Windows%\System32 - savesyss.dll contains all of the email addresses found on the system

  • The virus then uses its own SMTP code to send randomly composed email messages to the recipients listed in savesyss.dll - the subject lines and body text vary, and the attachment file name is also chosen at random from a list

  • The email subject and body text may be in either English or German

  • The attachment file names are chosen from a list that includes the following, in an attempt to trick the recipient into thinking the attachment is a link to a web site -

    www.anime4allfree.com
    www.animepage43252.com
    www.boards4all-terror432.com
    www.free4manga.com
    www.free4share4you.com
    www.freegames4you-gzone.com
    www.freewantiv.com
    www.iq4you-german-test.com
    www.onlinegamerspro-worm.com
    www.tagespolitik-umfragen.com


Recommended Action

  • Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Alternatively, FortiGate units can block this virus by blocking file attachments with .ZIP, .COM, .EXE, .BAT, .PIF or .SCR extensions; using the FortiGate manager, enable blocking of these extensions for the SMTP, IMAP and POP3 services
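As an added example (not part of this Fortinet entry or its product), the Python routine below applies the attachment-name checks implied by the analysis and the Recommended Action: it blocks the extensions listed there and additionally flags names that imitate a web address but end in a Windows executable suffix, which is how a ".com" attachment name such as those above works. The extension list and attachment names come from this page; the sample inputs are constructed.

```python
import re

# Extensions the Recommended Action says to block on SMTP, IMAP and POP3.
BLOCKED_EXTENSIONS = {".zip", ".com", ".exe", ".bat", ".pif", ".scr"}

# Attachment file names listed in the analysis above.
KNOWN_SOBER_NAMES = {
    "www.anime4allfree.com", "www.animepage43252.com",
    "www.boards4all-terror432.com", "www.free4manga.com",
    "www.free4share4you.com", "www.freegames4you-gzone.com",
    "www.freewantiv.com", "www.iq4you-german-test.com",
    "www.onlinegamerspro-worm.com", "www.tagespolitik-umfragen.com",
}

# A file name that reads like a web address: "www.", host labels, TLD-like ending.
WEBLIKE = re.compile(r"^www\.[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,4}$")


def classify_attachment(filename):
    """Return (block, reasons): whether to block the attachment name and why."""
    name = filename.strip().lower()
    reasons = []
    if name in KNOWN_SOBER_NAMES:
        reasons.append("known Sober.C attachment name")
    # Windows decides executability from the last suffix only, so ".com" at the
    # end of a web-address-looking name is still a .COM executable.
    dot = name.rfind(".")
    ext = name[dot:] if dot >= 0 else ""
    if ext in BLOCKED_EXTENSIONS:
        reasons.append("blocked extension " + ext)
        if WEBLIKE.match(name):
            reasons.append("web-address-style name with executable extension")
    return bool(reasons), tuple(reasons)


def scan_attachments(filenames):
    """Return the attachment names that should be blocked, in input order."""
    return [n for n in filenames if classify_attachment(n)[0]]


# Constructed sample attachment names, not taken from a real mail capture.
SAMPLE = ["www.free4manga.com", "report.pdf", "www.example-site.org",
          "holiday.jpg.scr", "Notes.TXT"]

if __name__ == "__main__":
    for n in SAMPLE:
        block, why = classify_attachment(n)
        print(n.ljust(24), "block" if block else "pass", "; ".join(why))
```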