W32/Saros.A@mm

Analysis

Specifics
This 32-bit virus pretends to be an installable file from Microsoft. When it is first run, a splash screen logo is displayed, giving the virus the appearance that it is an official Microsoft update executable. Next the virus displays a fake dialogue box with only one choice -

Microsoft Windows Update

Click Yes For Update Microsoft Outlook via E-mail

[OK]

To continue the trickery, the virus opens Internet Explorer web browser to Microsoft's security update page, as in this example -

http://v4.windowsupdate.microsoft.com/en/default.asp

This virus contains a mass-mailing routine where the virus sends a copy of itself to others using Outlook.

Kazaa P2P Sharing Propagation
This virus will also make itself available to others using the P2P file sharing program Kazaa, by copying itself into the shard folder for that application. These are some of the file names the virus may copy itself as -

C:\Program Files\Kazaa\My Shared Folder\50 Cent - In da Club.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Anastacia - Left Outside Alone.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Black Eyed Peas - Hey Mama.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Haiducii - Dragostea Din Tei.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Lionel Richie - Just For You.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Pipponoto.exe
C:\Program Files\Kazaa\My Shared Folder\Raf - In tutti i miei giorni.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Rosy.exe
C:\Program Files\Kazaa\My Shared Folder\The Rasmus - In The Shadows.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Vanessa Carltron - Ordinary Day.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Vasco Rossi - Buoni e cattivi.mp3.exe

Loading at Windows Startup
This virus will register itself to load at Windows startup by modifying the registry -

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run\nldr32\
"(Default)" = WINDOWS\system32\NonYou.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Runonce\wincomp32\
"(Default)" = WINDOWS\system32\nstdnrdll32.vbs

Lowering of Outlook Attachment Security
The virus modifies the registry in an attempt to lower the security settings for MS Outlook regarding the handling of unsafe attachments. The virus modifies the registry with these settings -

HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security\
"Level1Remove" = exe
HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Outlook\Security\
"Level1Remove" = exe
HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security\
"Level1Remove" = exe

Miscellaneous
The last two PE sections of this virus have these names -

Saro
Rosy

Recommended Action

• Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option