W32/Saros.A@mm
Analysis
Specifics
This 32-bit virus pretends to be an installable file
from Microsoft. When it is first run, a splash screen
logo is displayed, giving the virus the appearance of
an official Microsoft update executable. Next
the virus displays a fake dialogue box with only one
choice -
Microsoft Windows Update
Click Yes For Update Microsoft Outlook via E-mail
[OK]
To continue the trickery, the virus opens the Internet Explorer
web browser at Microsoft's security update page, as
in this example -
http://v4.windowsupdate.microsoft.com/en/default.asp
This virus contains a mass-mailing routine where the virus sends a copy of itself to others using Outlook.
Kazaa P2P Sharing Propagation
This virus will also make itself available to others
using the P2P file sharing program Kazaa, by copying
itself into the shared folder for that application. These
are some of the file names the virus may copy itself
as -
C:\Program Files\Kazaa\My Shared Folder\50 Cent - In da Club.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Anastacia - Left Outside Alone.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Black Eyed Peas - Hey Mama.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Haiducii - Dragostea Din Tei.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Lionel Richie - Just For You.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Pipponoto.exe
C:\Program Files\Kazaa\My Shared Folder\Raf - In tutti i miei giorni.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Rosy.exe
C:\Program Files\Kazaa\My Shared Folder\The Rasmus - In The Shadows.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Vanessa Carltron - Ordinary Day.mp3.exe
C:\Program Files\Kazaa\My Shared Folder\Vasco Rossi - Buoni e cattivi.mp3.exe
Loading at Windows Startup
This virus will register itself to load at Windows startup
by modifying the registry -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\nldr32\
"(Default)" = WINDOWS\system32\NonYou.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\wincomp32\
"(Default)" = WINDOWS\system32\nstdnrdll32.vbs
Lowering of Outlook Attachment Security
The virus modifies the registry in an attempt to lower
the security settings of MS Outlook for the handling
of unsafe attachments, so that .exe attachments are no
longer blocked. The virus writes these settings -
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security\
"Level1Remove" = exe
HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Outlook\Security\
"Level1Remove" = exe
HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security\
"Level1Remove" = exe
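A read-only host check for the startup persistence, Outlook attachment-security and Kazaa shared-folder indicators listed above, as an added example that is not part of the Fortinet write-up. It assumes the keys are under the current user's hive as described, that the Kazaa share is at the default path given above, and that Level1Remove may hold several semicolon-separated extensions rather than only "exe".

```powershell
# Added example (not from the write-up): report-only check for W32/Saros.A@mm
# indicators on a Windows host. Run in the context of the affected user.
$findings = @()

# 1. Startup persistence subkeys under Run\nldr32 and RunOnce\wincomp32
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\nldr32',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce\wincomp32'
)
foreach ($key in $runKeys) {
    if (Test-Path -LiteralPath $key) {
        $default = (Get-ItemProperty -LiteralPath $key).'(default)'
        $findings += "Persistence subkey present: $key -> $default"
    }
}

# 2. Outlook Level1Remove containing "exe" (assumption: value may list
#    several extensions separated by ';', with or without a leading dot)
foreach ($ver in '8.0', '9.0', '10.0') {
    $sec = "HKCU:\Software\Microsoft\Office\$ver\Outlook\Security"
    if (Test-Path -LiteralPath $sec) {
        $val = (Get-ItemProperty -LiteralPath $sec -ErrorAction SilentlyContinue).Level1Remove
        if ($val) {
            $exts = ($val -split ';') | ForEach-Object { $_.Trim().TrimStart('.').ToLower() }
            if ($exts -contains 'exe') {
                $findings += "Outlook $ver Level1Remove unblocks exe attachments: '$val'"
            }
        }
    }
}

# 3. Kazaa shared folder: double-extension .mp3.exe lures and the two bare .exe names
$share = 'C:\Program Files\Kazaa\My Shared Folder'
if (Test-Path -LiteralPath $share) {
    Get-ChildItem -LiteralPath $share -File |
        Where-Object { ($_.Name -match '\.mp3\.exe$') -or ($_.Name -in @('Pipponoto.exe', 'Rosy.exe')) } |
        ForEach-Object { $findings += "Suspicious shared file: $($_.FullName)" }
}

# 4. Dropped files referenced by the Run/RunOnce values
foreach ($f in "$env:SystemRoot\system32\NonYou.exe", "$env:SystemRoot\system32\nstdnrdll32.vbs") {
    if (Test-Path -LiteralPath $f) { $findings += "Dropped file present: $f" }
}

if ($findings.Count -eq 0) { 'No W32/Saros.A@mm indicators found' } else { $findings }
```

The script only reads the registry and file system; remediation (removing the keys and files) is left to the AV product per the Recommended Action below.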
Miscellaneous
The last two PE sections of this virus have these names -
Saro
Rosy
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option