Virus

W32/Sobig.A@mm

Analysis

  • The virus is a 32-bit executable, compressed with TELock to a size of 65,536 bytes
  • The virus may copy itself to the Windows folder as winmgm32.exe and then modify the registry so that it runs at Windows startup, as in this example:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run\
WindowsMGM = C:\Windows\winmgm32.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\
WindowsMGM = C:\Windows\winmgm32.exe

  • The virus scavenges the local drive for email addresses and mails a copy of itself to every address found, using varying email formats with a randomly selected subject line and body text
  • The attachment uses one of the following file names:

Movie_0074.mpeg.pif
Document003.pif
Untitled1.pif
Sample.pif

  • The virus then attempts to retrieve a data file named "reteral.txt" from a URL; the content of that file is a further URL pointing to another file with a .txt extension, hosted under a user account on the domain "loricoshop.com"
  • That file is downloaded, renamed "mptask.exe" and saved to the Windows\System folder; its file properties are set to make it appear to be a Microsoft application, which it is not
  • The virus then modifies the registry to load the downloaded file at Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\
Mptask Services = C:\Windows\System\mptask.exe

  • The downloaded file Mptask.exe is a Trojan also known as Zasi
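The persistence entries and dropped files listed above are the host-level indicators a responder would check for. The following PowerShell triage script is an added example and is not part of the original analysis; it reads the two Run keys and the file locations named in the write-up, reports anything that matches, and changes nothing. The System32 path is an assumption for NT-family layouts, since the write-up names only Windows\System, and the 65,536-byte size check is taken from the stated TELock-compressed size.

```powershell
# Added example (not from the original advisory): read-only triage for the
# W32/Sobig.A / Zasi persistence artifacts described in the write-up.
# Registry locations, value names and file names come from the analysis above.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Run value names the write-up associates with the worm and the Trojan it downloads
$suspectValueNames = @('WindowsMGM', 'Mptask Services')

# Executables named in the write-up; any Run entry pointing at them is suspicious
# even if the value name differs
$suspectFilePattern = 'winmgm32\.exe|mptask\.exe'

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key

    foreach ($name in $suspectValueNames) {
        $entry = $props.PSObject.Properties[$name]
        if ($null -ne $entry) {
            $findings += [pscustomobject]@{
                Location = "$key\$name"
                Detail   = [string]$entry.Value
                Note     = 'Run value name matches Sobig.A persistence entry'
            }
        }
    }

    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match $suspectFilePattern -and
            $suspectValueNames -notcontains $p.Name) {
            $findings += [pscustomobject]@{
                Location = "$key\$($p.Name)"
                Detail   = $p.Value
                Note     = 'Run entry references a file name from the Sobig.A write-up'
            }
        }
    }
}

# File artifacts: the worm copy in the Windows folder and the downloaded Trojan.
# Assumption: System32 is checked in addition to the Windows\System path given in the write-up.
$windir = $env:windir
$filePaths = @(
    (Join-Path $windir 'winmgm32.exe'),
    (Join-Path $windir 'System\mptask.exe'),
    (Join-Path $windir 'System32\mptask.exe')
)

foreach ($path in $filePaths) {
    if (Test-Path $path) {
        $item = Get-Item $path
        $note = 'File artifact present'
        # The write-up gives 65,536 bytes as the TELock-compressed size of the worm body
        if ($item.Name -ieq 'winmgm32.exe' -and $item.Length -eq 65536) {
            $note += ' (size matches the 65,536-byte compressed worm)'
        }
        $findings += [pscustomobject]@{
            Location = $path
            Detail   = "$($item.Length) bytes, created $($item.CreationTime)"
            Note     = $note
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Sobig.A / Zasi persistence artifacts found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so the HKLM Run key and the system folders are readable; a hit on either Run value name or on the dropped files is enough to isolate the host and pull the files for analysis, and the script deliberately leaves removal to a separate, reviewed step.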