Virus

W32/Sober.E@mm

Analysis


Specifics
This 32-bit virus has a packed file size of 30,720 bytes. It was written in Visual Basic 6 and contains a routine to send itself by email to others. The attachment has an extension of either .PIF or .ZIP, and the .ZIP contains a .PIF file.

Additional files may exist on the infected system, all in the System or System32 folder -

WinRun32.dll - contains email addresses found by the virus
msWord.wrd - MIME encoded .ZIP with virus inside with a .PIF extension
MsHelp32.dat - MIME encoded .PIF

Other files may be created but contain no content or are zero bytes in length -

bcegfds.lll - 0 byte temp file
zmndpgwf.kxx - 0 byte temp file


Loading At Windows Startup
If the virus is run, it copies itself into the System32 folder as a randomly named EXE file. The name is chosen from a table of possible names and is made of two parts. These are the possible hard-coded names -

sys,host,dir,explorer,win,run,log,32,disc,crypt,data,diag,spool,service,smss32

The virus selects two names from the table to create a file name, such as "datacrypt.exe". It then modifies the registry to run at Windows startup, as in this example -

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\crypt\
"hostdiagcrypt" = C:\WINNT\System32\datacrypt.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
"syscrypt" = C:\WINNT\System32\datacrypt.exe undefined1

In the above examples, the registry key and value names were also derived by concatenating selected strings from the table of names.

Email Spreading Routine
The virus scans the hard drive for email addresses, harvesting them from files with these extensions -

abd
abx
adb
asp
dbx
doc
eml
ini
log
mdb
php
pl
rtf
shtml
tbb
txt
wab
xls

Email addresses found are stored as text in a file named "WinRun32.dll". The first line of the text file is the string "1#", probably a marker for the virus. The email addresses follow that first line, one per line. The last line of the file is the end-of-file marker string "EOF".
The virus avoids selecting email addresses that contain any of these strings -

arcor
bigfoot
hotmail
msn
online
web
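The two behaviours above (the file and registry value names assembled from the name table, and the WinRun32.dll address store) can both be checked on a suspect system with a small script. The following is an added example and not part of this analysis or any Fortinet tool; the address file format, name table and skip list are taken from the text above, and the sample harvest file contents are constructed placeholders.

```python
import os

# Name fragments listed in the analysis above; Sober.E concatenates them to
# build its EXE name (two fragments) and its Run/RunOnce value names.
SOBER_NAME_PARTS = ("sys", "host", "dir", "explorer", "win", "run", "log", "32",
                    "disc", "crypt", "data", "diag", "spool", "service", "smss32")
# Substrings the analysis says the virus skips when picking addresses to mail.
SKIPPED_ADDRESS_STRINGS = ("arcor", "bigfoot", "hotmail", "msn", "online", "web")

def split_into_parts(name, parts=SOBER_NAME_PARTS):
    """Return the table fragments whose concatenation equals `name`, or None.
    Backtracking search; the table is small, so this is cheap."""
    name = name.lower()
    if not name:
        return []
    for part in parts:
        if name.startswith(part):
            rest = split_into_parts(name[len(part):], parts)
            if rest is not None:
                return [part] + rest
    return None

def is_sober_style_name(name, min_parts=2):
    """True when the stem of `name` is built from at least `min_parts` table
    fragments ('datacrypt.exe', 'hostdiagcrypt'); 'explorer.exe' is not."""
    parts = split_into_parts(os.path.splitext(name)[0])
    return parts is not None and len(parts) >= min_parts

def parse_harvest_file(text):
    """Parse the WinRun32.dll layout: a '1#' marker line, one harvested
    address per line, then a closing 'EOF' line. Raises ValueError otherwise."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or lines[0] != "1#" or lines[-1] != "EOF":
        raise ValueError("not in the WinRun32.dll layout described")
    return lines[1:-1]

def would_be_targeted(address):
    """True if none of the skipped strings occur in the address."""
    low = address.lower()
    return not any(s in low for s in SKIPPED_ADDRESS_STRINGS)

# Constructed sample harvest file; the addresses are invented placeholders.
SAMPLE_HARVEST = "1#\nalice@example.org\nbob@hotmail.example\ncarol@example.net\nEOF\n"

if __name__ == "__main__":
    for addr in parse_harvest_file(SAMPLE_HARVEST):
        print(addr, "targeted" if would_be_targeted(addr) else "skipped")
    print(is_sober_style_name("datacrypt.exe"), is_sober_style_name("explorer.exe"))
```

Running `parse_harvest_file` over a recovered WinRun32.dll gives the list of addresses the infected host may have mailed, which is useful when deciding who to notify during clean-up.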


Email Creation
The virus constructs an email message with varied subject lines and body text and a randomly selected file attachment - the variations are hard-coded and stored in the virus body. The "From" address is spoofed.

The virus attaches either a .ZIP or a .PIF file. The attachment is read from one of these files in the System32 folder -

msWord.wrd - MIME encoded .ZIP with virus inside with a .PIF extension
MsHelp32.dat - MIME encoded .PIF

The attachment file name is chosen from a table of names and could be any of these -

Text
Read
Graphic-doc
document
Word

The extension will be either .zip or .pif - for the .zip extension, the archive contains the infected .PIF file.


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Alternatively, this virus can be blocked by FortiGate units by enabling blocking of file attachments with .ZIP, .COM, .EXE, .BAT, .PIF or .SCR extensions; using the FortiGate manager, enable blocking of these extensions for the SMTP, IMAP and POP3 services