W32/Sober.E@mm
Analysis
Specifics
This 32-bit virus has a packed file size of 30,720 bytes.
This virus was coded using Visual Basic 6, and contains
code to send itself by email to others. The attachment
has an extension of either .PIF or .ZIP, and the .ZIP
will have a .PIF file inside.
Additional files may exist on the infected system, all in the System or System32 folder -
WinRun32.dll - contains email addresses found by the
virus
msWord.wrd - MIME encoded .ZIP with virus inside with
a .PIF extension
MsHelp32.dat - MIME encoded .PIF
Other files may be created but contain no content or are zero bytes in length -
bcegfds.lll - 0 byte temp file
zmndpgwf.kxx - 0 byte temp file
Loading At Windows Startup
If the virus is run, it copies itself into the System32
folder as a randomly named EXE file. The name is built from
two parts, each chosen from a hard-coded table of strings.
These are the possible hard-coded name parts -
sys,host,dir,explorer,win,run,log,32,disc,crypt,data,diag,spool,service,smss32
The virus selects two entries from the table and concatenates them to form a name, such as "datacrypt.exe". It then modifies the registry so that this copy runs at Windows startup, as in this example -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\crypt\
"hostdiagcrypt" = C:\WINNT\System32\datacrypt.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
"syscrypt" = C:\WINNT\System32\datacrypt.exe
In the above examples, the registry key name was also
derived by concatenating selected strings from the table
of names.
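The naming scheme above makes the set of possible file and value names finite and checkable. The following is an added example (not code from the original page or from Fortinet) that reconstructs that check in Python: it tokenises a name into parts from the table and flags Run/RunOnce entries whose value name and target file are both built that way and whose target lives in System or System32. The registry lines are constructed sample input in the same "value" = path form the page uses; the assumption that a part may be reused, and that a value name may consist of three parts (as in "hostdiagcrypt" above), is mine.

```python
import re

# Name parts listed on the page for W32/Sober.E@mm. Longer entries are
# tried first so that "smss32" is not mis-split into "smss" + "32".
NAME_PARTS = sorted(
    ["sys", "host", "dir", "explorer", "win", "run", "log", "32", "disc",
     "crypt", "data", "diag", "spool", "service", "smss32"],
    key=len, reverse=True)


def tokenize(name):
    """Split `name` into a list of table parts, or return None if impossible.

    Backtracking word-break: every prefix that matches a part is tried.
    Parts may repeat (assumption; the page does not say otherwise).
    """
    name = name.lower()
    if name == "":
        return []
    for part in NAME_PARTS:
        if name.startswith(part):
            rest = tokenize(name[len(part):])
            if rest is not None:
                return [part] + rest
    return None


def is_sober_name(stem):
    """True if `stem` is two or more table parts glued together.

    A single part on its own (e.g. the legitimate "explorer") is not flagged.
    """
    parts = tokenize(stem)
    return parts is not None and len(parts) >= 2


# Matches one exported Run/RunOnce value in the form the page shows:
#   "hostdiagcrypt" = C:\WINNT\System32\datacrypt.exe
RUN_VALUE_RE = re.compile(r'^"(?P<value>[^"]+)"\s*=\s*(?P<path>.+?)\s*$')


def suspicious_run_entries(lines):
    """Return (value_name, path) for entries that match the Sober.E pattern:
    EXE in System or System32, with both the value name and the file stem
    composed of table parts."""
    hits = []
    for line in lines:
        m = RUN_VALUE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip('"')
        directory, _, filename = path.replace("/", "\\").rpartition("\\")
        stem, _, ext = filename.rpartition(".")
        in_system_dir = directory.lower().endswith(("\\system32", "\\system"))
        if (ext.lower() == "exe" and in_system_dir
                and is_sober_name(stem) and is_sober_name(m.group("value"))):
            hits.append((m.group("value"), path))
    return hits


# Constructed sample: the two entries from the page plus two benign ones.
SAMPLE_RUN_ENTRIES = [
    '"hostdiagcrypt" = C:\\WINNT\\System32\\datacrypt.exe',
    '"syscrypt" = C:\\WINNT\\System32\\datacrypt.exe',
    '"ctfmon" = C:\\WINNT\\System32\\ctfmon.exe',      # not table parts
    '"explorer" = C:\\WINNT\\explorer.exe',            # one part, not in System32
]

if __name__ == "__main__":
    for value, path in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"suspicious startup entry: {value} -> {path}")
```

The tokeniser backtracks rather than taking the first matching prefix, so names such as "win32" and "smss32" are resolved correctly; a real sweep would feed it the output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` instead of the constructed lines.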
Email Spreading Routine
The virus will scan the hard drive looking for email
addresses - the virus grabs email addresses from files
with these extensions -
abd
abx
adb
asp
dbx
doc
eml
ini
log
mdb
php
pl
rtf
shtml
tbb
txt
wab
xls
Email addresses found are stored as text in a file
named "WinRun32.dll". The first line of the
text file is the string "1#", probably a
marker for the virus. The email addresses follow that
first line. The last line of the text file is the end
of file marker string "EOF".
The virus avoids selecting email addresses which have
any of these strings -
arcor
bigfoot
hotmail
msn
online
web
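To make the harvesting routine and the WinRun32.dll layout concrete, here is an added Python example (not the virus's code and not from the original page) that reproduces the behaviour described in this section over constructed in-memory files: only files with the listed extensions are scanned, any address containing one of the avoided strings is dropped, and the survivors are written in the "1#" / addresses / "EOF" layout and parsed back. The address regex, the case-insensitive substring match, and the one-address-per-line layout are my assumptions; the page gives only the marker strings.

```python
import os
import re

# Extensions the page says are searched for addresses.
HARVEST_EXTENSIONS = {
    "abd", "abx", "adb", "asp", "dbx", "doc", "eml", "ini", "log", "mdb",
    "php", "pl", "rtf", "shtml", "tbb", "txt", "wab", "xls",
}

# Addresses containing any of these substrings are skipped.
AVOID_SUBSTRINGS = ("arcor", "bigfoot", "hotmail", "msn", "online", "web")

# Assumption: a simple address pattern; good enough for triage, not RFC 5322.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_avoided(address):
    """Plain substring test, as the page describes (so 'webmaster@...' is skipped too)."""
    lowered = address.lower()
    return any(s in lowered for s in AVOID_SUBSTRINGS)


def harvest(files):
    """files: mapping of file name -> text content (stands in for a disk scan).
    Returns the sorted, de-duplicated list of addresses the routine would keep."""
    found = set()
    for name, content in files.items():
        ext = os.path.splitext(name)[1].lower().lstrip(".")
        if ext not in HARVEST_EXTENSIONS:
            continue
        for address in EMAIL_RE.findall(content):
            if not is_avoided(address):
                found.add(address)
    return sorted(found)


def serialize_winrun32(addresses):
    """Produce the WinRun32.dll text: '1#' marker, addresses, 'EOF' marker."""
    return "1#\n" + "".join(a + "\n" for a in addresses) + "EOF\n"


def parse_winrun32(text):
    """Inverse of serialize_winrun32; raises ValueError if the markers are missing."""
    lines = text.splitlines()
    if len(lines) < 2 or lines[0] != "1#" or lines[-1] != "EOF":
        raise ValueError("not a WinRun32.dll address list: markers missing")
    return lines[1:-1]


# Constructed sample "disk": extension and avoid-list handling are both exercised.
SAMPLE_FILES = {
    "inbox.dbx": "From: alice@example.org\nTo: bob@hotmail.com, carol@example.net",
    "notes.txt": "contact webmaster@example.com or dave@example.org",
    "photo.jpg": "eve@example.org",          # extension not scanned
    "config.ini": "mail=frank@arcor.de",     # 'arcor' is avoided
}

if __name__ == "__main__":
    addresses = harvest(SAMPLE_FILES)
    print(serialize_winrun32(addresses), end="")
```

When triaging an infected host, feeding the real WinRun32.dll through `parse_winrun32` gives the list of addresses the worm was about to mail, which is what the notification step of an incident response needs.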
Email Creation
The virus will construct an email message with varied
subject lines and body text, with a randomly selected
file attachment - the variations are hard-coded and
stored in the virus body. The "From" address
is spoofed.
The virus will attach either a .ZIP or a .PIF file. The attachment is retrieved from the hard drive as one of these files from the System32 folder -
msWord.wrd - MIME encoded .ZIP with virus inside with
a .PIF extension
MsHelp32.dat - MIME encoded .PIF
The file name is created from a table of names and could be any of these -
Text
Read
Graphic-doc
document
Word
The extension will be either .zip or .pif - for files with .zip extension, the archive file contains an infected file.
Recommended Action
- Check the main screen using the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option
- Alternatively, this virus can be blocked by FortiGate units by enabling blocking of file attachments with .ZIP, .COM, .EXE, .BAT, .PIF or .SCR extensions; using the FortiGate manager, enable blocking of these extensions for the SMTP, IMAP and POP3 services
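The attachment-blocking recommendation above is easy to verify against a sample message. The following added Python example (not from the original page, not Fortinet's implementation) builds a constructed Sober-style mail with a ZIP that wraps a .PIF plus a benign text attachment, then applies the extension policy from this page: listed executable extensions are blocked outright, and a ZIP is either blocked wholesale (the page's rule) or, in inspect mode, opened by name only and blocked if any member carries a listed extension. Sender, recipient and attachment names are made up; the split into strict and inspect modes is my addition.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the page recommends blocking on SMTP, IMAP and POP3.
BLOCKED_EXTENSIONS = {"zip", "com", "exe", "bat", "pif", "scr"}
EXECUTABLE_EXTENSIONS = BLOCKED_EXTENSIONS - {"zip"}


def extension_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def archive_verdict(data):
    """Look at member names only (no extraction); fail closed on unreadable zips."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if extension_of(member) in EXECUTABLE_EXTENSIONS:
                    return "block", f"archive member {member} has extension {extension_of(member)}"
    except zipfile.BadZipFile:
        return "block", "unreadable archive"
    return "allow", ""


def attachment_verdicts(raw_message, inspect_archives=True):
    """Return [(filename, 'block'|'allow', reason)] for every attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if not filename:
            verdicts.append(("", "block", "attachment without a file name"))
            continue
        ext = extension_of(filename)
        if ext in EXECUTABLE_EXTENSIONS:
            verdicts.append((filename, "block", f"extension {ext} is blocked"))
        elif ext == "zip":
            if inspect_archives:
                verdict, reason = archive_verdict(part.get_payload(decode=True))
                verdicts.append((filename, verdict, reason))
            else:
                verdicts.append((filename, "block", "zip attachments are blocked"))
        else:
            verdicts.append((filename, "allow", ""))
    return verdicts


def build_sample_message():
    """Constructed sample: spoofed sender, attachment named from the page's table,
    a .PIF inside the ZIP, plus a harmless text attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.pif", b"MZ placeholder, not a real executable")
    msg = EmailMessage()
    msg["From"] = "spoofed@example.org"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Read"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Word.zip")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in attachment_verdicts(build_sample_message()):
        print(f"{name or '<unnamed>'}: {verdict} {reason}")
```

Inspect mode is the less disruptive policy for a real mail gateway, but it only examines member names; a gateway that allows archives through should also cap nesting depth and total declared size before trusting a ZIP.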
Detection Availability
Product | Database
---|---
FortiGate | Extended
FortiClient | Extreme
FortiAPS |
FortiAPU |
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |