Virus

W32/Ska.A@m

Analysis

  • Virus is 32bit, with a size of 10,000 bytes
  • Virus will attempt to patch WSOCK32.DLL
    • When the virus is first executed, it copies itself to Windows\System as "Ska.exe" and then writes a file "Ska.dll" to the same folder
    • Virus then copies existing WSOCK32.DLL as WSOCK32.SKA
    • Virus modifies the registry in order to load at Windows startup -

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
      CurrentVersion\RunOnce\
      Ska.exe = Ska.exe

    • After a Windows restart, SKA.EXE patches WSOCK32.DLL, which calls routines in SKA.DLL in order to monitor sending emails via SMTP and posting news via NNTP.
  • When a user sends an email from an infected system to someone, an additional email will be sent from the infected system to the same recipient with an attachment named "Happy99.exe".
  • The virus adds the email address that received the virus into a text file named "liste.ska".
  • When a user sends a news post to USENET via NNTP, this virus will send an additional post with an attachment named "Happy99.exe".
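The dropped files, the renamed WSOCK32.SKA backup and the RunOnce value listed above are the host-level indicators a responder would check for. The script below is an added example for this entry, not Fortinet's code: it checks a System directory for the four file names in the analysis and looks for the "Ska.exe" RunOnce value. The registry read goes through the standard winreg module and only runs on Windows; the file and value checks take a directory path and a plain mapping, so they can be run against constructed data on any platform. The default System path built from %SystemRoot% is an assumption.

```python
"""Host indicator check for W32/Ska.A@m (Happy99), based on the analysis above.

Added example, not the vendor's code. Checks for the dropped files
(Ska.exe, Ska.dll, WSOCK32.SKA, liste.ska) in the System directory and
for the "Ska.exe" value under HKLM\...\RunOnce.
"""
import os
import sys

# Files the analysis says the virus writes into Windows\System.
DROPPED_FILES = ("Ska.exe", "Ska.dll", "WSOCK32.SKA", "liste.ska")

# RunOnce value the analysis says the virus adds (name = data = Ska.exe).
RUNONCE_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"
RUNONCE_VALUE_NAME = "Ska.exe"


def find_dropped_files(system_dir):
    """Return the indicator file names present in system_dir (case-insensitive)."""
    try:
        present = {name.lower() for name in os.listdir(system_dir)}
    except OSError:
        # Directory missing or unreadable: nothing to report.
        return []
    return [f for f in DROPPED_FILES if f.lower() in present]


def find_runonce_entry(runonce_values):
    """Return the (name, data) pair matching the Ska.exe RunOnce value, or None."""
    for name, data in runonce_values.items():
        if name.lower() == RUNONCE_VALUE_NAME.lower():
            return (name, data)
    return None


def read_runonce_values():
    """Read all HKLM RunOnce values with winreg (Windows only); empty dict elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUNONCE_SUBKEY) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                values[name] = data
                index += 1
    except OSError:
        pass  # key absent or not readable
    return values


def assess(system_dir, runonce_values):
    """Combine the file and registry checks into one report dict."""
    files = find_dropped_files(system_dir)
    entry = find_runonce_entry(runonce_values)
    return {
        "dropped_files": files,
        "runonce_entry": entry,
        # WSOCK32.SKA is the virus's copy of the original WSOCK32.DLL.
        "original_wsock32_backup": "WSOCK32.SKA" in files,
        "infected": bool(files) or entry is not None,
    }


if __name__ == "__main__":
    # Assumed default: the System directory under %SystemRoot%.
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System")
    for key, value in assess(system_dir, read_runonce_values()).items():
        print(f"{key}: {value}")
```

Any hit in the report is worth treating as an infection: the WSOCK32.SKA flag in particular tells a responder that the original WSOCK32.DLL copy the virus made is still on disk.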

Recommended Action

  • Check the web interface for your Fortigate unit to ensure the latest AV/NIDS definitions have been downloaded and installed on your system - if required, enable the "Allow Push Update" option