VirusW32/Sobig.B@mm
Analysis
- Virus is 32bit, with a UPX compressed size of 52,898
bytes
- Virus may copy itself to the Windows folder, then
modify the registry to run at Windows startup, as
in this example –
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
System Tray = C:\Windows\msccn32.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
System Tray = C:\Windows\msccn32.exe -
Virus will scavenge the local drive for email addresses and send a copy of itself to addresses found in varying email formats, based on a randomly selected subject line and body text
-
The attachment will be 52,898 bytes and with a .PIF extension
-
Virus may attempt to connect to systems on a network and copy itself to the StartUp folder if a writable share is located
Recommended Action
- Ensure that you are using the minimum FortiGate
Definition version (listed at the top of this description).
- As an added measure of security, you may choose to block files with the extensions: ".PIF", and ".PI*".
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |