W32/Sowsat.C@mm
Analysis
- The virus is a 32-bit executable with a varied compressed file size
of in excess of 300Kb, carried in a file named TASKMGR32.EXE
- The virus may co-exist with a file "HookLib.dll"
with a file size of 40,448 bytes; this file is identified as W32/Sowsat.C-dll
- If the virus is run, it will launch a minimized
Internet Explorer browser window on the task bar -
if the window is maximized, the browser may display
a local html form file with Portuguese text
- The virus may write itself to the local system as two files:
%Windows%\taskmgr32.exe
%Windows%\taskmgr32#.exe
where # is a number between 0 and 9, for example taskmgr327.exe
- The virus modifies the registry so that it loads at the next Windows startup, as in these examples:
HKEY_CURRENT_USER\Software\Microsoft\Windows\
"ctfmon32" = Java Compiler
"jto" = 250803213939
"pcount" = (number of times the virus has executed, in hex)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"ctfmon32" = %Windows%\temp\taskmgr32#.exe
HKEY_CURRENT_USER\Software\WinRAR SFX\
"c%%windows%temp%" = %Windows%\temp\
- The virus contains its own SMTP code and uses it to send emails to contacts found when scanning files of type "*.htm*" on the infected system. The virus may create an email with a spoofed sender address, varied subject and body text, and attach itself as "setupc.exe" when sending itself to others. Below are the possible email formats the virus is expected to be sent as:
From: AVP-Team (AVP.Mailer@avp.com)
Subject: AVP-Virus-Warning
Body:
New virus in "The Wild" called "W32/Cow". Spreads through e-mail and IRC. A solution is this free program. Send this message to your friends. Thank you, AVP Team
Attachment: (filename when executed)
From: Programe-se.br (notice@programese.kit.net)
Subject: Bom dia !!!
Body:
Feliz Aniversário !!!
Attachment: (filename when executed)
From: Piadeiros da Net (piadeiros@risadinha.com)
Subject: Piada do Paciente Galo
Body:
Um paciente chegou com o psiquiatra e disse: - Doutor, eu sou um galo...
Attachment: (filename when executed)
From: jonas.rc@yahoo.com.b
Subject: Ei, psiu...
Body:
Nada. Te peguei... Gosto muito de você, viu ? Estou com saudades. De seu amigo, Jonas.
Attachment: (filename when executed)
- The virus uses an SMTP server at the web address smtp.ig.com.br in order to send its emails
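The file, registry, mail and network indicators above can be turned into a small matcher that an incident responder runs over host and gateway records. The following is an added example written for this write-up, not code from the original analysis or from any vendor tool. The indicator values (file names, the 40,448-byte DLL size, the registry keys and value names, the sender/subject pairs, the setupc.exe attachment name and the smtp.ig.com.br relay) are taken from the text; the record layout, the function names and the sample records are assumptions constructed for the example. The truncated sender address in the last lure is left out of the pair list because the write-up does not give it in full.

```python
"""Indicator matcher for the W32/Sowsat.C@mm write-up (added example).

Indicator values come from the analysis above; record layout, function names
and the SAMPLE_RECORDS below are assumptions constructed for this example.
"""
from __future__ import annotations

import re
from typing import Optional

# File indicators: taskmgr32.exe or taskmgr32#.exe (# = one digit) and the companion DLL
DROPPED_FILE_RE = re.compile(r"^taskmgr32\d?\.exe$", re.IGNORECASE)
COMPANION_DLL, COMPANION_DLL_SIZE = "hooklib.dll", 40448
# Registry indicators: the Run-key persistence entry and the marker values
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "ctfmon32"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
MARKER_VALUES = {"ctfmon32", "jto", "pcount"}
# Mail and network indicators
ATTACHMENT_NAME = "setupc.exe"
SMTP_RELAY = "smtp.ig.com.br"
MAIL_LURES = {  # (sender address, subject) pairs reproduced in full above
    ("avp.mailer@avp.com", "AVP-Virus-Warning"),
    ("notice@programese.kit.net", "Bom dia !!!"),
    ("piadeiros@risadinha.com", "Piada do Paciente Galo"),
}
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_file(path: str, size: Optional[int] = None) -> list[str]:
    """Flag the dropped worm body and the companion DLL (name plus documented size)."""
    hits = []
    name = _basename(path)
    if DROPPED_FILE_RE.match(name):
        hits.append(f"dropped worm body: {path}")
    # The DLL name alone is generic, so the size from the write-up is required too
    if name == COMPANION_DLL and size == COMPANION_DLL_SIZE:
        hits.append(f"companion DLL (W32/Sowsat.C-dll): {path}")
    return hits


def check_registry(key: str, name: str, data: str) -> list[str]:
    """Flag the Run-key persistence entry and the infection-marker values."""
    shown = key.rstrip("\\")
    key_n = shown.lower()
    if key_n == RUN_KEY.lower() and name.lower() == RUN_VALUE \
            and DROPPED_FILE_RE.match(_basename(data)):
        return [f"persistence: {shown}\\{name} = {data}"]
    if key_n == MARKER_KEY.lower() and name.lower() in MARKER_VALUES:
        return [f"infection marker: {shown}\\{name} = {data}"]
    return []


def check_mail(sender: str, subject: str, attachments: list[str]) -> list[str]:
    """Flag a known lure (sender/subject pair) and the worm's attachment name."""
    hits = []
    m = ADDR_RE.search(sender)
    addr = (m.group(0) if m else sender).lower()
    if (addr, subject.strip()) in MAIL_LURES:
        hits.append(f"known lure: {sender} / {subject}")
    if any(a.lower() == ATTACHMENT_NAME for a in attachments):
        hits.append(f"worm attachment name: {ATTACHMENT_NAME}")
    return hits


def check_connection(dst_host: str) -> list[str]:
    """Flag outbound mail traffic to the relay the worm is documented to use."""
    if dst_host.lower().rstrip(".") == SMTP_RELAY:
        return [f"SMTP relay used by the worm: {dst_host}"]
    return []


def scan(records: list[dict]) -> list[str]:
    """Dispatch host, mail and network records to the checks above."""
    hits: list[str] = []
    for r in records:
        if r["type"] == "file":
            hits += check_file(r["path"], r.get("size"))
        elif r["type"] == "registry":
            hits += check_registry(r["key"], r["name"], r["data"])
        elif r["type"] == "mail":
            hits += check_mail(r["from"], r["subject"], r.get("attachments", []))
        elif r["type"] == "connection":
            hits += check_connection(r["dst_host"])
    return hits


# Constructed sample records (not captured from a real host)
SAMPLE_RECORDS = [
    {"type": "file", "path": r"C:\Windows\taskmgr327.exe"},
    {"type": "file", "path": r"C:\Windows\HookLib.dll", "size": 40448},
    {"type": "file", "path": r"C:\Windows\system32\taskmgr.exe"},  # benign Task Manager
    {"type": "registry", "key": RUN_KEY + "\\", "name": "ctfmon32",
     "data": r"C:\Windows\temp\taskmgr327.exe"},
    {"type": "registry", "key": MARKER_KEY + "\\", "name": "pcount", "data": "0x3"},
    {"type": "mail", "from": "AVP-Team (AVP.Mailer@avp.com)",
     "subject": "AVP-Virus-Warning", "attachments": ["setupc.exe"]},
    {"type": "connection", "dst_host": "smtp.ig.com.br"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit)
```

The file check deliberately requires the documented size for HookLib.dll, since the name alone is not specific; the registry check requires the Run value to point at a taskmgr32 file name, so a legitimate value that happens to be called ctfmon32 does not fire on its own. The relay match is host-only because the write-up gives no port.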