W32/Smibag.A!worm.im
Analysis
- The virus is 32-bit with a file size of 163,840 bytes,
and exists as the self-extracting archive file "SMB.EXE"
- If the file is received and run, a command prompt
window may open briefly, showing signs of file extraction,
and then close
- The virus will copy itself as c:\smb.exe
- The virus will extract files from the archive file
"SMB.EXE" -
c:\admagic.exe (90,112 bytes)
%Windows%\system32\raw32x.dll (121 bytes - encrypted data)
%Windows%\system32\sm.dll (57,344 bytes)
%Windows%\system32\uz.exe (50,688 bytes - Zlib unpacker application)
-
The virus then registers "sm.dll" as an in-process COM server via numerous registry additions, as in the following examples -
HKEY_CLASSES_ROOT\CLSID\{CD03FC97-2C85-4714-A5FF-37821781BE8C}\
"(Default)" = WinnerObject Class

HKEY_CLASSES_ROOT\CLSID\{CD03FC97-2C85-4714-A5FF-37821781BE8C}\InprocServer32\
"(Default)" = C:\WINNT\System32\sm.dll
"ThreadingModel" = Apartment

HKEY_CLASSES_ROOT\CLSID\{CD03FC97-2C85-4714-A5FF-37821781BE8C}\ProgID\
"(Default)" = Winner.WinnerObject.1

HKEY_CLASSES_ROOT\CLSID\{CD03FC97-2C85-4714-A5FF-37821781BE8C}\TypeLib\
"(Default)" = {422FB26A-0DB0-4d4c-A65F-91034971476B}

HKEY_CLASSES_ROOT\CLSID\{CD03FC97-2C85-4714-A5FF-37821781BE8C}\VersionIndependentProgID\
"(Default)" = Winner.WinnerObject

HKEY_CLASSES_ROOT\Interface\{119D8864-53C2-4681-8D29-4F1E2A911DA1}\
"(Default)" = IwinnerObject

HKEY_CLASSES_ROOT\Interface\{119D8864-53C2-4681-8D29-4F1E2A911DA1}\ProxyStubClsid\
"(Default)" = {00020424-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{119D8864-53C2-4681-8D29-4F1E2A911DA1}\ProxyStubClsid32\
"(Default)" = {00020424-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{119D8864-53C2-4681-8D29-4F1E2A911DA1}\TypeLib\
"(Default)" = {422FB26A-0DB0-4D4C-A65F-91034971476B}
"Version" = 1.0

HKEY_CLASSES_ROOT\TypeLib\{422FB26A-0DB0-4D4C-A65F-91034971476B}\1.0\
"(Default)" = Winner 1.0 Type Library

HKEY_CLASSES_ROOT\TypeLib\{422FB26A-0DB0-4D4C-A65F-91034971476B}\1.0\0\win32\
"(Default)" = C:\WINNT\System32\sm.dll

HKEY_CLASSES_ROOT\TypeLib\{422FB26A-0DB0-4D4C-A65F-91034971476B}\1.0\FLAGS\
"(Default)" = 0

HKEY_CLASSES_ROOT\TypeLib\{422FB26A-0DB0-4D4C-A65F-91034971476B}\1.0\HELPDIR\
"(Default)" = C:\WINNT\System32\

HKEY_CLASSES_ROOT\Winner.WinnerObject\
"(Default)" = Winner Class

HKEY_CLASSES_ROOT\Winner.WinnerObject\CLSID\
"(Default)" = {CD03FC97-2C85-4714-A5FF-37821781BE8C}

HKEY_CLASSES_ROOT\Winner.WinnerObject\CurVer\
"(Default)" = Winner.WinnerObject.1

HKEY_CLASSES_ROOT\Winner.WinnerObject.1\
"(Default)" = Winner Class

HKEY_CLASSES_ROOT\Winner.WinnerObject.1\CLSID\
"(Default)" = {CD03FC97-2C85-4714-A5FF-37821781BE8C}
-
The virus also modifies the registry to load the binary "c:\admagic.exe" at next Windows startup -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"svchost" = c:\admagic.exe
-
The virus then checks whether MSN Messenger is in use - if so, it checks the contact list for contacts that are signed on
-
The virus then attempts to connect to the available contacts using the MSN Messenger Service protocol on TCP port 1863 and sends a file transfer request
-
The recipient may receive a conversation request from the infected user, with a request to receive the file "smb.exe" (161 KB) - if the user accepts the request and later runs this file, it repeats the installation process and then sends itself to the contacts found in the recipient's MSN Messenger contact list
-
The virus component "admagic.exe" contains instructions to launch Internet Explorer to one of several sex-related websites - the virus attempts to visit them by launching Internet Explorer from the path
C:\Program Files\Internet Explorer\IEXPLORE.EXE
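As an added defender-side example (not part of this write-up), the following Python scans the text of a `reg export` dump for the registry indicators listed above: the three GUIDs, the Winner.WinnerObject ProgIDs, value data pointing at the dropped files, and a Run value named "svchost" (the real svchost.exe is started by the Service Control Manager, never from a Run value). The .reg parsing, the reason strings and the sample export are constructed for this example; they are not Fortinet tooling.

```python
import re

# Indicators taken from the analysis above; all comparisons are case-insensitive.
SMIBAG_GUIDS = ("{CD03FC97-2C85-4714-A5FF-37821781BE8C}",   # CLSID "WinnerObject Class"
                "{119D8864-53C2-4681-8D29-4F1E2A911DA1}",   # interface IwinnerObject
                "{422FB26A-0DB0-4D4C-A65F-91034971476B}")   # "Winner 1.0 Type Library"
SMIBAG_PROGID = "\\WINNER.WINNEROBJECT"                     # Winner.WinnerObject and .1
SMIBAG_FILES = ("SM.DLL", "ADMAGIC.EXE", "SMB.EXE", "RAW32X.DLL", "UZ.EXE")
RUN_KEY = "\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN"
KEY_RE = re.compile(r"^\[(.+)\]$")                          # [HKEY_...\subkey]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')      # @="..." or "name"="..."

def scan_reg_export(text):
    """Return (key, value_name, reason) tuples for Smibag indicators in a .reg export."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            up = key.upper()
            if any(g in up for g in SMIBAG_GUIDS):
                findings.append((key, None, "Smibag COM GUID in key path"))
            elif SMIBAG_PROGID in up:
                findings.append((key, None, "Smibag ProgID key"))
            continue
        m = VALUE_RE.match(line)
        if not m or not key:          # header text and hex(...) continuation lines
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1).strip('"')
        data = m.group(2).strip().strip('"').upper()
        if key.upper().endswith(RUN_KEY) and name.lower() == "svchost":
            # svchost.exe is started by the Service Control Manager, never via Run.
            findings.append((key, name, "Run value named 'svchost' launching " + data))
        elif data.endswith(SMIBAG_FILES):
            findings.append((key, name, "references dropped file " + data.rsplit("\\", 1)[-1]))
        elif any(g in data for g in SMIBAG_GUIDS):
            findings.append((key, name, "Smibag COM GUID in value data"))
    return findings

# Constructed sample export (not a real capture): Smibag entries beside a benign one.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{CD03FC97-2C85-4714-A5FF-37821781BE8C}\InprocServer32]
@="C:\\WINNT\\System32\\sm.dll"
[HKEY_CLASSES_ROOT\Winner.WinnerObject\CLSID]
@="{CD03FC97-2C85-4714-A5FF-37821781BE8C}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchost"="c:\\admagic.exe"
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
'''
```

Run `scan_reg_export(open("export.reg", encoding="utf-16").read())` on a real export (reg export writes UTF-16) to list the hits with their keys.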
Detection Availability
Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |