W32/Smibag.A!worm.im

description-logoAnalysis

  • Virus is 32bit with file size of 163,840 bytes, and exists as the self-extracting archive file "SMB.EXE"
  • If the file is received and run, a command prompt window may open with signs of file extraction for a brief moment and then close
  • The virus will copy itself as c:\smb.exe
  • The virus will extract files from the archive file "SMB.EXE" -

    c:\admagic.exe (90,112 bytes)
    undefinedWindowsundefined\system32\raw32x.dll (121 bytes - encrypted data)
    undefinedWindowsundefined\system32\sm.dll (57,344 bytes)
    undefinedWindowsundefined\system32\uz.exe (50,688 bytes - Zlib unpacker application)

  • The virus will then register "sm.dll" to run as a server via numerous registry additions as in the following examples -

    HKEY_CLASSES_ROOT\CLSID\{CD03FC97-2C85-4714-A5FF-37821781BE8C}\
    "(Default)" = WinnerObject Class

    HKEY_CLASSES_ROOT\CLSID\{CD03FC97-2C85-4714-A5FF-37821781BE8C}\InprocServer32\
    "(Default)" = C:\WINNT\System32\sm.dll
    "ThreadingModel" = Apartment

    HKEY_CLASSES_ROOT\CLSID\{CD03FC97-2C85-4714-A5FF-37821781BE8C}\ProgID\
    "(Default)" = Winner.WinnerObject.1

    HKEY_CLASSES_ROOT\CLSID\{CD03FC97-2C85-4714-A5FF-37821781BE8C}\TypeLib\
    "(Default)" = {422FB26A-0DB0-4d4c-A65F-91034971476B}

    HKEY_CLASSES_ROOT\CLSID\{CD03FC97-2C85-4714-A5FF-37821781BE8C}\VersionIndependentProgID\
    "(Default)" = Winner.WinnerObject

    HKEY_CLASSES_ROOT\Interface\{119D8864-53C2-4681-8D29-4F1E2A911DA1}\
    "(Default)" = IwinnerObject

    HKEY_CLASSES_ROOT\Interface\{119D8864-53C2-4681-8D29-4F1E2A911DA1}\ProxyStubClsid\
    "(Default)" = {00020424-0000-0000-C000-000000000046}

    HKEY_CLASSES_ROOT\Interface\{119D8864-53C2-4681-8D29-4F1E2A911DA1}\ProxyStubClsid32\
    "(Default)" = {00020424-0000-0000-C000-000000000046}

    HKEY_CLASSES_ROOT\Interface\{119D8864-53C2-4681-8D29-4F1E2A911DA1}\TypeLib\
    "(Default)" = {422FB26A-0DB0-4D4C-A65F-91034971476B}
    "Version" = 1.0

    HKEY_CLASSES_ROOT\TypeLib\{422FB26A-0DB0-4D4C-A65F-91034971476B}\1.0\
    "(Default)" = Winner 1.0 Type Library

    HKEY_CLASSES_ROOT\TypeLib\{422FB26A-0DB0-4D4C-A65F-91034971476B}\1.0\0\win32\
    "(Default)" = C:\WINNT\System32\sm.dll

    HKEY_CLASSES_ROOT\TypeLib\{422FB26A-0DB0-4D4C-A65F-91034971476B}\1.0\FLAGS\
    "(Default)" = 0

    HKEY_CLASSES_ROOT\TypeLib\{422FB26A-0DB0-4D4C-A65F-91034971476B}\1.0\HELPDIR\
    "(Default)" = C:\WINNT\System32\

    HKEY_CLASSES_ROOT\Winner.WinnerObject\
    "(Default)" = Winner Class

    HKEY_CLASSES_ROOT\Winner.WinnerObject\CLSID\
    "(Default)" = {CD03FC97-2C85-4714-A5FF-37821781BE8C}

    HKEY_CLASSES_ROOT\Winner.WinnerObject\CurVer\
    "(Default)" = Winner.WinnerObject.1

    HKEY_CLASSES_ROOT\Winner.WinnerObject.1\
    "(Default)" = Winner Class

    HKEY_CLASSES_ROOT\Winner.WinnerObject.1\CLSID\
    "(Default)" = {CD03FC97-2C85-4714-A5FF-37821781BE8C}

  • The virus also modifies the registry to load the binary "c:\admagic.exe" at next Windows startup -

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "svchost" = c:\admagic.exe

  • The virus will then check if MSN Messenger is in use - if so, it will then check for contacts in the contact list which are signed on

  • The virus will then attempt to connect to the available contacts using MSN Messenger Service protocol on TCP port 1863 and send a file send request

  • The recipient may receive a conversation request from the infected user with a request to receive the file "smb.exe" (161Kb) - if the user accepts the request, and then later runs this file, it will repeat its process of installation and then sending itself to others found in MSN Messenger contact list

  • The virus component "admagic.exe" contains instructions to launch Internet Explorer to one of several sex related websites - the virus will attempt to visit them by launching Internet Explorer from the path

    C:\Program Files\Internet Explorer\IEXPLORE.EXE

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR