W32/Sobig.D@mm
Analysis
- Virus is 32-bit, with a UPX-compressed size of 57,861 bytes. Note actual virus replications may range between 57,861 and 63,000 bytes – the virus may append random data to the end of infectious files
- Virus may copy itself to the Windows folder, then modify the registry to run at Windows startup, as in this example –
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
SFtrb Service = C:\Windows\cftrb32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
SFtrb Service = C:\Windows\cftrb32.exe
- Other files may be created, but with zero bytes, on the local hard drive in the Windows folder –
dftrn.dat
rssp32.dat
- Virus will scavenge the local drive for email addresses and send a copy of itself to addresses found, in varying email formats, based on a randomly selected subject line and body text – the virus uses its own SMTP engine in order to send emails
- The attachment will be between 57,861 and 63,000 bytes and with a .PIF extension
- The virus uses instructions to enumerate network resources via the Multiple Provider Router dynamic link library file (MPR.DLL) in an attempt to connect to systems on a network and copy itself to the StartUp folder if a writable share is located
Recommended Action
- Ensure that you are using the minimum FortiGate Definition version (listed at the top of this description).
- If you run into a new undetected variant of this threat, please send a sample to Fortinet.
- As an added measure of security, you may choose to block files with the extensions ".PIF" and ".PI*".
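The following is an added triage helper, not Fortinet's own tooling, that checks the indicators listed in the Analysis section against data collected from a host (Run-key values, Windows-folder listing, a mail attachment) and applies the extension-blocking policy above. Function names, the `(key, value, data)` tuple layout and the sample inputs are assumptions constructed for the example.

```python
from fnmatch import fnmatch
from pathlib import PureWindowsPath

# Indicators taken from the analysis above.
RUN_VALUE_NAME = "SFtrb Service"
RUN_IMAGE = "cftrb32.exe"
ZERO_BYTE_FILES = {"dftrn.dat", "rssp32.dat"}
MIN_SIZE, MAX_SIZE = 57861, 63000          # replicant / attachment size range
BLOCK_PATTERNS = (".pif", ".pi*")          # recommended extension block list

def check_run_values(run_values):
    """run_values: iterable of (registry key, value name, data) tuples.
    Returns the tuples whose value name or image file name matches Sobig.D."""
    hits = []
    for key, name, data in run_values:
        image = PureWindowsPath(data).name.lower()
        if name == RUN_VALUE_NAME or image == RUN_IMAGE:
            hits.append((key, name, data))
    return hits

def check_windows_dir(listing):
    """listing: dict of file name -> size in bytes from the Windows folder.
    Returns the known dropped names that are present and zero bytes long."""
    return sorted(f for f, size in listing.items()
                  if f.lower() in ZERO_BYTE_FILES and size == 0)

def matches_attachment_profile(filename, size):
    """True when a mail attachment is a .PIF within the documented size range."""
    ext = PureWindowsPath(filename).suffix.lower()
    return ext == ".pif" and MIN_SIZE <= size <= MAX_SIZE

def blocked_by_policy(filename, patterns=BLOCK_PATTERNS):
    """True when the attachment extension matches one of the block patterns."""
    ext = PureWindowsPath(filename).suffix.lower()
    return any(fnmatch(ext, p) for p in patterns)

# Constructed sample data standing in for a real host collection.
SAMPLE_RUN = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "SFtrb Service",
     r"C:\Windows\cftrb32.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\Windows\System32\ctfmon.exe"),
]
SAMPLE_WINDIR = {"dftrn.dat": 0, "rssp32.dat": 0, "win.ini": 512, "notepad.exe": 69120}

if __name__ == "__main__":
    print(check_run_values(SAMPLE_RUN))
    print(check_windows_dir(SAMPLE_WINDIR))
    print(matches_attachment_profile("details.pif", 59000), blocked_by_policy("movie.PIF"))
```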
Telemetry
Detection Availability
Product | Signature database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |