W32/Sins.A!worm

Analysis

  • The virus is a 32-bit Windows executable, 28,672 bytes in size, distributed in a file named "sins.exe"
  • The virus is typically received from an already infected computer as the file "sins.exe"
  • When run, the virus may display a fake error message like this one -

    Error
    Access Violation Error!!
    (Address:0x000f0852-0x000F08FF)
    [OK]

  • The virus then attempts to connect over HTTP to the IP address 66.36.237.9 (which, at the time of analysis, resolved to the hostname script.mine.nu) and download three files:

    vbdlls.exe
    sin.dll
    msn.exe

  • The virus then runs vbdlls.exe, which is actually a Visual Basic runtime library installer rather than a malicious component in its own right; it is fetched so that the VB6 payload below can execute

  • The virus launches msn.exe, which is written in Visual Basic 6 and requires vb6ko.dll (the Korean-language VB6 runtime)

  • The malicious msn.exe attempts to send sins.exe to the contacts listed in the victim's MSN Messenger contact list, which is how the worm spreads
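The indicators above (the download server, the three payload file names, and the dropper's name and size) are enough to hunt for infected hosts in an HTTP proxy log and to triage suspect files. The following script is an added example and is not part of the original analysis; the Squid-style log layout and the sample log lines are constructed for illustration, and the check for the fake error text inside the binary assumes that string is stored in clear in the executable, which the analysis does not state.

```python
"""Hunt for W32/Sins.A!worm indicators in proxy logs and on disk (added example)."""
import re
from urllib.parse import urlsplit

# Indicators taken from the analysis above.
C2_IP = "66.36.237.9"
C2_HOST = "script.mine.nu"
PAYLOAD_NAMES = frozenset({"vbdlls.exe", "sin.dll", "msn.exe"})
DROPPER_NAME = "sins.exe"
DROPPER_SIZE = 28_672

# Squid-style access.log layout (constructed for this example):
# <epoch> <duration-ms> <client> <result/status> <bytes> <method> <url> ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def url_indicators(url):
    """Return the set of indicator labels matched by one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hits = set()
    if host == C2_IP:
        hits.add("c2-ip")
    if host == C2_HOST:
        hits.add("c2-host")
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if filename in PAYLOAD_NAMES:
        hits.add(f"payload:{filename}")
    return hits


def hunt_proxy_log(lines):
    """Yield (client, url, sorted hits) for every log line touching a known indicator."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or foreign-format lines rather than fail the hunt
        hits = url_indicators(m["url"])
        if hits:
            yield m["client"], m["url"], sorted(hits)


def infected_clients(lines):
    """Clients that fetched all three payloads from the C2: the worm's full download sequence.

    A single hit (e.g. one msn.exe fetch) is reported by hunt_proxy_log but is
    not enough on its own to call the host infected; the complete sequence is.
    """
    seen = {}
    for client, _url, hits in hunt_proxy_log(lines):
        from_c2 = bool({"c2-ip", "c2-host"} & set(hits))
        names = {h.split(":", 1)[1] for h in hits if h.startswith("payload:")}
        if from_c2 and names:
            seen.setdefault(client, set()).update(names)
    return sorted(c for c, names in seen.items() if names == PAYLOAD_NAMES)


def triage_file(name, size, data=b""):
    """List the static indicators a file matches: dropper name, exact size, fake error text.

    The string check assumes the dialog text is stored unencoded in the binary
    (an assumption; the analysis only says the text is displayed).
    """
    reasons = []
    if name.lower() == DROPPER_NAME:
        reasons.append("name matches sins.exe")
    if size == DROPPER_SIZE:
        reasons.append("size is 28,672 bytes")
    if b"Access Violation Error!!" in data:
        reasons.append("fake error message string present")
    return reasons


# Constructed sample log: one clean client, one fully infected client, one partial.
SAMPLE_LOG = """\
1049820001.123    87 10.0.0.5 TCP_MISS/200 1224 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1049820002.456   412 10.0.0.7 TCP_MISS/200 1436160 GET http://66.36.237.9/vbdlls.exe - DIRECT/66.36.237.9 application/octet-stream
1049820003.789   120 10.0.0.7 TCP_MISS/200 24576 GET http://66.36.237.9/sin.dll - DIRECT/66.36.237.9 application/octet-stream
1049820004.012   140 10.0.0.7 TCP_MISS/200 40960 GET http://script.mine.nu/msn.exe - DIRECT/66.36.237.9 application/octet-stream
1049820005.345    95 10.0.0.9 TCP_MISS/200 40960 GET http://script.mine.nu/msn.exe - DIRECT/66.36.237.9 application/octet-stream
"""

if __name__ == "__main__":
    for client, url, hits in hunt_proxy_log(SAMPLE_LOG.splitlines()):
        print(client, url, hits)
    print("hosts with the full download sequence:", infected_clients(SAMPLE_LOG.splitlines()))
```

Matching both the IP and the hostname matters because mine.nu is a dynamic DNS domain: the hostname can be repointed at a new address, so a log that only records the resolved IP will miss later activity while one that records the URL will not.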

Recommended Action

  • Using the Administrator Console for the FortiGate unit, adjust the current protection profile for all affected users and enable "Web URL Block"
  • Add the IP address 66.36.237.9 to the Web Filter/URL Block section of the Administrator Console; since the worm's download server was reached through the dynamic DNS hostname script.mine.nu, block that hostname as well so that a change of IP address does not bypass the filter
