W32/Sober.A@mm

Analysis

  • The virus is a 32-bit executable, compressed, with a variable file size in excess of 63,488 bytes; it may contain random encrypted data beyond offset 0xF7FF (63,488 bytes)
  • The virus was written in Visual Basic 6
  • The virus may carry appended random data, so its static file size and code vary from copy to copy (polymorphic with regard to size and content)
  • The virus arrives on the system as an email attachment
  • If the virus is run, it displays a fake error message with this text -

    Error
    (!) File not complete!
    [OK]

  • The virus writes a copy of itself into the Windows\System32 folder under one of several possible file names, and then modifies the registry so that the copy loads at Windows startup, as in this example -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run\
    system = C:\WINNT\System32\systemchk.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    system = C:\WINNT\System32\systemchk.exe

  • The virus then scans the hard drive for email addresses, looking inside files with the following extensions -

    .htt , .rtf, .doc, .xls, .ini, .mdb, .txt, .htm, .html, .wab, .pst, .fdb, .cfg, .ldb, .eml, .abc, .ldif, .nab, .adp, .mdw, .mda, .mde, .ade, .sln, .dsw, .dsp, .vap, .php, .asp, .shtml, .shtm, .dbx, .hlp, .mht, .nfo

  • The virus creates the path Windows\System32\Macromed\Help and writes a file "media.dll" to that folder - media.dll holds all of the email addresses found on the system

  • The virus then uses its own SMTP routine to send randomly formatted email messages to the recipients listed in media.dll - subject lines and body text vary, and the attachment file name is also chosen at random from a list

Recommended Action

  • Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Alternatively, FortiGate units can block this virus by blocking file attachments with .ZIP, .COM, .EXE, .BAT, .PIF or .SCR extensions; using the FortiGate manager, enable blocking of these extensions for the SMTP, IMAP and POP3 services
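The two defensive checks described on this page, as an added example that is not Fortinet's or FortiGate's code: a mail-gateway filter that blocks the attachment extensions named in the Recommended Action, and a host check for the media.dll address store described in the Analysis. The sample message and file paths are constructed for illustration.

```python
# Added example (not FortiGate code): gateway attachment filter mirroring the
# Recommended Action, plus a check for the media.dll harvest file from the analysis.
import os
from email import message_from_string

# Extensions the Recommended Action says to block on SMTP/IMAP/POP3.
BLOCKED_EXTENSIONS = {".zip", ".com", ".exe", ".bat", ".pif", ".scr"}

def blocked_attachments(raw_message: str) -> list:
    """Return file names of attachments whose extension is on the block list."""
    hits = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue  # body text or container part, not an attachment
        # Last extension only, compared case-insensitively ("report.ZIP" -> ".zip").
        if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits

def has_sober_harvest_file(paths) -> bool:
    """True if any path is the media.dll address store under System32\\Macromed\\Help."""
    suffix = "\\system32\\macromed\\help\\media.dll"
    return any(p.lower().endswith(suffix) for p in paths)

# Constructed sample message: one text part and one .ZIP attachment.
SAMPLE_EML = """From: sender@example.test
To: victim@example.test
Subject: sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/octet-stream; name="report.ZIP"
Content-Disposition: attachment; filename="report.ZIP"

AAAA
--b1--
"""

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE_EML))  # ['report.ZIP']
    print(has_sober_harvest_file([r"C:\WINNT\System32\Macromed\Help\media.dll"]))  # True
```

The extension match is case-insensitive because attachment names such as "report.ZIP" would otherwise slip past a lowercase-only list.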

Telemetry

Detection Availability

FortiGate: Extreme
FortiClient: Extended
FortiMail: Extended
FortiSandbox: Extended
FortiWeb: Extended
Web Application Firewall: Extended
FortiIsolator: Extended
FortiDeceptor: Extended
FortiEDR

Version Updates

Date Version Detail
2023-09-26 91.07317
2023-08-14 91.06017
2022-08-16 90.05126
2022-06-19 90.03415
2022-05-03 90.01962
2022-04-26 90.01752
2022-04-19 90.01542
2022-02-25 89.09940
2022-02-18 89.09751
2022-02-12 89.09566