W32/Sober.C@mm

Analysis

  • Virus is 32bit and has a compressed file size of 73,728 bytes
  • Virus was coded using Visual Basic 6
  • The virus is introduced to the system as an email attachment
  • The virus will write a copy of itself into the %Windows%\System32 folder under one of several possible file names, and then modify the registry to load at Windows startup as in this example -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run\
    (value) = C:\WINNT\System32\syshostx.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    (value) = C:\WINNT\System32\syshostx.exe

  • The virus will then scan the hard drive for email addresses, looking inside files with the following extensions -

    .abc
    .ade
    .adp
    .asp
    .cfg
    .dbx
    .doc
    .dsp
    .dsw
    .eml
    .fdb
    .hlp
    .htm
    .html
    .htt
    .ini
    .ldb
    .ldif
    .mda
    .mdb
    .mde
    .mdw
    .mht
    .nab
    .nfo
    .nsf
    .php
    .pst
    .rtf
    .shtm
    .shtml
    .sln
    .txt
    .vap
    .wab
    .xls

  • The virus will write a file "savesyss.dll" to %Windows%\System32 - savesyss.dll will contain all of the email addresses found on the system

  • The virus will then use its own SMTP routine to send randomly formatted email messages to the recipients listed in savesyss.dll - the subject lines and body text will be varied, and the attachment file name will also be chosen at random from a list

  • The email subject and body text may be either English or German

  • Some of the following file names are used in an attempt to trick the recipient into thinking the file attachment is a web site link - the names end in ".com", which Windows treats as an executable file extension -

    www.anime4allfree.com
    www.animepage43252.com
    www.boards4all-terror432.com
    www.free4manga.com
    www.free4share4you.com
    www.freegames4you-gzone.com
    www.freewantiv.com
    www.iq4you-german-test.com
    www.onlinegamerspro-worm.com
    www.tagespolitik-umfragen.com

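The persistence and harvesting indicators above (a Run value launching syshostx.exe from System32 and the savesyss.dll address cache) can be triaged from the output of `reg query` plus a directory listing. The script below is an added example, not Fortinet's code; the `reg query` output and the System32 listing it processes are constructed samples, and the value name `WinSys` and the benign entries are assumptions, since the advisory does not give the Run value name.

```python
"""Host triage for the W32/Sober.C@mm indicators described in the advisory.

Added example (not the vendor's code). Parses `reg query <key>` output, which
lists each value as  <name>  <REG_TYPE>  <data>  under an unindented key path,
and reports Run values whose target is the advisory's dropper name, plus the
presence of the harvested-address file in System32.
"""
import ntpath
import re

DROPPER_NAME = "syshostx.exe"      # Run-key target named in the advisory
ADDRESS_CACHE = "savesyss.dll"     # harvested-address file named in the advisory

# One value line of `reg query` output: name, REG_ type and data separated by runs of spaces.
_VALUE_RE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text):
    """Parse `reg query` output into {key_path: {value_name: data}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):   # key header lines are unindented
            current = line.strip()
            entries.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m.group("name")] = m.group("data")
    return entries


def target_path(data):
    """Return the executable path from a Run value, stripping quotes and arguments.

    Heuristic: a quoted path ends at the closing quote; an unquoted path ends at
    the first space (unquoted paths that contain spaces are not handled).
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def triage(reg_output, system32_listing):
    """Return human-readable findings for the two indicators from the advisory."""
    findings = []
    for key, values in parse_reg_query(reg_output).items():
        for name, data in values.items():
            exe = ntpath.basename(target_path(data)).lower()
            if exe == DROPPER_NAME:
                findings.append(f"Run value '{name}' under {key} launches {data}")
    if ADDRESS_CACHE in {f.lower() for f in system32_listing}:
        findings.append(f"{ADDRESS_CACHE} present in System32 (harvested address list)")
    return findings


# Constructed sample output of `reg query` for both Run keys; 'WinSys' and the
# benign entries are assumed names, not values from the advisory.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleAgent    REG_EXPAND_SZ    %windir%\system32\ExampleAgent.exe
    WinSys    REG_SZ    C:\WINNT\System32\syshostx.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleSync    REG_SZ    "C:\Users\alice\AppData\Local\ExampleSync\ExampleSync.exe" /background
"""

# Constructed directory listing of System32 on the same host.
SAMPLE_SYSTEM32 = ["kernel32.dll", "ExampleAgent.exe", "SaveSyss.dll", "syshostx.exe"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_QUERY, SAMPLE_SYSTEM32):
        print(finding)
```

On a live host the first argument would be the captured text of `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"` (and the HKCU equivalent) and the second `os.listdir` of the System32 folder; the name comparison is case-insensitive because Windows file and value names are.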

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Alternatively, this virus can be blocked by FortiGate units by enabling blocking of file attachments with .ZIP, .COM, .EXE, .BAT, .PIF or .SCR extensions; using the FortiGate manager, enable blocking of these extensions for the SMTP, IMAP or POP3 services
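The attachment-extension block described in the second recommendation is easy to get wrong at the edges: extension matching must be case-insensitive, must look at the last extension of a double-extension name such as `Report.TXT.EXE`, and must catch the advisory's `www.....com` attachment names, which end in the executable extension .COM rather than being links. The following is an added example of such a filter written against the Python standard library `email` package, not FortiGate's implementation; the message it inspects is constructed inline.

```python
"""Mail attachment filter for the extensions listed in the recommended action.

Added example, not vendor code. Parses a MIME message with the standard-library
`email` package and returns the attachment file names that policy would block.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions from the recommended action; stored lower-cased for comparison.
BLOCKED_EXTENSIONS = {".zip", ".com", ".exe", ".bat", ".pif", ".scr"}


def attachment_extension(filename):
    """Return the lower-cased final extension of an attachment name.

    Any directory part is dropped, and trailing dots or spaces are removed first,
    because Windows strips them before deciding the file type ("evil.exe." runs
    as evil.exe).
    """
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    base = base.strip().rstrip(". ")
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[1].lower()


def should_block(filename):
    """Policy decision for one attachment name."""
    return attachment_extension(filename) in BLOCKED_EXTENSIONS


def blocked_attachments(raw_message):
    """Return the file names of all attachments in a raw RFC 5322 message that policy blocks."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [
        part.get_filename()
        for part in msg.iter_attachments()
        if part.get_filename() and should_block(part.get_filename())
    ]


def build_sample_message():
    """Construct a sample message: one attachment named like the advisory's
    www.*.com lures, one double-extension executable, one harmless text file.
    Addresses and payload bytes are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Your requested file"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="www.free4manga.com")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="Report.TXT.EXE")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name in blocked_attachments(build_sample_message()):
        print("blocked:", name)
```

Extension filtering is a name check only; it does not inspect the attachment's content, so it complements rather than replaces the signature update in the first recommendation.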

Telemetry

Detection Availability

Product                     Availability
FortiGate                   Extreme
FortiClient                 Extended
FortiMail                   Extended
FortiSandbox                Extended
FortiWeb                    Extended
Web Application Firewall    Extended
FortiIsolator               Extended
FortiDeceptor               Extended
FortiEDR

Version Updates

Date          Version     Detail
2024-01-01    92.00251
2023-11-16    91.08855
2022-07-19    90.04286
2022-01-11    89.08602
2019-09-05    71.39200    Sig Updated
2019-07-29    70.33600    Sig Added