• The virus is a 32-bit executable, compressed; its file size varies but always exceeds 54,784 bytes (0xD600), and the data beyond offset 0xD5FF (i.e. past the first 54,784 bytes) may be random encrypted padding
  • The virus was written in Visual Basic 6
  • The appended random data means that the static file size and the bytes beyond the first 54,784 differ from copy to copy, so the virus is polymorphic with respect to simple whole-file signatures
  • The virus is introduced to the system as an email attachment
  • If the virus is run, it displays a fake error message with this text -

    (X) Header is missing

  • The virus writes a copy of itself to the %Windows%\System32 folder under one of several possible file names, then modifies the registry so that the copy is loaded at Windows startup, as in this example -

    phdisk = C:\WINNT\System32\strbpdncon.exe

  • The virus then scavenges the hard drive for email addresses, looking inside files with the following extensions -

    .htt , .rtf, .doc, .xls, .ini, .mdb, .txt, .htm, .html, .wab, .pst, .fdb, .cfg, .ldb, .eml, .abc, .ldif, .nab, .adp, .mdw, .mda, .mde, .ade, .sln, .dsw, .dsp, .vap, .php, .asp, .shtml, .shtm, .dbx, .hlp, .mht, .nfo

  • The virus creates the folder %Windows%\System32\Help and writes a file "mscolmon.ocx" there; mscolmon.ocx contains all of the email addresses found on the system

  • The virus then uses its own SMTP code to send randomly formatted email messages to the recipients listed in mscolmon.ocx; the subject lines and body text vary, and the attachment file name is also chosen at random from a list

  • The virus infects files in the Kazaa shared folder by overwriting the first 54,784 bytes of each file with a copy of its own code (the overwritten part of the original file is not preserved)

  • Infected files contain the string "54784" in the initial file header
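The following is an added host-side check for the indicators listed above; it is example code written for this page, not code from the advisory or from Fortinet. It assumes (the page does not say this precisely) that an overwritten file can be recognised by the string "54784" appearing somewhere within its first 54,784 bytes and the file being at least that long, that the Run-key value has already been read into a name-to-data mapping (e.g. with winreg on the affected host, so the logic itself runs on any OS), and that the Windows directory is supplied by the caller. The sample share, file contents and registry values are constructed for the demonstration.

```python
import os
import re
import tempfile

OVERWRITE_LEN = 54784             # bytes the worm overwrites at the start of a host file
HEADER_MARKER = b"54784"          # string the advisory says infected files carry in the header
RUN_VALUE_NAME = "phdisk"         # Run-key value name from the advisory's example
DROPPED_EXE_RE = re.compile(r"\\system32\\[^\\]+\.exe$", re.IGNORECASE)
ADDRESS_DB = os.path.join("System32", "Help", "mscolmon.ocx")   # harvested-address file
HARVEST_EXTS = {                  # extensions the worm reads when harvesting addresses
    ".htt", ".rtf", ".doc", ".xls", ".ini", ".mdb", ".txt", ".htm", ".html",
    ".wab", ".pst", ".fdb", ".cfg", ".ldb", ".eml", ".abc", ".ldif", ".nab",
    ".adp", ".mdw", ".mda", ".mde", ".ade", ".sln", ".dsw", ".dsp", ".vap",
    ".php", ".asp", ".shtml", ".shtm", ".dbx", ".hlp", ".mht", ".nfo",
}


def header_infected(head: bytes) -> bool:
    """True if 'head' (the first bytes of a file) looks overwritten by the worm.
    Assumption: the marker lies inside the overwritten region and the file is
    at least as long as that region."""
    return len(head) >= OVERWRITE_LEN and HEADER_MARKER in head[:OVERWRITE_LEN]


def scan_share(folder: str) -> list:
    """Walk a (Kazaa) shared folder and return the paths whose header matches."""
    hits = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(OVERWRITE_LEN)   # only the overwritten region is needed
            except OSError:
                continue                            # unreadable file: skip, do not abort
            if header_infected(head):
                hits.append(path)
    return sorted(hits)


def suspicious_run_values(values: dict) -> list:
    """Given Run-key value name -> data (read beforehand, e.g. with winreg),
    return the names matching the advisory's persistence entry."""
    return sorted(
        name for name, data in values.items()
        if name.lower() == RUN_VALUE_NAME and DROPPED_EXE_RE.search(data)
    )


def address_db_present(windows_dir: str) -> bool:
    """True if the harvested-address file exists under the Windows directory."""
    return os.path.isfile(os.path.join(windows_dir, ADDRESS_DB))


def harvest_targets(folder: str) -> list:
    """Files under 'folder' whose extension the worm reads for addresses,
    i.e. an estimate of which files may have leaked contacts."""
    out = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            if os.path.splitext(name)[1].lower() in HARVEST_EXTS:
                out.append(os.path.join(root, name))
    return sorted(out)


# Constructed demo data (not real samples): a fake share with one overwritten
# file, one small clean file and one large clean file, plus fake Run-key values.
DEMO_RUN_VALUES = {
    "phdisk": r"C:\WINNT\System32\strbpdncon.exe",   # advisory's example entry
    "ctfmon": r"C:\WINNT\System32\ctfmon.exe",       # same folder, other name: not flagged
}


def build_demo_share() -> str:
    root = tempfile.mkdtemp(prefix="share_demo_")
    with open(os.path.join(root, "setup.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 100 + HEADER_MARKER + b"\x00" * OVERWRITE_LEN)
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"plain text, far shorter than the overwritten region\n")
    with open(os.path.join(root, "movie.avi"), "wb") as fh:
        fh.write(b"A" * (OVERWRITE_LEN + 16))       # large, but no marker
    return root


if __name__ == "__main__":
    share = build_demo_share()
    print("infected in share:", scan_share(share))
    print("suspicious Run values:", suspicious_run_values(DEMO_RUN_VALUES))
    print("address db present:", address_db_present(share))
    print("files the worm would read:", harvest_targets(share))
```

On a real host, point scan_share at the Kazaa shared folder, address_db_present at the Windows directory, and fill the mapping for suspicious_run_values from the Run keys under HKLM and HKCU. A header hit means the original file content is gone, so the file should be deleted and restored from a clean source rather than "cleaned"; the harvest_targets list is only an upper bound on where addresses may have come from.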

Recommended Action

  • Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option
  • Alternatively, this virus can be blocked by FortiGate units by enabling blocking of file attachments with .ZIP, .COM, .EXE, .BAT, .PIF or .SCR extensions; using the FortiGate manager, enable blocking of these extensions for the SMTP, IMAP and POP3 services (note that the virus chooses the attachment name at random from a list, so the block must cover every extension rather than a single file name)