Virus

W32/Sober.J@mm

Analysis

This virus is 32-bit, with a UPX packed file size of 43,247 bytes. It was coded using Visual Basic 5, and parts of the code are further encrypted in an effort to avoid detection by string parsing methods.

If the virus is executed, it may display a fake error dialogue box like this -

The virus copies itself as two files to the System32 folder and registers itself to load at Windows startup. The file names vary: each is built by randomly concatenating strings taken from a file name table. For example, the file name table contains these strings -

sys, host, dir, expoler, win, run, log, 32, disc, crypt, data, diag, spool, service, smss32

Using the table, the virus could construct file names like these -

syshost.exe
windisc.exe
dircrypt.exe

and so on. The registry will have entries to load the newly created executables.
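
The following triage helper is an added example, not part of the original analysis: it enumerates the file names the worm could build from the table above and looks for them in a directory listing, which an incident responder can run against a copy of a suspect host's System32 listing. It assumes two-token concatenation (all of the page's examples are two tokens) and an .exe extension; both are assumptions, and a hit is a lead to check against the Run registry entries, not proof of infection.

```python
"""Added triage helper (not from the original analysis): enumerate the file
names W32/Sober.J@mm could build from its name table and find them in a
directory listing. Two-token concatenation and the .exe extension are assumed."""
import itertools
import os
from typing import Iterable, List, Set

# Name table quoted in the analysis above.
NAME_TABLE = [
    "sys", "host", "dir", "expoler", "win", "run", "log", "32", "disc",
    "crypt", "data", "diag", "spool", "service", "smss32",
]


def candidate_names(table: Iterable[str] = NAME_TABLE) -> Set[str]:
    """Every two-token concatenation of table entries as a lowercase .exe name.

    Ordered pairs with repetition are included (assumption), so the 15 tokens
    give 15 * 15 = 225 candidates; no token is a prefix of another, so all
    225 strings are distinct.
    """
    return {a + b + ".exe" for a, b in itertools.product(table, repeat=2)}


def find_suspect_files(listing: Iterable[str]) -> List[str]:
    """Return the entries of a directory listing that match a candidate name.

    Matching is case-insensitive because Windows file names are.
    """
    wanted = candidate_names()
    return sorted(name for name in listing if name.lower() in wanted)


def scan_directory(path: str) -> List[str]:
    """Apply find_suspect_files to a real directory, e.g. C:\\Windows\\System32."""
    return find_suspect_files(os.listdir(path))


if __name__ == "__main__":
    # Constructed sample listing: two benign names and two table-built names.
    sample = ["kernel32.dll", "notepad.exe", "WinDisc.exe", "syshost.exe"]
    print(find_suspect_files(sample))  # ['WinDisc.exe', 'syshost.exe']
```

Any match should be confirmed by hashing the file and checking whether the startup registry entries the analysis mentions point at it.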

Mass mailing routine

The virus will harvest emails from the infected system by scanning certain file types and compiling email capture log files. The log files are stored in the System32 folder as "datamx.dam" and "dgsfzipp.gmx".

The virus is selective with the emails that it will use when sending itself to others - it avoids using email addresses which have these strings in the address -

.dial.
.kundenserver.
.ppp.
.qmail@
.sul.t-
@arin
@avp
@ca.
@example.
@foo.
@from.
@gmetref
@iana
@ikarus.
@kaspers
@messagelab
@msn
@nai.
@panda
@smtp.
@sophos
@spiegel.
@www
abuse
announce
antivir
anyone
anywhere
bellcore.
bitdefender
-dav
detection
domain.
emsisoft
ewido.
freeav
free-av
ftp.
gold-certs
google
host.
icrosoft.
ipt.aol
law2
linux
mailer-daemon
me@
mozilla
msdn.
mustermann@
nlpmail01.
noreply
nothing
ntp-
ntp@
office
password
postmas
reciver@
redaktion
secure
service
smtp-
somebody
someone
spybot
sql.
subscribe
support
t-dialin
time
t-ipconnect
user@
variabel
verizon.
viren
virus
whatever@
whoever@
winrar
winzip
you@
yourname

The virus uses a crude heuristic to decide whether the recipient is likely to read German. If the email address ends with any of these suffixes -

.de, .ch, .at, .li

the virus will send emails with a body text in German, otherwise the body text is in English.

The file attached to the email message could either be a .ZIP file or a directly executable file with extensions such as .COM, .EXE, .PIF, .SCR or .BAT. The virus stores UUEncoded copies of itself in both ZIP and executable formats on the local system.

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Alternatively, this virus can be blocked by FortiGate units by enabling blocking of file attachments with .ZIP, .COM, .EXE, .BAT, .PIF or .SCR extensions; using the FortiGate manager, enable blocking of these extensions for the SMTP, IMAP and POP3 services