W32/Sowsat.C@mm

Analysis

  • Virus is a 32-bit compressed executable of varying size in excess of 300Kb, in a file named TASKMGR32.EXE
  • Virus may co-exist with a file "HookLib.dll" with a file size of 40,448 bytes - this file is identified as W32/Sowsat.C-dll
  • If the virus is run, it will launch a minimized Internet Explorer browser window on the task bar - if the window is maximized, the browser may display a local HTML form file with Portuguese text
  • Virus may write itself to the local system as two files -

    %Windows%\taskmgr32.exe
    %Windows%\taskmgr32#.exe

    Where # is a number between 0 and 9 such as taskmgr327.exe

  • Virus will modify the registry to load at next Windows Startup as in these examples -

    HKEY_CURRENT_USER\Software\Microsoft\Windows\
    "ctfmon32" = Java Compiler
    "jto" = 250803213939
    "pcount" = (number of times virus has executed in hex)

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    "ctfmon32" = %Windows%\temp\taskmgr32#.exe

    HKEY_CURRENT_USER\Software\WinRAR SFX\
    "c%%windows%temp%" = %Windows%\temp\

  • Virus contains its own SMTP code and uses it to send emails to contacts found when scanning files of type "*.htm*" on the infected system. The virus may create an email with a spoofed sender address and varied subject and body text, attaching itself as "setupc.exe" when sending itself to others. Below are the email formats the virus is expected to be sent as -

    From: AVP-Team (AVP.Mailer@avp.com)
    Subject: AVP-Virus-Warning
    Body:
    New virus in "The Wild" called "W32/Cow".Spreads through e-mail and IRC.A solution is this free program.Send this message to your friends. Thank you, AVP Team
    Attachment: (filename when executed)

    From: Programe-se.br (notice@programese.kit.net)
    Subject: Bom dia !!!
    Body:
    Feliz Aniversário !!!
    Attachment: (filename when executed)

    From: Piadeiros da Net (piadeiros@risadinha.com)
    Subject: Piada do Paciente Galo
    Body:
    Um paciente chegou com o psiquiatra e disse: - Doutor, eu sou um galo...
    Attachment: (filename when executed)

    From: jonas.rc@yahoo.com.b
    Subject: Ei, psiu...
    Body:
    Nada. Te peguei...Gosto muito de você, viu ? Estou com saudades. De seu amigo, Jonas.
    Attachment: (filename when executed)

  • The virus uses an SMTP server at the web address smtp.ig.com.br in order to send its emails
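The file and registry indicators listed above (dropped copies named taskmgr32.exe / taskmgr32#.exe, the HookLib.dll component with its stated size, the ctfmon32 / jto / pcount values and the Run persistence entry) can be turned into a simple host triage check. The Python below is an added example, not code from the vendor page: it works on a constructed list of (path, size) pairs and a constructed dictionary standing in for the registry, so it runs offline; on a live Windows host the same functions would be fed from os.walk() over %Windows% and from the winreg module. The sample file sizes and the pcount value are constructed placeholders.

```python
import re
from typing import Dict, Iterable, List, Tuple

# File indicators transcribed from the analysis: a dropped copy named taskmgr32.exe
# or taskmgr32<digit>.exe, plus the HookLib.dll component with its stated size.
TASKMGR_RE = re.compile(r"(?:^|\\)taskmgr32[0-9]?\.exe$", re.IGNORECASE)
HOOKLIB_NAME = "hooklib.dll"
HOOKLIB_SIZE = 40448
MIN_DROPPER_SIZE = 300 * 1024  # "in excess of 300Kb": a weak indicator on its own

# Registry indicators listed on the page.
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
MARKER_VALUES = {"ctfmon32": "Java Compiler", "jto": None, "pcount": None}  # None = any data
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "ctfmon32"
SFX_KEY = r"HKEY_CURRENT_USER\Software\WinRAR SFX"


def match_files(files: Iterable[Tuple[str, int]]) -> List[str]:
    """Return one finding per file whose name (and size) matches the page's indicators.

    `files` is an iterable of (full path, size in bytes), e.g. from walking %Windows%."""
    findings = []
    for path, size in files:
        name = path.rsplit("\\", 1)[-1].lower()
        if TASKMGR_RE.search(path):
            note = "" if size > MIN_DROPPER_SIZE else " (size below the expected >300Kb)"
            findings.append(f"dropper name match: {path}{note}")
        elif name == HOOKLIB_NAME and size == HOOKLIB_SIZE:
            findings.append(f"W32/Sowsat.C-dll component: {path}")
    return findings


def match_registry(registry: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings for the persistence, marker and SFX values listed on the page.

    `registry` maps a key path to {value name: value data}; keys and value names are
    compared case-insensitively, as the Windows registry does."""
    reg = {k.lower(): {vn.lower(): vd for vn, vd in vals.items()} for k, vals in registry.items()}
    findings = []
    run_data = reg.get(RUN_KEY.lower(), {}).get(RUN_VALUE)
    if run_data is not None and TASKMGR_RE.search(run_data):
        findings.append(f"Run persistence: {RUN_VALUE} = {run_data}")
    marker = reg.get(MARKER_KEY.lower(), {})
    for vn, expected in MARKER_VALUES.items():
        if vn in marker and (expected is None or marker[vn] == expected):
            findings.append(f"marker value: {vn} = {marker[vn]}")
    # The WinRAR SFX key exists on any host that ran an SFX archive; only a value that
    # records extraction into the temp directory is reported, as supporting evidence.
    for vn, vd in reg.get(SFX_KEY.lower(), {}).items():
        if "temp" in vn and vd.lower().rstrip("\\").endswith("temp"):
            findings.append(f"WinRAR SFX extraction path (supporting): {vn} = {vd}")
    return findings


# Constructed sample data for an offline run (sizes and pcount are placeholders).
SAMPLE_FILES = [
    (r"C:\Windows\taskmgr32.exe", 315_904),
    (r"C:\Windows\temp\taskmgr327.exe", 315_904),
    (r"C:\Windows\System32\HookLib.dll", 40_448),
    (r"C:\Windows\explorer.exe", 1_032_192),
]
SAMPLE_REGISTRY = {
    MARKER_KEY: {"ctfmon32": "Java Compiler", "jto": "250803213939", "pcount": "0x3"},
    RUN_KEY: {"ctfmon32": "%Windows%\\temp\\taskmgr327.exe",
              "VendorAgent": "C:\\Program Files\\Example\\agent.exe"},
    SFX_KEY: {"c%%windows%temp%": "%Windows%\\temp\\"},
}


def triage(files, registry) -> List[str]:
    """Combine both checks into one report list."""
    return match_files(files) + match_registry(registry)


if __name__ == "__main__":
    for line in triage(SAMPLE_FILES, SAMPLE_REGISTRY):
        print(line)
```

The name pattern deliberately accepts any single trailing digit rather than one literal file name, because the page says # varies between 0 and 9; the size checks are annotations only, since packed size varies.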
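The email formats listed above and the fixed relay smtp.ig.com.br give a mail-gateway and network team two detection hooks: the spoofed senders, subjects and "setupc.exe" attachment name on inbound mail, and workstations resolving the worm's SMTP server. The Python below is an added example and not the vendor's code; the two raw messages and the DNS query log lines it runs on are constructed for the example (BIND-style "client ip#port: query:" lines are assumed as the log format), and the attachment body is a placeholder, not the worm.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, Iterable, List

# Lure indicators transcribed from the email formats listed in the analysis.
KNOWN_SENDERS = {
    "avp.mailer@avp.com",
    "notice@programese.kit.net",
    "piadeiros@risadinha.com",
    "jonas.rc@yahoo.com.b",
}
KNOWN_SUBJECTS = {"avp-virus-warning", "bom dia !!!", "piada do paciente galo", "ei, psiu..."}
ATTACHMENT_NAME = "setupc.exe"
SMTP_RELAY = "smtp.ig.com.br"  # server the worm uses for outbound mail


def classify_message(raw: bytes) -> Dict[str, object]:
    """Classify one raw RFC 5322 message against the Sowsat.C lure indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = msg.get("Subject", "").strip().lower()
    attachments = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    has_dropper = ATTACHMENT_NAME in attachments
    has_exe = any(a.endswith(".exe") for a in attachments)
    lure_match = sender in KNOWN_SENDERS or subject in KNOWN_SUBJECTS
    if has_dropper and lure_match:
        verdict = "sowsat-c-lure"   # attachment name plus a known sender or subject
    elif has_dropper or (has_exe and lure_match):
        verdict = "suspicious"      # partial match: quarantine for review
    elif has_exe:
        verdict = "exe-attachment"  # policy issue in most environments, not specific
    else:
        verdict = "clean"
    return {"verdict": verdict, "sender": sender, "subject": subject, "attachments": attachments}


# Assumed log format: "client <ip>#<port>: query: <name> IN <type>" (BIND-style).
DNS_LINE_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN ")


def smtp_relay_clients(log_lines: Iterable[str]) -> List[str]:
    """Return the sorted set of client IPs that looked up the worm's SMTP relay."""
    hits = set()
    for line in log_lines:
        m = DNS_LINE_RE.search(line)
        if m and m.group(2).rstrip(".").lower() == SMTP_RELAY:
            hits.add(m.group(1))
    return sorted(hits)


# Constructed sample input: one message shaped like the AVP-Team lure, one benign.
SAMPLE_LURE = b"""\
From: AVP-Team <AVP.Mailer@avp.com>
To: user@example.invalid
Subject: AVP-Virus-Warning
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

New virus in "The Wild" called "W32/Cow". Spreads through e-mail and IRC.
A solution is this free program. Send this message to your friends.
--b1
Content-Type: application/octet-stream; name="setupc.exe"
Content-Disposition: attachment; filename="setupc.exe"
Content-Transfer-Encoding: base64

QUJDRA==
--b1--
"""
SAMPLE_CLEAN = b"""\
From: Colleague <colleague@example.invalid>
To: user@example.invalid
Subject: Meeting notes

Notes attached in the wiki, not here.
"""
SAMPLE_DNS_LOG = [
    "client 10.0.0.15#1034: query: smtp.ig.com.br IN A",
    "client 10.0.0.15#1035: query: www.example.invalid IN A",
    "client 10.0.0.27#1101: query: smtp.ig.com.br IN A",
    "client 10.0.0.15#1036: query: smtp.ig.com.br IN A",
]

if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_CLEAN):
        print(classify_message(raw))
    print("hosts resolving the relay:", smtp_relay_clients(SAMPLE_DNS_LOG))
```

Matching on sender or subject alone is deliberately not enough for the strong verdict, since both vary and are spoofed; the attachment name is the constant the page gives, and internal workstations resolving an external SMTP relay is the network-side signal worth alerting on regardless of mail content.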
