W32/Sowsat.A@mm
Analysis
- Virus is 32-bit with a compressed file size of 164,864 bytes
- If the virus is run, it will run as a minimized task visible on the task bar in Windows - maximizing the task may display simply a red window which exits when the virus terminates
- Virus may write itself to the local system as two files -
%Windows%\setupc.exe
%Windows%\sysc#.exe
Where # is a number between 0 and 9, such as sysc7.exe
- Virus will modify the registry to load at next Windows startup, as in this example -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Cow = %Windows%\sysc7.exe
- If the virus determines that WinZip32 is installed, it may also modify the registry to run an extraction routine in the event sysc#.exe was deleted, as in this example -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\
Cow = (Winzip32 path)\Winzip32.exe -a -r %Windows%\osc8.zip %Windows%\sysc7.exe
- Virus contains its own SMTP code and uses it to send emails to contacts found when scanning files of type "*.htm*" on the infected system - the virus may create an email with a spoofed sender address, varied subject and body text and attach itself as "setupc.exe" when sending itself to others - below are the possible email formats the virus is expected to be sent as -
From: AVP-Team (AVP.Mailer@avp.com)
Subject: AVP-Virus-Warning
Body:
New virus in "The Wild" called "W32/Cow".Spreads through e-mail and IRC.A solution is this free program.Send this message to your friends. Thank you, AVP Team
Attachment: setupc.exe

From: Crazy Games inc. -New gaming company (Crazygames@crazygamez.com)
Subject: freeware nice game
Body:
hya, chaeck this cool freeware!
Attachment: setupc.exe

From: Your friend (john@yahoo.com)
Subject: My cool, litle program
Body:
Something I programmed.It's really cool!
Attachment: setupc.exe

From: Screensaver-Demo coder (Demos@screensave.org)
Subject: Kewl FX screensaver
Body:
A nice FX-screensaver.Better than the last one!
Attachment: setupc.exe
- The virus uses the SMTP server at the host name "mail.terrasat.ro" in order to send emails
- Virus contains these strings in its code -
mIRC-Worm/Chicken by MI_pirat
I-Worm/Cow[Team A] kicks [Team B]'s ass!
I-Worm/Cow v1.0
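The indicators listed above (the "Cow" autorun values under Run and Runonce, the dropped file names setupc.exe and sysc#.exe, the four lure sender/subject pairs with the setupc.exe attachment, and the mail.terrasat.ro relay) can be turned into a simple host-and-mail check. The following is an added example, not code from the original entry: it runs over constructed registry entries and constructed mail headers (the entry shapes, the `%Windows%` placeholder and the WinZip path are assumptions) and reports which entries match the description.

```python
"""Indicator checks for the W32/Sowsat.A@mm description.

Added example, not part of the original write-up. The registry entries and
e-mail messages below are constructed test data; the %Windows% placeholder
stands in for the real Windows directory.
"""
import re

# Indicators taken from the analysis: autorun keys, value name, dropped file
# names, the SMTP relay and the four lure e-mails.
AUTORUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}
AUTORUN_VALUE_NAME = "Cow"
# setupc.exe or sysc<digit>.exe, as the last path element of a command line
DROPPED_FILE_RE = re.compile(r"\\(setupc\.exe|sysc[0-9]\.exe)(?=\s|$)", re.IGNORECASE)
SMTP_RELAY = "mail.terrasat.ro"
LURE_MAILS = {  # lower-cased sender address -> subject line used by the worm
    "avp.mailer@avp.com": "AVP-Virus-Warning",
    "crazygames@crazygamez.com": "freeware nice game",
    "john@yahoo.com": "My cool, litle program",
    "demos@screensave.org": "Kewl FX screensaver",
}
LURE_ATTACHMENT = "setupc.exe"


def scan_registry(entries):
    """entries: iterable of (key_path, value_name, value_data) tuples.

    Returns one finding per autorun value whose data points at one of the
    dropped file names. Keys are compared case-insensitively, as the Windows
    registry does, so 'Runonce' and 'RunOnce' both match. A value named
    'Cow' is reported as a strong match, any other name as a weak one.
    """
    keys_lc = {k.lower() for k in AUTORUN_KEYS}
    findings = []
    for key_path, value_name, value_data in entries:
        if key_path.rstrip("\\").lower() not in keys_lc:
            continue
        if not DROPPED_FILE_RE.search(value_data):
            continue
        weight = "strong" if value_name == AUTORUN_VALUE_NAME else "weak"
        findings.append(f"{weight}: {key_path}\\{value_name} = {value_data}")
    return findings


def scan_mail(messages):
    """messages: iterable of dicts with 'from', 'subject', 'attachments' and
    optionally 'relay' (the SMTP host that handed the message over).

    A message is flagged when it carries setupc.exe together with a known
    lure sender/subject pair, when it carries setupc.exe at all, and when it
    came in from the relay named in the analysis.
    """
    findings = []
    for i, msg in enumerate(messages):
        sender = msg.get("from", "").lower()
        attachments = {a.lower() for a in msg.get("attachments", [])}
        lure = LURE_MAILS.get(sender) == msg.get("subject")
        if LURE_ATTACHMENT in attachments and lure:
            findings.append(f"msg {i}: lure '{msg['subject']}' with {LURE_ATTACHMENT}")
        elif LURE_ATTACHMENT in attachments:
            findings.append(f"msg {i}: unexpected {LURE_ATTACHMENT} attachment")
        if msg.get("relay", "").lower() == SMTP_RELAY:
            findings.append(f"msg {i}: handed over by {SMTP_RELAY}")
    return findings


# Constructed sample data (assumption): two infected-looking autorun values
# modelled on the examples in the analysis, plus one benign value.
SAMPLE_REGISTRY = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "Cow", r"%Windows%\sysc7.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce",
     "Cow", r"C:\Program Files\WinZip\Winzip32.exe -a -r %Windows%\osc8.zip %Windows%\sysc7.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "Updater", r"C:\Program Files\Example\updater.exe"),
]
# Constructed sample mail: one lure as described above and one benign message.
SAMPLE_MAIL = [
    {"from": "AVP.Mailer@avp.com", "subject": "AVP-Virus-Warning",
     "attachments": ["setupc.exe"], "relay": "mail.terrasat.ro"},
    {"from": "alice@example.com", "subject": "meeting minutes",
     "attachments": ["minutes.pdf"], "relay": "mx.example.com"},
]

if __name__ == "__main__":
    for line in scan_registry(SAMPLE_REGISTRY) + scan_mail(SAMPLE_MAIL):
        print(line)
```

The file-name check deliberately matches `sysc` followed by a single digit rather than the literal `sysc#.exe`, because the analysis says # is a digit from 0 to 9; the mail check keys on the sender/subject pairs plus the attachment name so that a forwarded benign message with a similar subject does not trip the strong rule.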