W32/Sowsat.A@mm

Analysis

  • The virus is a 32-bit executable with a compressed file size of 164,864 bytes
  • When run, the virus appears as a minimized task on the Windows taskbar; maximizing it may show only a red window, which closes when the virus exits
  • The virus may write itself to the local system as two files -

    %Windows%\setupc.exe
    %Windows%\sysc#.exe

    Where # is a number between 0 and 9 such as sysc7.exe

  • The virus modifies the registry so that it is loaded at the next Windows startup, as in this example -

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    Cow = %Windows%\sysc7.exe

  • If the virus determines that WinZip32 is installed, it may also add a RunOnce registry value that re-extracts the dropped file in case sysc#.exe has been deleted, as in this example -

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\
    Cow = (Winzip32 path)\Winzip32.exe -a -r %Windows%\osc8.zip %Windows%\sysc7.exe

  • The virus contains its own SMTP code and uses it to send itself to addresses harvested from files matching "*.htm*" on the infected system. Each message uses a spoofed sender address and one of several subject and body texts, and carries the virus as an attachment named "setupc.exe". The possible message formats are listed below -

    From: AVP-Team (AVP.Mailer@avp.com)
    Subject: AVP-Virus-Warning
    Body:
    New virus in "The Wild" called "W32/Cow".Spreads through e-mail and IRC.A solution is this free program.Send this message to your friends. Thank you, AVP Team
    Attachment: setupc.exe

    From: Crazy Games inc. -New gaming company (Crazygames@crazygamez.com)
    Subject: freeware nice game
    Body:
    hya, chaeck this cool freeware!
    Attachment: setupc.exe

    From: Your friend (john@yahoo.com)
    Subject: My cool, litle program
    Body:
    Something I programmed.It's really cool!
    Attachment: setupc.exe

    From: Screensaver-Demo coder (Demos@screensave.org)
    Subject: Kewl FX screensaver
    Body:
    A nice FX-screensaver.Better than the last one!
    Attachment: setupc.exe

  • The virus sends these emails through the SMTP server "mail.terrasat.ro"

  • The virus contains these strings in its code -

    mIRC-Worm/Chicken by MI_pirat
    I-Worm/Cow[Team A] kicks [Team B]'s ass!
    I-Worm/Cow v1.0
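A host-side check for the persistence and lure indicators described above, written as an added example that is not part of this page or of Fortinet's tooling. It assumes a text (.reg-style) export of the HKCU Run and RunOnce keys, embeds a constructed sample of such an export, and treats the spoofed sender list as a hypothetical mail filter.

```python
import re

# Indicators from the analysis above: the dropped file names in the Windows
# directory and the WinZip command the RunOnce key uses to re-extract sysc#.exe.
SOWSAT_FILE_RE = re.compile(r"\\(setupc\.exe|sysc[0-9]\.exe)\b", re.IGNORECASE)
WINZIP_EXTRACT_RE = re.compile(
    r"winzip32\.exe\s+-a\s+-r\s+\S*osc[0-9]\.zip\s+\S*sysc[0-9]\.exe", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# Spoofed sender addresses from the lure mails (hypothetical filter, not Fortinet's).
LURE_SENDERS = {"avp.mailer@avp.com", "crazygames@crazygamez.com",
                "john@yahoo.com", "demos@screensave.org"}

def find_persistence(reg_export):
    """Scan a .reg-style export; return (key, value name, reason) for Run/RunOnce
    values that match the Sowsat persistence entries."""
    hits, key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new registry key header
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith(("\\run", "\\runonce")):
            continue
        name, data = m.group("name"), m.group("data").replace("\\\\", "\\")
        if WINZIP_EXTRACT_RE.search(data):
            hits.append((key, name, "WinZip re-extraction of sysc#.exe"))
        elif SOWSAT_FILE_RE.search(data):
            hits.append((key, name, "points at setupc.exe / sysc#.exe"))
        elif name.lower() == "cow":
            hits.append((key, name, "Run value named 'Cow'"))
    return hits

def is_lure_email(sender, attachment):
    """True when the From address and attachment name match the lure mails above."""
    return sender.strip().lower() in LURE_SENDERS and attachment.lower() == "setupc.exe"

# Constructed sample export (not from a real host); .reg files double backslashes.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"Cow"="C:\\Windows\\sysc7.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cow"="C:\\Program Files\\WinZip\\Winzip32.exe -a -r C:\\Windows\\osc8.zip C:\\Windows\\sysc7.exe"
'''
```

Running `find_persistence(SAMPLE_EXPORT)` flags both "Cow" values and leaves the unrelated OneDrive entry alone.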

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR