W32/Sobig.A@mm

Analysis

  • Virus is a 32-bit executable, compressed with TELock to a size of 65,536 bytes
  • Virus may copy itself to the Windows folder and then modify the registry so that it runs at Windows startup, as in this example -

    HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run\
    WindowsMGM = C:\Windows\winmgm32.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run\
    WindowsMGM = C:\Windows\winmgm32.exe

  • Virus scans the local drive for email addresses and mails a copy of itself to the addresses it finds, in varying email formats with a randomly selected subject line and body text
  • The attachment will have one of the following file names -

    Movie_0074.mpeg.pif
    Document003.pif
    Untitled1.pif
    Sample.pif

  • Virus will attempt to connect to a hyperlink and read a data file named "reteral.txt" - the content of that file is a second hyperlink pointing to another file with a .txt extension, hosted under a user account on the domain "loricoshop.com"
  • That file is then downloaded, renamed to "mptask.exe" and saved to the Windows\System folder - the file properties are set to make the user believe it is a Microsoft application, which it is not
  • Virus then modifies the registry to load the downloaded file at Windows startup -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run\
    Mptask Services = C:\Windows\System\mptask.exe

  • The downloaded file Mptask.exe is a Trojan also known as Zasi
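The persistence entries and attachment names listed above are the host-side indicators a responder would look for. The following script is an added example, not part of the original analysis and not Fortinet code: it parses a Windows .reg export of the Run keys, flags entries that match the WindowsMGM / winmgm32.exe and Mptask Services / mptask.exe pairs from the analysis, and checks mail attachment names against the four file names listed. The .reg text, the benign "ExampleUpdater" and "ExampleTray" entries, and the function names are constructed for the example.

```python
import re
from typing import Iterable, List, Tuple

# Indicators taken from the analysis above: Run-key value name -> executable it launches.
RUN_VALUE_INDICATORS = {
    "WindowsMGM": "winmgm32.exe",
    "Mptask Services": "mptask.exe",
}

# Attachment file names listed in the analysis (compared case-insensitively).
ATTACHMENT_NAMES = {
    "movie_0074.mpeg.pif",
    "document003.pif",
    "untitled1.pif",
    "sample.pif",
}

# Matches the per-user and per-machine Run keys the virus writes to.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)

# A .reg export line: "ValueName"=<data>; the data part is handled separately.
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample of a `reg export` of both Run keys (not a real capture).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsMGM"="C:\\Windows\\winmgm32.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\Updater.exe /background"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Mptask Services"="C:\\Windows\\System\\mptask.exe"
"ExampleTray"="%windir%\\system32\\ExampleTray.exe"
'''


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Parse a .reg export into (key_path, value_name, value_data) tuples.

    Only string values are unescaped; other types are kept as their raw text.
    """
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None:
            continue
        m = REG_VALUE_RE.match(line)
        if not m:
            continue  # default values (@=) and continuation lines are not needed here
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            # .reg exports escape backslashes and quotes inside string data.
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        entries.append((current_key, name, data))
    return entries


def scan_run_entries(entries: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return a finding string for every Run-key entry matching a Sobig.A indicator.

    An entry is flagged if either the value name or the launched executable's
    base name matches, so a renamed value or a moved file is still caught.
    """
    findings = []
    for key, name, data in entries:
        if not RUN_KEY_RE.search(key.rstrip("\\")):
            continue
        # Base name of the first .exe in the command line, ignoring path and arguments.
        m = re.search(r'([^\\/"]+\.exe)', data, re.IGNORECASE)
        exe = m.group(1).lower() if m else ""
        if name in RUN_VALUE_INDICATORS or exe in RUN_VALUE_INDICATORS.values():
            findings.append(f"{key}\\{name} = {data}")
    return findings


def is_sobig_attachment(filename: str) -> bool:
    """True if the attachment name is one of those listed in the analysis."""
    return filename.strip().lower() in ATTACHMENT_NAMES


if __name__ == "__main__":
    for finding in scan_run_entries(parse_reg_export(SAMPLE_EXPORT)):
        print("suspicious Run entry:", finding)
    for attachment in ("Movie_0074.mpeg.pif", "report.pdf"):
        print(attachment, "->", "Sobig.A attachment name" if is_sobig_attachment(attachment) else "no match")
```

On a live host the same functions can be fed the output of `reg export` for each Run key; the value-name-or-executable match is deliberately loose so that a variant that keeps only one of the two indicators is still reported for analyst review.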

Telemetry

Detection Availability

Product                     Signature database
FortiClient                 Extreme
FortiMail                   Extreme
FortiSandbox                Extreme
FortiWeb                    Extreme
Web Application Firewall    Extreme
FortiIsolator               Extreme
FortiDeceptor               Extreme
FortiEDR

Version Updates

Date Version Detail
2020-03-04 75.71900 Sig Updated
2019-11-28 73.41400 Sig Added
2018-09-25 62.46700 Sig Updated