W32/Sobig.A@mm
Analysis
- Virus is 32-bit, with a TELock-compressed size of 65,536 bytes
- Virus may copy itself to the Windows folder, then modify the registry to run at Windows startup, as in this example -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
WindowsMGM = C:\Windows\winmgm32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
WindowsMGM = C:\Windows\winmgm32.exe
- Virus scavenges the local drive for email addresses and sends a copy of itself to the addresses found, using varying email formats with a randomly selected subject line and body text
- The attachment will be one of the following file names -
Movie_0074.mpeg.pif
Document003.pif
Untitled1.pif
Sample.pif
- Virus attempts to connect to a URL to read a data file named "reteral.txt" - the content of that file is a URL pointing to another file with a .txt extension, hosted under a user account on the domain "loricoshop.com"
- That file is then downloaded, renamed "mptask.exe" and saved to the Windows\System folder - the file's properties are set to mislead the user into believing it is a Microsoft application, which it is not
- Virus then modifies the registry to load the downloaded file at Windows startup -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Mptask Services = C:\Windows\System\mptask.exe
- The downloaded file Mptask.exe is a Trojan also known as Zasi
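The two Run-key persistence entries and the fixed attachment names above are the easiest indicators to hunt for offline. The following is an added example, not Fortinet's code and not part of the original entry: it parses a registry export in .reg syntax, flags the WindowsMGM / Mptask Services values when they point at the reported executables, and screens a list of mail attachment names. The registry export and the attachment list are constructed sample data; treating any remaining .pif attachment as suspicious is this example's own heuristic, not something the entry states.

```python
"""Offline IOC check for W32/Sobig.A@mm persistence keys and attachment names.

Added example (not Fortinet's code). SAMPLE_REG and SAMPLE_ATTACHMENTS are
constructed test data, not captures from an infected host.
"""
import re

# Run-key value name -> executable name, as reported for Sobig.A and its Zasi payload.
RUN_VALUE_IOCS = {
    "WindowsMGM": "winmgm32.exe",
    "Mptask Services": "mptask.exe",
}

# Attachment file names reported for the worm's outbound mail.
ATTACHMENT_IOCS = {
    "Movie_0074.mpeg.pif",
    "Document003.pif",
    "Untitled1.pif",
    "Sample.pif",
}

RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed .reg-style export: two worm entries mixed with benign ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsMGM"="C:\\Windows\\winmgm32.exe"
"OneDrive"="C:\\Users\\me\\OneDrive.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Mptask Services"="C:\\Windows\\System\\mptask.exe"
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
'''

# Constructed attachment names as they might appear in a mail gateway log.
SAMPLE_ATTACHMENTS = [
    "quarterly_report.pdf",
    "Movie_0074.mpeg.pif",
    "Sample.pif",
    "setup.pif",
    "photo.jpg",
]


def parse_reg_export(text):
    """Parse the subset of .reg syntax used here: [key] headers followed by
    "name"="data" lines. Returns (key, value_name, data) tuples with the
    doubled backslashes of the export format collapsed back to single ones."""
    entries = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def find_run_key_iocs(entries):
    """Return Run-key entries whose value name AND target file both match the
    reported IOCs. Requiring both keeps a coincidental value name from firing."""
    hits = []
    for key, name, data in entries:
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        exe = RUN_VALUE_IOCS.get(name)
        if exe and data.lower().endswith(exe):
            hits.append((key, name, data))
    return hits


def find_attachment_iocs(names):
    """Return (name, reason) pairs: exact matches on the reported names, plus
    any other .pif attachment (heuristic added by this example)."""
    hits = []
    for n in names:
        if n in ATTACHMENT_IOCS:
            hits.append((n, "known Sobig.A attachment name"))
        elif n.lower().endswith(".pif"):
            hits.append((n, "unexpected .pif attachment (heuristic)"))
    return hits


if __name__ == "__main__":
    for key, name, data in find_run_key_iocs(parse_reg_export(SAMPLE_REG)):
        print(f"RUN KEY  {key}\\{name} = {data}")
    for name, reason in find_attachment_iocs(SAMPLE_ATTACHMENTS):
        print(f"MAIL     {name}: {reason}")
```

On a live host the .reg text would come from `reg export` of both Run keys; the same functions then apply unchanged, and a hit on either key should be followed by checking for winmgm32.exe in the Windows folder and mptask.exe in Windows\System.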
Telemetry
Detection Availability
Product | Signature database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |