Virus

W32/Yanz.A@mm

Analysis

This virus is a 32-bit Windows executable, UPX packed, with a file size of 68,608 bytes. It contains code to copy itself to various folders and to send itself to other users over SMTP using its own mail routines.
When executed, the virus may display a message box similar to the following (the text is Turkish: "HATA" means "ERROR" and "KERNEL HATASI" means "KERNEL ERROR"):
HATA
(x) KERNEL HATASI
[OK]
The virus copies itself into every folder whose name contains the string "shar" (and into all subfolders of such folders), using one or more of these file names:
Sun YanZi.avi.exe
Sun YanZi.mpg.exe
Sun YanZi.mpeg.exe
Sun YanZi - Shen Qi.exe
Sun YanZi - I am not sad.mp3.exe
Sun YanZi - Leave me alone.mp3.exe
Sun YanZi - forever.mp3.exe
Stephan YanZi.Mp3.exe
Sun-YanZi.mp3.exe
The virus also copies itself into the System32 folder as "Yanzi.exe" and "lsasss.exe" (note the three s's; the genuine Local Security Authority process is lsass.exe), and writes a .ZIP file, "YanZi.zip", into the Windows folder. The .ZIP file contains a copy of the virus with a .PIF extension.
Next the virus writes two additional files to the System32 folder. Despite the .sys extension they are not drivers but UUEncoded text:
sun.sys (93,886 bytes) - UUEncoded copy of the virus (yanzi.exe)
sun_yanzi.sys (94,054 bytes) - UUEncoded copy of YanZi.zip
Loading at Windows startup
The virus registers itself to run at each Windows startup via this registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Microsoft Kernel" = C:\WINNT\System32\lsasss.exe (extra data)
In the above example, "(extra data)" stands for appended strings that have no bearing on the virus running at startup.
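The host-side artefacts above (the "shar" folder copies, the System32 and Windows folder drops, the Run key value, and the UUEncoded .sys files) can be checked with a small triage script. The following Python is an added example, not code from this write-up or from Fortinet: it runs offline over a constructed directory listing and a constructed Run-key dump, and it decodes a constructed uuencoded blob standing in for sun.sys (the real file is not reproduced here; the sample merely encodes the first six bytes of a DOS/PE header so the result can be sanity-checked). The "lsasss.exe" check deliberately leaves the legitimate lsass.exe alone.

```python
import binascii
import re
from pathlib import PureWindowsPath

# File names the write-up lists for the copies dropped under "shar" folders
# (compared case-insensitively; the worm recurses into subfolders).
SHARE_DROP_NAMES = {
    "sun yanzi.avi.exe", "sun yanzi.mpg.exe", "sun yanzi.mpeg.exe",
    "sun yanzi - shen qi.exe", "sun yanzi - i am not sad.mp3.exe",
    "sun yanzi - leave me alone.mp3.exe", "sun yanzi - forever.mp3.exe",
    "stephan yanzi.mp3.exe", "sun-yanzi.mp3.exe",
}
# Drops in System32 and the Windows folder. "lsasss.exe" has three s's; the genuine
# LSASS binary is System32\lsass.exe and must not be flagged.
SYSTEM32_DROPS = {"yanzi.exe", "lsasss.exe", "sun.sys", "sun_yanzi.sys"}
WINDIR_DROPS = {"yanzi.zip"}
RUN_VALUE_NAME = "microsoft kernel"   # value name under HKLM\...\CurrentVersion\Run


def triage_paths(paths):
    """Return [(path, reason)] for every path matching a documented drop location."""
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        parents = [part.lower() for part in p.parent.parts]
        if name in SYSTEM32_DROPS and parents and parents[-1] == "system32":
            hits.append((raw, "System32 drop"))
        elif name in WINDIR_DROPS and parents and parents[-1] in ("windows", "winnt"):
            hits.append((raw, "Windows folder drop"))
        elif name in SHARE_DROP_NAMES and any("shar" in part for part in parents):
            hits.append((raw, "copy under a folder whose name contains 'shar'"))
    return hits


def triage_run_values(run_values):
    """run_values maps value name -> data for the Run key. Matches the documented value
    name and any command referencing lsasss.exe, whatever trailing text follows it."""
    hits = []
    for vname, data in run_values.items():
        if vname.lower() == RUN_VALUE_NAME or re.search(r"(?i)\\lsasss\.exe\b", data):
            hits.append((vname, data))
    return hits


def decode_uu(text):
    """Recover the binary carried by a uuencoded drop such as sun.sys / sun_yanzi.sys.
    Decodes line by line between 'begin' and 'end'; blank lines are skipped because
    binascii.a2b_uu('') yields 32 NUL bytes rather than nothing."""
    out = bytearray()
    in_body = False
    for line in text.splitlines():
        if not in_body:
            in_body = line.startswith("begin ")
            continue
        if line == "end":
            break
        if line.strip():
            out += binascii.a2b_uu(line)
    return bytes(out)


# Constructed uuencoded blob (not the real sun.sys): encodes the six bytes
# 4D 5A 90 00 03 00, i.e. the start of a DOS/PE header, so the output is checkable.
SAMPLE_UU = "begin 644 yanzi.exe\n&35J0``,`\n`\nend\n"

# Constructed host snapshot standing in for a directory listing and a Run-key dump.
SAMPLE_PATHS = [
    r"C:\WINNT\System32\lsasss.exe",
    r"C:\WINNT\System32\lsass.exe",          # legitimate LSASS, must stay clean
    r"C:\Shared Music\Sun-YanZi.mp3.exe",
    r"C:\WINNT\YanZi.zip",
    r"C:\Users\alice\Sun YanZi.avi.exe",     # right name, not under a "shar" folder
]
SAMPLE_RUN = {
    "Microsoft Kernel": r"C:\WINNT\System32\lsasss.exe trailing-junk",  # arbitrary appended text
    "Updater": r"C:\WINNT\System32\lsass.exe",
}

if __name__ == "__main__":
    for path, why in triage_paths(SAMPLE_PATHS):
        print(f"FILE   {path}  [{why}]")
    for vname, data in triage_run_values(SAMPLE_RUN):
        print(f"RUNKEY {vname} = {data}")
    payload = decode_uu(SAMPLE_UU)
    print("decoded", payload.hex(), "PE-like" if payload.startswith(b"MZ") else "not PE")
```

On a live system the path list would come from a directory walk and the Run-key dump from `reg query` or the `winreg` module; the matching logic is the same. Decoding sun.sys yourself is worth doing because the .sys name and size disguise a plain text encoding of the executable, and the recovered bytes can be hashed and scanned like any other dropped PE.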
Mass-mailing routine
The virus harvests email addresses from the infected system by scanning files with the following extensions and compiling a list of the addresses it finds:
adb
asp
dbx
doc
html
jsp
rtf
txt
xml
It skips any address whose domain part begins with one of these strings, so that mail is not sent to antivirus vendors, Google or Microsoft:
@google
@Norman
@Sophos
@Symantec
@kaspersky
@pandasoftware
@microsoft
The virus then composes an email to each remaining address. The message body references "Sun Yanzi" and is built from any of these four sentences:
I don't want anything. I want to see Sun YanZi
My Favourite is Sun YanZi.
I want to meet Sun YanZi. I am loving Sun-YanZi Magic.
You must to listen Sun-Yanzi. I am enjoying to listen Sun YanZi.
The email attachment will be either a .ZIP or an executable file with an extension of .CMD, .PIF or .SCR.
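The body sentences and attachment types above are enough to write a mail-gateway check. The following Python is an added detection example, not part of this write-up: it parses a message, flags a body built from any of the four sentences, and flags an attachment that is either a .CMD/.PIF/.SCR/.EXE file or a .ZIP carrying one. The message builder, the addresses, the subject line and the YanZi.pif member name are constructed assumptions; the page gives only the body sentences and the attachment types.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# The four body sentences from the write-up. Matching is case-insensitive on
# whitespace-collapsed text so line wrapping in transit does not defeat it.
BODY_PHRASES = (
    "I don't want anything. I want to see Sun YanZi",
    "My Favourite is Sun YanZi.",
    "I want to meet Sun YanZi. I am loving Sun-YanZi Magic.",
    "You must to listen Sun-Yanzi. I am enjoying to listen Sun YanZi.",
)
# Carrier extensions: .CMD/.PIF/.SCR are documented; .EXE covers the folder copies.
EXEC_EXT = (".cmd", ".pif", ".scr", ".exe")


def _norm(s):
    return re.sub(r"\s+", " ", s).strip().lower()


def suspicious_attachment(filename, data):
    """Return a reason if the attachment is a Yanz.A-style carrier, else None."""
    name = (filename or "").lower()
    if name.endswith(EXEC_EXT):
        return f"executable attachment {filename}"
    if name.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                bad = [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
        except zipfile.BadZipFile:
            return f"malformed zip attachment {filename}"
        if bad:
            return f"zip {filename} carries executable member(s): {', '.join(bad)}"
    return None


def classify_message(raw):
    """Parse an RFC 5322 message and list the Yanz.A indicators it exhibits."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = _norm(body_part.get_content()) if body_part is not None else ""
    if any(_norm(p) in body for p in BODY_PHRASES):
        reasons.append("body contains a known Yanz.A sentence")
    for part in msg.iter_attachments():
        reason = suspicious_attachment(part.get_filename(), part.get_content())
        if reason:
            reasons.append(reason)
    return reasons


def build_sample(body, filename, data):
    """Constructed test message, not a real capture; addresses are placeholders."""
    m = EmailMessage()
    m["From"] = "infected@example.com"
    m["To"] = "someone@example.org"
    m["Subject"] = "Sun YanZi"   # assumed; the write-up does not give the subject
    m.set_content(body)
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


def sample_zip(member, data):
    """In-memory zip with one member, mimicking YanZi.zip (member name assumed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        build_sample("My Favourite is Sun YanZi.", "Sun-YanZi.mp3.scr", b"MZ\x90\x00"),
        build_sample("I want to meet Sun YanZi. I am loving Sun-YanZi Magic.",
                     "YanZi.zip", sample_zip("YanZi.pif", b"MZ\x90\x00")),
        build_sample("Quarterly figures attached.", "report.pdf", b"%PDF-1.4"),
    ]
    for raw in samples:
        print(classify_message(raw) or ["clean"])
```

The zip branch matters because the documented YanZi.zip hides a .PIF inside an archive, which a plain extension filter on the attachment name would pass. In production the two signals would normally be scored together rather than reported separately, since a lone body match on a fan message is weak evidence without a carrier attachment.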
Miscellaneous
Sun Yanzi is a Singaporean pop singer; the author of the virus is apparently a fan. The virus uses PSAPI.DLL to enumerate running processes and terminates these two whenever it finds them, so they cannot be used to inspect or remove it:
MSCONFIG.EXE
REGEDIT.EXE
Both applications are useful for identifying programs that load at Windows startup, among other uses.

Recommended Action

Check the main screen of the web interface of your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.