Update W32/SoSmall-A

Analysis of the (possible virus) sample I submitted has started.

Update: Analysis has been completed, it's confirmed as a new virus. Yay, I discovered a new virus... as you can see, it's quite important, even if you have an AV solution, to stay alert and think for yourself. Here's the information as provided by the techies at Sophos:

Description:

W32/SoSmall-A is an internet worm which spreads by emailing itself to addresses found within files on the local hard drive that have extensions of DBX, EML, IMM, IMH, MSG or V03.

The subject of the email is randomly selected from:

"Is this the Smallest C++ MassMailer????"
"I don't understand"
"I can't recall what happened but"
"SoBig SoSmall"
"Virus Alert: [email protected]"
"Shit happens"
"Happy Birthday"

The message text is selected from:

"Is this what where all about?"
"MessageLabs are the first to report of the new Nodoom Internet Worm
Please install the patch attached in this email to prevent outbreaks"
"Can you recall what happened at the party last friday?
I'm having serious problems, i really should stop smoking!
Maybe the picture files attached will explain it to you..."
"SoSmall, SoCold, SoNice, SoGood, SoWarm.."
"please explain me this attachment, it confused me.."
"Here are the files you asked for, cheers"

and the attachment filename is Setup.zip.

The "From:" field contains an email address randomly chosen from those found on the local computer.

The worm attempts to exploit a known vulnerability in Microsoft Internet Explorer 5.01/5.5, so that the attachment is run automatically when the email message is opened.

When first run, the worm copies itself to the Windows System folder as ctsls.exe and creates the following registry entry, so that ctsls.exe is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Ctsls=SYSTEM%\ctsls.exe

A file named Ynit.tmp is created in the Windows System folder to store a
base64 encoded version of the worm.

Some versions of this worm display a message box with the text "Error", "Start" and when attempting to email themselves display a message box containing the randomly selected subject line and a message box containing the randomly selected message text.


About this Entry

This page contains a single entry by ServMe published on February 16, 2004 5:37 PM.
