W32.Sowsat.J@mm
Discovered on: August 22, 2003
W32.Sowsat.J@mm is a variant of W32.Sowsat@mm, a mass-mailing worm that spreads by email using its own SMTP engine and also spreads through IRC. The email has a variable subject line and attachment name; the attachment has a .exe file extension.
The worm is written in Borland Delphi and is packed with UPX.
Type: Worm
Infection Length: 328,192 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, Microsoft IIS, UNIX
Damage
Payload: Sends itself to every email address it finds by searching HTML files.
Distribution
Subject of email: Varies
Name of attachment: Varies with .exe file extension
When W32.Sowsat.J@mm runs, it performs the following actions:
1. Creates the folder C:\Windows\Temp, if it does not exist.
2. Copies itself into C:\Windows\Temp as Taskmgr32N.exe (where N is a number greater than or equal to zero).
3. Creates a zip file in C:\Windows\Temp named M.zip, where M is the number of times the worm has run on the computer.
4. Creates a folder in C:\Windows\Temp with a 12-digit name that encodes the time at which the worm runs, in the form DDMMYYhhmmss (for example, 070803112255 stands for 11:22:55 on 07 August 2003).
5. Adds the values:
   "cftmon32" = "Java Compiler"
   "jto" = "<the name of the folder created in step 4>"
   "pcount" = "<the number of times the worm has run>"
   to the registry key:
   HKEY_CURRENT_USER\Software\Microsoft\Windows
6. Adds the value:
   "cftmon32" = "c:\windows\temp\taskmgrN.exe" (where N has the same value as in step 2)
   to the registry key:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   so that the worm runs each time Windows starts.
7. Searches HTML files for email addresses and sends itself to the addresses it finds.
8. Attempts to send the zip file created in step 3 to the worm's author via SMTP.
9. Connects to the SMTP server smtp.uol.com.br and sends one of the following four email messages:
Message 1:
From: support@symantec.com
Subject: Symantec-Virus-Warning
Message: New virus in "The Wild" called "W32/Cow". Spreads through e-mail and IRC. A solution is this free program. Send this message to your friends.
Thank you, Symantec
Attachment: varies
Message 2:
From: piadeiros@risadinha.com.br
Subject: Piada do Paciente Galo [Portuguese: "The Rooster Patient Joke"]
Message: Um paciente chegou com o psiquiatra e disse: - Doutor, eu sou um galo... [Portuguese: "A patient came to the psychiatrist and said: - Doctor, I am a rooster..."]
Attachment: varies
Message 3:
From: jonas.rc@yahoo.com.br
Subject: Ei, psiu... [Portuguese: "Hey, psst..."]
Message: Nada. Te peguei... Gosto muito de você, viu? Estou com saudades. De seu amigo, Jonas. [Portuguese: "Nothing. Got you... I like you a lot, you know? I miss you. From your friend, Jonas."]
Attachment: varies
Message 4:
From: notice@programese.kit.net
Subject: Bom dia !!! [Portuguese: "Good morning !!!"]
Message: Feliz Aniversário !!! [Portuguese: "Happy Birthday !!!"]
Attachment: varies
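The file-system and registry artefacts in steps 2 to 6 are specific enough to check for mechanically. The following Python is an added example (not Symantec's tooling and not part of the original write-up): it classifies the entries of a C:\Windows\Temp listing, decodes the 12-digit run-time folder name of step 4, and flags Run-key values that point at the dropper from step 6. It assumes the caller has already enumerated the Temp directory and exported the Run values; the sample listing, the sample Run values and the function names are constructed for this example. Because the write-up spells the dropper both Taskmgr32N.exe (step 2) and taskmgrN.exe (step 6), the pattern accepts both.

```python
"""Host-side triage for the W32.Sowsat.J@mm artefacts described above.

Added example, not Symantec's code. It works only on constructed data
passed in by the caller and never touches a live file system or registry.
"""
import re
from datetime import datetime

# Step 2 / step 6: Taskmgr32N.exe or taskmgrN.exe, N >= 0 (both spellings
# appear in the write-up, so accept either, case-insensitively).
DROPPER_RE = re.compile(r"^taskmgr(?:32)?(\d+)\.exe$", re.IGNORECASE)
# Step 3: M.zip, where M is the run counter.
ZIP_RE = re.compile(r"^(\d+)\.zip$")
# Step 4: 12-digit folder name, DDMMYYhhmmss.
STAMP_RE = re.compile(r"^\d{12}$")


def parse_run_stamp(name):
    """Decode a step-4 folder name to a datetime, or None if it is not one.

    Write-up example: 070803112255 -> 2003-08-07 11:22:55.
    Twelve digits that do not form a valid date (e.g. day 00) are rejected.
    """
    if not STAMP_RE.match(name):
        return None
    try:
        return datetime.strptime(name, "%d%m%y%H%M%S")
    except ValueError:
        return None


def classify_temp_entry(name):
    """Map one Temp-directory entry name to an artefact type, or None."""
    if DROPPER_RE.match(name):
        return "dropper"
    if ZIP_RE.match(name):
        return "exfil_zip"
    if parse_run_stamp(name) is not None:
        return "run_stamp_dir"
    return None


def scan_temp_listing(entries):
    """Return {artefact_type: [entry names]} for a list of Temp entry names."""
    hits = {}
    for name in entries:
        kind = classify_temp_entry(name)
        if kind:
            hits.setdefault(kind, []).append(name)
    return hits


def check_run_key(run_values):
    """Return the names of Run-key values whose command is the step-6 dropper.

    run_values maps value name -> command string, as exported from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    """
    suspicious = []
    for value_name, command in run_values.items():
        exe = command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
        if DROPPER_RE.match(exe) and "\\temp\\" in command.lower():
            suspicious.append(value_name)
    return suspicious


# Constructed sample data (not taken from an infected host).
SAMPLE_TEMP = ["Taskmgr320.exe", "0.zip", "070803112255", "report.txt", "~DF1234.tmp"]
SAMPLE_RUN = {
    "cftmon32": r"c:\windows\temp\taskmgr0.exe",
    "OneDrive": r"C:\Program Files\OneDrive\OneDrive.exe",
}

if __name__ == "__main__":
    print(scan_temp_listing(SAMPLE_TEMP))
    print(check_run_key(SAMPLE_RUN))
    print(parse_run_stamp("070803112255"))
```

On a real host the two inputs would come from a directory listing of the Temp folder and an export of the Run key; matching the value name "cftmon32" alone is weaker than matching the command, since the name is trivially changed in other variants.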
In August 2003, Symantec Security Response received reports that an individual was sending email that claimed to come from Symantec, in order to get recipients to download and execute this worm.
The email has the following characteristics:
From: symantec-bb [symantec-bb@uol.com.br]
Subject: Alerta de Segurança da Symantec [Portuguese: "Symantec Security Alert"]
The email may appear as the following:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
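The lure messages listed in step 9, the spoofed Symantec alert reported in August 2003, and the attachment-blocking advice in the best-practices list above can be turned into one mail-gateway check. The following Python is an added example, not Symantec's code or a product rule: it parses constructed messages with the standard-library `email` package, flags the sender/subject pairs the write-up lists, and flags attachments with the extensions the best practices say to block. The sample messages, the `example.invalid` recipient and the function names are this example's own; the report's lure sender is written here in the usual `Name <addr>` form rather than the bracketed display shown above.

```python
"""Mail-gateway screening for the W32.Sowsat.J@mm lures described above.

Added example, not Symantec's code. Parses constructed messages offline.
"""
from email import message_from_string
from email.policy import default

# (sender, subject) pairs taken from the write-up.
KNOWN_LURES = {
    ("support@symantec.com", "Symantec-Virus-Warning"),
    ("piadeiros@risadinha.com.br", "Piada do Paciente Galo"),
    ("jonas.rc@yahoo.com.br", "Ei, psiu..."),
    ("notice@programese.kit.net", "Bom dia !!!"),
    ("symantec-bb@uol.com.br", "Alerta de Segurança da Symantec"),
}
# Extensions the best-practices list says to block or strip at the server.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def screen_message(raw):
    """Return the reasons to quarantine a raw RFC 822 message; [] means pass."""
    msg = message_from_string(raw, policy=default)
    addrs = msg["From"].addresses if msg["From"] else ()
    sender = addrs[0].addr_spec.lower() if addrs else ""
    subject = (msg["Subject"] or "").strip()
    reasons = []
    if (sender, subject) in KNOWN_LURES:
        reasons.append("known Sowsat lure: %s / %s" % (sender, subject))
    # iter_attachments() yields nothing for a plain single-part message.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append("blocked attachment type: " + name)
    return reasons


# Constructed sample messages (not real captures). The attachment payload
# is the base64 of "AAAA", not an executable.
SAMPLE_LURE = """\
From: support@symantec.com
To: victim@example.invalid
Subject: Symantec-Virus-Warning
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

New virus in "The Wild" called "W32/Cow". A solution is this free program.
--b1
Content-Type: application/octet-stream; name="Cow-Fix.exe"
Content-Disposition: attachment; filename="Cow-Fix.exe"
Content-Transfer-Encoding: base64

QUFBQQ==
--b1--
"""

SAMPLE_REPORT_LURE = """\
From: symantec-bb <symantec-bb@uol.com.br>
To: victim@example.invalid
Subject: Alerta de Segurança da Symantec
Content-Type: text/plain

(body omitted)
"""

SAMPLE_BENIGN = """\
From: colleague@example.invalid
To: victim@example.invalid
Subject: Quarterly report
Content-Type: text/plain

See attached next week.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_REPORT_LURE, SAMPLE_BENIGN):
        print(screen_message(raw) or ["pass"])
```

The extension check runs regardless of the lure match, which is the point of the best-practice advice: subject lines and sender addresses change between variants, but an executable attachment on inbound mail is a stable signal.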