VIRUS NAME: W32/Sowsat@MM
This email virus sends itself to addresses extracted from .HTM* files in the Windows directory of the victim machine.
The worm is also capable of spreading via IRC, using a dropped SCRIPT.INI file, which is detected as Mirc/Generic with the 4149 DATs or later.
The worm contains its own SMTP engine, and uses a public SMTP server (address hardcoded within the worm) for mailing. It may arrive in an email formatted in a number of ways:
From: Screensaver-Demo coder (DEMOS@SCREENSAVE.ORG)
Subject: Kewl FX screensaver
Body: A nice FX-screensaver.Better than the last one!

From: AVP-Team (AVP.MAILER@AVP.COM)
Body: New virus in "The Wild" called "W32/Cow".Spreads through e-mail and IRC.A solution is this free program.Send this message to your friends. Thank you, AVP

From: Your friend (JOHN@YAHOO.COM)
Subject: My cool, litle program
Body: Something I programmed.It's really cool!

From: Crazy Games inc. -New gaming company (Crazygames@crazygamez.com)
Subject: freeware nice game
Body: hya, chaeck this cool freeware!
The worm contains the string:
[Team A] kicks [Team B]'s ass!
Indications Of Infection
Existence of the following Registry key:
"Cow" = Moooo
Existence of the Registry keys detailed in the 'Method Of Infection' section.
Two identical files named SETUPC.EXE and SYSCn.EXE in the Windows directory, whose size matches that listed above.
Existence of the archive OSCn.ZIP in the Windows directory, containing a copy of SYSC3.EXE (where 'n' is a digit 0-9).
Method Of Infection
The worm copies itself to the Windows directory as SETUPC.EXE and SYSCn.EXE (n = digit 0-9), and modifies the Registry to run SYSCn.EXE on subsequent system startup, for example:
\Run "Cow" = C:\WINDOWS\SYSC3.EXE
Upon restarting, the worm mails itself to email addresses extracted from *.HTM* files in the Windows directory, searching its subdirectories recursively.
The worm checks if WinZip is installed on the victim machine, and, if so, creates a further copy of itself in an archive by setting a Registry key to run WinZip at next startup. The archive, named OSCn.ZIP (n = digit 0-9), is created in the Windows directory.
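The following is an added example, not part of the AVERT description: a host check for the indicators listed under 'Indications Of Infection' and 'Method Of Infection' (the "Cow" Run value, SETUPC.EXE and SYSCn.EXE as identical copies, and OSCn.ZIP in the Windows directory). The detection logic takes the Run values and file contents as plain Python objects, so it can be exercised on a constructed snapshot; the helper that reads the real registry and Windows directory is an assumption about a standard Windows layout.

```python
# Added example (not AVERT's code): checks a host for the W32/Sowsat@MM
# indicators described above. Run values and Windows-directory files are
# passed in as plain objects; collect_windows_snapshot() gathers real ones.
import hashlib
import os
import re

INDICATOR_FILE_RE = re.compile(r"^(SETUPC\.EXE|SYSC\d\.EXE|OSC\d\.ZIP)$", re.I)
RUN_DATA_RE = re.compile(r"SYSC\d\.EXE", re.I)

def find_sowsat_indicators(run_values, windows_files):
    """run_values: {value_name: data} from a Run key; windows_files: {name: bytes}."""
    findings = []
    # Run value named "Cow", or any Run value that launches SYSCn.EXE
    for name, data in run_values.items():
        if name.lower() == "cow" or RUN_DATA_RE.search(str(data)):
            findings.append(f"Run value {name} = {data}")
    matched = {n: b for n, b in windows_files.items() if INDICATOR_FILE_RE.match(n)}
    findings.extend(f"file {n}" for n in matched)
    # SETUPC.EXE and SYSCn.EXE are described as identical copies of the worm
    setupc = next((b for n, b in matched.items() if n.upper() == "SETUPC.EXE"), None)
    if setupc is not None:
        ref = hashlib.sha256(setupc).hexdigest()
        for n, b in matched.items():
            if n.upper().startswith("SYSC") and hashlib.sha256(b).hexdigest() == ref:
                findings.append(f"{n} is byte-identical to SETUPC.EXE")
    return sorted(findings)

def collect_windows_snapshot():
    """Read the real Run values and matching Windows-directory files (Windows only)."""
    import winreg  # standard library, but only present on Windows
    run_values = {}
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _ = winreg.EnumValue(key, i)
                run_values[name] = data
    windir = os.environ.get("SystemRoot", r"C:\WINDOWS")  # assumed layout
    files = {}
    for n in os.listdir(windir):
        if INDICATOR_FILE_RE.match(n):
            with open(os.path.join(windir, n), "rb") as fh:
                files[n] = fh.read()
    return run_values, files
```

On a Windows host, `find_sowsat_indicators(*collect_windows_snapshot())` returns an empty list when none of the indicators are present.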