W32.Sowsat.J@mm is a variant of W32.Sowsat@mm, a mass-mailing worm that spreads by email, using its own SMTP engine, and through IRC. The email has a variable subject line and attachment name; the attachment has a .exe file extension.
The worm is written in Borland Delphi and is packed with UPX.
Type: Worm
Infection Length: 328,192 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, Microsoft IIS, UNIX
THREAT ASSESSMENT
Wild:
Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Moderate
Damage
Payload: Sends itself to all the email addresses found by searching HTML files.
Distribution
Subject of email: Varies
Name of attachment: Varies with .exe file extension
When W32.Sowsat.J@mm runs, it performs the following actions:
1. Creates the folder, C:\Windows\Temp, if it does not exist.
2. Copies itself into C:\Windows\Temp with the name Taskmgr32N.exe (where N is a number greater than or equal to zero).
3. Creates a zip file in C:\Windows\Temp with the name M.zip, where M is the number of times the worm has run on the computer.
4. Creates a folder in C:\Windows\Temp with a 12-digit name, which is a representation of the time at which the worm runs (for example, 070803112255 stands for 11:22:55 on 07 August 2003).
5. Adds the values:
   "cftmon32" = "Java Compiler"
   "jto" = "<the name of the folder created in step 4>"
   "pcount" = "<the number of times the worm has run>"
   to the registry key:
   HKEY_CURRENT_USER\Software\Microsoft\Windows
6. Adds the value:
   "cftmon32" = "c:\windows\temp\taskmgrN.exe" (where N has the same value as in step 2)
   to the registry key:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   so that the worm runs when you start Windows.
7. Searches for HTML files containing email addresses and sends itself to those addresses.
8. Attempts to send the zip file created in step 3 to its creator via SMTP.
9. Connects to the SMTP server, smtp.uol.com.br, and sends one of the following four email messages:
Message 1:
From: support@symantec.com
Subject: Symantec-Virus-Warning
Message: New virus in "The Wild" called "W32/Cow".Spreads through e-mail and IRC.A solution is this free program.Send this message to your friends.
Thank you, Symantec
Attachment: varies
Message 2:
From: piadeiros@risadinha.com.br
Subject: Piada do Paciente Galo (English: "Joke of the Rooster Patient")
Message: Um paciente chegou com o psiquiatra e disse: - Doutor, eu sou um galo... (English: "A patient came to the psychiatrist and said: - Doctor, I am a rooster...")
Attachment: varies
Message 3:
From: jonas.rc@yahoo.com.br
Subject: Ei, psiu... (English: "Hey, psst...")
Message: Nada. Te peguei... Gosto muito de você, viu? Estou com saudades. De seu amigo, Jonas. (English: "Nothing. Gotcha... I like you a lot, you know? I miss you. From your friend, Jonas.")
Attachment: varies
Message 4:
From: notice@programese.kit.net
Subject: Bom dia !!! (English: "Good morning !!!")
Message: Feliz Aniversário !!! (English: "Happy Birthday !!!")
Attachment: varies
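The host artifacts listed in steps 2 to 6 and the four sender/subject pairs above are the practical indicators a responder would look for. The following script is an added example, not part of the Symantec writeup, that checks a snapshot of a machine for those indicators and decodes the 12-digit run-time folder name. The snapshot (file listing and registry values) is a constructed dictionary so the script runs offline; on a real host the same data would be gathered with a directory listing of C:\Windows\Temp and a registry export of the two keys named in the writeup.

```python
"""Check a host snapshot for the W32.Sowsat.J@mm artifacts described in the
writeup (dropped copy, M.zip, 12-digit run-time folder, registry values) and
match incoming mail against the four lure messages.
Added example; the snapshot below is constructed, not captured from a host."""
import re
from datetime import datetime

# Host indicators taken from the writeup
TEMP_DIR = r"C:\Windows\Temp"
WINDOWS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
RUN_KEY = WINDOWS_KEY + r"\CurrentVersion\Run"
MARKER_VALUES = {"cftmon32", "jto", "pcount"}          # values added to WINDOWS_KEY
# The writeup spells the dropped file both Taskmgr32N.exe and taskmgrN.exe,
# so the pattern accepts both forms (N is a number >= 0).
DROPPED_EXE = re.compile(r"^taskmgr(?:32)?\d+\.exe$", re.IGNORECASE)
HARVEST_ZIP = re.compile(r"^\d+\.zip$")               # M.zip, M = run count
TIMESTAMP_DIR = re.compile(r"^\d{12}$")               # DDMMYYhhmmss folder name

# Mail indicators taken from the four messages in the writeup
LURES = {
    ("support@symantec.com", "Symantec-Virus-Warning"),
    ("piadeiros@risadinha.com.br", "Piada do Paciente Galo"),
    ("jonas.rc@yahoo.com.br", "Ei, psiu..."),
    ("notice@programese.kit.net", "Bom dia !!!"),
}


def decode_run_time(name):
    """Decode a 12-digit folder name into the time the worm ran.
    The writeup's example: 070803112255 -> 11:22:55 on 07 August 2003,
    i.e. day, month, two-digit year, hour, minute, second."""
    if not TIMESTAMP_DIR.match(name):
        return None
    try:
        return datetime.strptime(name, "%d%m%y%H%M%S")
    except ValueError:          # twelve digits that are not a valid time
        return None


def is_known_lure(sender, subject):
    """True if the From address and Subject match one of the worm's messages."""
    return (sender.strip().lower(), subject.strip()) in LURES


def scan(snapshot):
    """Return a list of human-readable findings for the indicators present.
    snapshot = {"files": {dir: [names]}, "registry": {key: {value: data}}}"""
    findings = []
    for name in snapshot.get("files", {}).get(TEMP_DIR, []):
        run_time = decode_run_time(name)
        if DROPPED_EXE.match(name):
            findings.append(f"dropped copy {TEMP_DIR}\\{name}")
        elif HARVEST_ZIP.match(name):
            findings.append(f"harvest archive {TEMP_DIR}\\{name}")
        elif run_time is not None:
            findings.append(f"run-time folder {name} (ran {run_time:%Y-%m-%d %H:%M:%S})")

    registry = snapshot.get("registry", {})
    present = MARKER_VALUES & set(registry.get(WINDOWS_KEY, {}))
    if present:
        findings.append(f"marker values {sorted(present)} under {WINDOWS_KEY}")
    for value_name, data in registry.get(RUN_KEY, {}).items():
        # Persistence: Run value whose data points at the dropped copy
        if DROPPED_EXE.match(data.rsplit("\\", 1)[-1]):
            findings.append(f"Run persistence {value_name} -> {data}")
    return findings


# Constructed snapshot of an infected host, using the names from the writeup
SAMPLE_SNAPSHOT = {
    "files": {TEMP_DIR: ["Taskmgr320.exe", "1.zip", "070803112255", "readme.txt"]},
    "registry": {
        WINDOWS_KEY: {"cftmon32": "Java Compiler", "jto": "070803112255", "pcount": "1"},
        RUN_KEY: {"cftmon32": r"c:\windows\temp\taskmgr0.exe"},
    },
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_SNAPSHOT):
        print(finding)
    print(is_known_lure("support@symantec.com", "Symantec-Virus-Warning"))
```

The run-time folder and the "jto" value give the responder a timestamp for the first execution, and "pcount" tells how many times the worm has run, which bounds how many M.zip archives may have been mailed out.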