W32.Sowsat.J@mm is a variant of W32.Sowsat@mm, a mass-mailing worm that spreads using its own SMTP engine and through IRC. The email has a variable subject line and attachment name; the attachment has a .exe file extension.

The worm is written in Borland Delphi and is packed with UPX.

Type: Worm
Infection Length: 328,192 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, Microsoft IIS, UNIX

THREAT ASSESSMENT

Wild:

Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Moderate

Damage

Payload: Sends itself to all email addresses found by searching HTML files.

Distribution

Subject of email: Varies
Name of attachment: Varies with .exe file extension

When W32.Sowsat.J@mm runs, it performs the following actions:

1. Creates the folder, C:\Windows\Temp, if it does not exist.

2. Copies itself into C:\Windows\Temp with the name Taskmgr32N.exe (where N is a number greater than or equal to zero).

3. Creates a zip file in C:\Windows\Temp with the name M.zip, where M is the number of times the worm has run on the computer.

4. Creates a folder in C:\Windows\Temp with a 12-digit name, which is a representation of the time at which the worm runs (for example, 070803112255 stands for 11:22:55 on 07 August 2003).

5. Adds the values:

"cftmon32" = "Java Compiler"
"jto" = "<the name of the folder created in step 4>"
"pcount" = "<the number of times the worm has run>"

to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows

6. Adds the value:

"cftmon32"="c:\windows\temp\taskmgrN.exe" (where N has the same value as in step 2)

to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

7. Searches for HTML files containing email addresses and sends itself to those addresses.

8. Attempts to send the zip file created in step 3 to its creator via SMTP.

9. Connects to the SMTP server, smtp.uol.com.br, and sends one of the following four email messages:

Message 1:
From: support@symantec.com
Subject: Symantec-Virus-Warning
Message: New virus in "The Wild" called "W32/Cow".Spreads through e-mail and IRC.A solution is this free program.Send this message to your friends.
Thank you, Symantec
Attachment: varies

Message 2:
From: piadeiros@risadinha.com.br
Subject: Piada do Paciente Galo
Message: Um paciente chegou com o psiquiatra e disse: - Doutor, eu sou um galo...
Attachment: varies

Message 3:
From: jonas.rc@yahoo.com.br
Subject: Ei, psiu...
Message: Nada. Te peguei...Gosto muito de você, viu ? Estou com saudades. De seu amigo, Jonas.
Attachment: varies

Message 4:
From: notice@programese.kit.net
Subject: Bom dia !!!
Message: Feliz Aniversário !!!
Attachment: varies
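
As an added example that is not part of the Symantec write-up or the original post, the following Python triage script checks a .reg export for the registry values and Run entry listed above and decodes the 12-digit folder name as DDMMYYhhmmss (070803112255 -> 2003-08-07 11:22:55). The registry export is a constructed sample, and the file-name check accepts both spellings the write-up gives for the dropped copy (Taskmgr32N.exe and taskmgrN.exe).

```python
import re
from datetime import datetime
# Constructed sample of a HKCU .reg export (not from a real host), with one unrelated Run entry.
SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows]
"cftmon32"="Java Compiler"
"jto"="070803112255"
"pcount"="3"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
"cftmon32"="c:\\windows\\temp\\taskmgr3.exe"
'''

def parse_reg(text):
    """Parse a .reg-style export into {key: {value_name: data}}, names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            name, _, data = line.partition('=')
            # .reg exports double the backslashes inside string data; undo that
            keys[current][name.strip('"').lower()] = data.strip('"').replace('\\\\', '\\')
    return keys

def decode_jto(value):
    """The 12-digit folder name is DDMMYYhhmmss: 070803112255 -> 2003-08-07 11:22:55."""
    if not re.fullmatch(r'\d{12}', value):
        return None
    try:
        return datetime.strptime(value, '%d%m%y%H%M%S')
    except ValueError:  # twelve digits that are not a valid date
        return None

def find_sowsat_indicators(reg_text):
    """Return findings for the registry artefacts the write-up describes."""
    keys = parse_reg(reg_text)
    win = keys.get(r'hkey_current_user\software\microsoft\windows', {})
    run = keys.get(r'hkey_current_user\software\microsoft\windows\currentversion\run', {})
    findings = [f'{n}={win[n]!r} under HKCU\\Software\\Microsoft\\Windows'
                for n in ('cftmon32', 'jto', 'pcount') if n in win]
    first_run = decode_jto(win.get('jto', ''))
    if first_run:
        findings.append(f'jto decodes to run time {first_run:%Y-%m-%d %H:%M:%S}')
    data = run.get('cftmon32', '')
    # accepts both taskmgrN.exe and Taskmgr32N.exe dropped under the Temp folder
    if re.search(r'\\temp\\taskmgr(32)?\d+\.exe$', data, re.I):
        findings.append(f'Run persistence: cftmon32 -> {data}')
    return findings
```

Run it against `reg export HKCU\Software\Microsoft\Windows` output saved as text; an empty list means none of the listed values were present.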

For complete details visit:
http://securityresponse.symantec.com...wsat.j@mm.html

Cheers,
BD]Hobbit

P.S.> I will no longer be posting the technical details part of the virus warning section; if you want to view it, check out the web page, or if you want me to keep posting the tech dets, p.m. me.