Kaspersky Lab, an anti-virus software development company, is warning users of the discovery of a new Internet-worm, Sonic. The worm was discovered actually being transmitted “in the wild” in France and Germany on the morning of 30th October 2000.
The distinctive feature of this malicious program is its ability to update itself (i.e., to automatically download additional component functionality) via the Internet.
The worm consists of two parts — the loader and the main module. Copies of the loader are being distributed across the Internet by e-mail. Once the virus penetrates into the PC’s operating system it then initiates the connection to the hacker’s site on “Geocities”, a popular resource for free home pages.
From here Sonic tries to illegally download the main module and install it on the infected PC. The procedure for downloading the main module has been built in such a way that the worm’s author can define its content. This procedure is performed in the following steps:
- The worm connects to the hacker’s site,
- It downloads the file LASTVERSION.TXT, containing the version number of the worm’s main module available on the site, and
- if the infected computer has no main module installed or the version on the site is higher, then two files are downloaded from the site: nn.ZIP (where ‘nn’ = the number of the current main module’s version) and GATEWAY.ZIP (the latest version of the loader)
The main purpose of the main module is unauthorized data capture, tracking all the users’ activities and gaining remote control over the infected computer (backdoor functionality). Kaspersky Lab believes that the worm author can easily change the main module’s payload, with possibly much more dangerous and destructive content.
After the main module is installed, the worm secretly gains access to the Windows address book (WAB), extracts e-mail addresses available there and sends out infected messages, containing copies of the worm’s loader, to all of the encountered recipients. In the worm’s known versions the infected messages have the following details: Subject: Choose your poison; Attachment: GIRLS.EXE.
“This is not the first case when we have discovered a malicious code with self-updating ability via the Internet. Before ‘Sonic’, the Babylonia virus and the Resume worm had the same capabilities,” said Denis Zenkin, Head of Corporate Communications for Kaspersky Lab – “However this is not something that catches our attention at the moment.
“What is more disturbing is that this feature appears to have become a new standard for malicious programs, since more and more of them can update themselves via the Internet. This is a very dangerous trend as it allows hackers to extend their malware’s abilities in real-time with direct connection to the infected computers”.
Further details on the ‘Sonic’ worm are available at Kaspersky’s Virus Encyclopedia (www.viruslist.com).