View Full Version : w32.sowsat.j@mm [virus updates]

23-08-03, 15:03
W32.Sowsat.J@mm is a variant of W32.Sowsat@mm, a mass-mailing worm that spreads by using its own SMTP engine and spreads through IRC. The email has a variable subject line and attachment name. The attachment should have a .exe file extension.

The worm is written in Borland Delphi and is packed with UPX.

Now,this is clone

When W32.Sowsat.J@mm runs, it performs the following actions:

Creates the folder, C:\Windows\Temp, if it does not exist.

Copies itself into C:\Windows\Temp with the name Taskmgr32N.exe (where N is a number greater than or equal to zero).

Creates a zip file in C:\Windows\Temp with the name M.zip, where M is the number of times the worm has run on the computer.

Creates a folder in C:\Windows\Temp with a 12-digit name, which is a representation of the time at which the worm runs (for example, 070803112255 stands for 11:22:55 on 07 August 2003).

Adds the values:

"cftmon32" = "Java Compiler"
"jto" = "<the name of the folder created in step 4>"
"pcount" = "<the number of times the worm has run>"

to the registry key:


Adds the value:

"cftmon32"="c:\windows\temp\taskmgrN.exe" (where N has the same value as in step 2).

to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run

so that the worm runs when you start Windows.

Searches for the HTML files containing email addresses and sends itself to those addresses.

Attempts to send the zip file created in step 3 to its creator via SMTP.

Connects to the SMTP server, smtp.uol.com.br, and sends one of the following four email messages:

Message 1:
From: support@symantec.com
Subject: Symantec-Virus-Warning
Message: New virus in "The Wild" called "W32/Cow".Spreads through e-mail and IRC.A solution is this free program.Send this message to your friends.
Thank you, Symantec
Attachment: varies

Message 2:
From: piadeiros@risadinha.com.br
Subject: Piada do Paciente Galo
Message: Um paciente chegou com o psiquiatra e disse: - Doutor, eu sou um galo...
Attachment: varies

Message 3:
From: jonas.rc@yahoo.com.br
Subject: Ei, psiu...
Message: Nada. Te peguei...Gosto muito de voc, viu ? Estou com saudades. De seu amigo, Jonas.
Attachment: varies

Message 4:
From: notice@programese.kit.net
Subject: Bom dia !!!
Message: Feliz Aniversrio !!!

In August 2003, Symantec Security Response received reports that an individual was sending email, which claims to be sent from Symantec, to get the recipient to download and execute this Worm.

The email has the following characteristics:

From: symantec-bb [symantec-bb@uol.com.br]
Subject: Alerta de Seguranša da Symantec

The email may appear as the following:


Removal Instructions...
1.Disable System Restore (Windows Me/XP).
2.Update the virus definitions.
3.Run a full system scan and delete all the files detected as W32.Sowsat.J@mm or W32.Sowsat@mm.
4.Delete the value added to the registry.

More detail about removal.... Virus Removal Info (http://www.tombraiderforums.com/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=9;t=003986)
Already then....take care...