Sunday, November 13, 2005


Sonic is a blended threat with the confirmed ability (and desire) to connect to the Internet and download files and updates.
Sonic’s worm component propagates via email messages that have a subject line of “Choose your poison” or “Name your poison” and include an attachment called GIRLS.EXE or LOVERS.EXE. When a user double-clicks (or otherwise executes) the attachment, the initial component of the attachment runs. This component, called the loader, starts itself as a hidden system service, drops a copy of itself (as GDI32.EXE) into the Windows system directory (usually C:\WINDOWS\SYSTEM), and modifies the Windows Registry so that the loader executes each time the user starts Windows.
At this point, the primary component of the attachment attempts to access an anonymous web page every 10 minutes to download the latest versions of the worm and attachment components. Sonic then decrypts the files and saves a new version of GDI32.EXE to the Windows system directory. Finally, the worm propagates by emailing itself to entries in the Outlook address book.
Sonic’s primary component also includes backdoor abilities, which can let a remote party infiltrate and utilize system resources on infected computers.
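The indicators described above can be turned into a simple triage check for a mail gateway and for an autorun inventory. The following is an added example, not code from the original post; the function names are hypothetical, the sample message is constructed, and because the post does not name the registry location used, the autorun check takes a caller-supplied mapping of entry name to command line.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators named in the write-up above.
SUBJECTS = {"choose your poison", "name your poison"}
ATTACHMENTS = {"girls.exe", "lovers.exe"}
DROPPED_NAME = "gdi32.exe"  # dropped copy; Windows' own GDI library is gdi32.dll


def mail_indicators(raw: bytes) -> list:
    """Return the Sonic indicators present in one raw e-mail message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits


def program_name(command: str) -> str:
    """Extract the lower-cased executable file name from a command line."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        path = command.split(None, 1)[0] if command else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def autorun_indicators(entries: dict) -> list:
    """Names of autorun entries (name -> command line) that start GDI32.EXE."""
    return [n for n, cmd in entries.items() if program_name(cmd) == DROPPED_NAME]


def constructed_sample() -> bytes:
    """Build a harmless test message carrying the subject and attachment name."""
    m = EmailMessage()
    m["Subject"] = "Choose your poison"
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m.set_content("constructed sample body")
    m.add_attachment(b"not a real executable", maintype="application",
                     subtype="octet-stream", filename="GIRLS.EXE")
    return m.as_bytes()


if __name__ == "__main__":
    print(mail_indicators(constructed_sample()))
```

The autorun check compares only the executable's file name, so a command line that merely passes gdi32.dll as an argument to another program is not flagged.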


