Sonic: Yet Another Self-Updating Internet-Worm Has Been Discovered "in the wild"

29 Oct 2000
Virus News

Cambridge, UK, October 30, 2000 - Kaspersky Lab Int., an international anti-virus software-development company, warns users of the discovery of Sonic, a new Internet-worm. This worm was discovered in France and Germany in the morning on 30 October 2000.

A distinctive feature of this malicious program is its ability to update itself via the Internet, that is, to automatically download additional functional components from a remote site.

The worm consists of two parts: the loader and the main module. Copies of the loader are spread across the Internet by e-mail. Once the loader runs on a computer, it installs itself into the PC's operating system and initiates a connection to the hacker's site at "Geocities," a popular free home-page hosting service.

From there, Sonic tries to download the main module and install it on the infected PC. The download procedure is designed so that the worm's author can decide what the main module contains. It works as follows:

  1. The worm connects to the hacker's site.
  2. It downloads the file LASTVERSION.TXT, which contains the version number of the worm's main module currently available on the site.
  3. If the infected computer has no main module installed, or the version on the site is higher than the installed one, the loader downloads two files from the site: nn.ZIP (where 'nn' is the version number of the current main module) and GATEWAY.ZIP (the latest version of the loader).

The main purpose of the main module is unauthorised data capture: tracking all of a user's activities and remotely controlling the infected computer (a backdoor). Kaspersky Lab confirms that the worm's author can easily replace the main module's payload, including with one that is even more dangerous and destructive.

After the main module has been installed, the worm secretly gains access to the Windows Address Book (WAB), extracts the e-mail addresses stored there, and sends infected messages containing copies of the worm's loader to every address found. In the known versions of the worm, the infected messages have the following details:

Subject: Choose your poison

Attachment: GIRLS.EXE
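The file names in the update procedure (LASTVERSION.TXT, nn.ZIP, GATEWAY.ZIP) and the message details above are concrete enough to look for in proxy logs and inbound mail. The following is an added, defender-side illustration written for this page; it is not code from Kaspersky Lab or from the worm. The proxy log format, the host and path in the sample URLs, the client addresses and the two sample e-mail messages are all constructed assumptions; only the file names, the subject line and the attachment name come from the release.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from email.message import Message

# Constructed sample proxy log (not real traffic). Assumed line format:
# "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2000-10-30T08:12:01 10.0.0.15 GET http://www.geocities.com/example-page/LASTVERSION.TXT 200
2000-10-30T08:12:03 10.0.0.15 GET http://www.geocities.com/example-page/12.ZIP 200
2000-10-30T08:12:05 10.0.0.15 GET http://www.geocities.com/example-page/GATEWAY.ZIP 200
2000-10-30T08:13:40 10.0.0.22 GET http://www.example.org/news/index.html 200
2000-10-30T08:14:02 10.0.0.31 GET http://www.example.org/files/report.zip 200
"""

# File names named in the advisory. "nn.ZIP" is matched as digits + ".ZIP",
# so an ordinary archive such as report.zip does not trigger.
UPDATE_FILE_RE = re.compile(r"/(LASTVERSION\.TXT|GATEWAY\.ZIP|\d+\.ZIP)$", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    client: str
    url: str
    kind: str  # "LASTVERSION.TXT", "GATEWAY.ZIP" or "nn.ZIP"


def classify(name: str) -> str:
    upper = name.upper()
    if upper in ("LASTVERSION.TXT", "GATEWAY.ZIP"):
        return upper
    return "nn.ZIP"


def flag_update_fetches(log_text: str) -> list[Hit]:
    """Return every request whose URL ends in one of the worm's update file names."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than crash on it
        _ts, client, _method, url, _status = parts[:5]
        m = UPDATE_FILE_RE.search(url)
        if m:
            hits.append(Hit(client, url, classify(m.group(1))))
    return hits


def clients_with_update_sequence(log_text: str) -> set[str]:
    """Clients that fetched LASTVERSION.TXT and then at least one of the two archives:
    the full sequence from the release, which is a stronger signal than one file name."""
    kinds_by_client: dict[str, set[str]] = {}
    for h in flag_update_fetches(log_text):
        kinds_by_client.setdefault(h.client, set()).add(h.kind)
    return {
        c for c, kinds in kinds_by_client.items()
        if "LASTVERSION.TXT" in kinds and kinds & {"GATEWAY.ZIP", "nn.ZIP"}
    }


# Constructed sample messages. The subject and attachment name are the ones
# quoted in the release; the addresses and body are made up.
SAMPLE_RAW_MAIL = """\
From: someone@example.com
To: recipient@example.org
Subject: Choose your poison
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

hi
--XYZ
Content-Type: application/octet-stream; name="GIRLS.EXE"
Content-Disposition: attachment; filename="GIRLS.EXE"
Content-Transfer-Encoding: base64

TVo=
--XYZ--
"""

SAMPLE_BENIGN_MAIL = """\
From: colleague@example.org
To: recipient@example.org
Subject: Re: meeting notes
MIME-Version: 1.0
Content-Type: text/plain

See you at 10.
"""


def attachment_names(msg: Message) -> list[str]:
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def is_sonic_loader_mail(raw: str) -> bool:
    """True when both indicators from the release are present (matched case-insensitively,
    an assumption: the release quotes the exact strings only)."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    names = [n.lower() for n in attachment_names(msg)]
    return subject == "choose your poison" and "girls.exe" in names


if __name__ == "__main__":
    for hit in flag_update_fetches(SAMPLE_PROXY_LOG):
        print(f"{hit.client} fetched {hit.kind}: {hit.url}")
    print("full update sequence seen from:", clients_with_update_sequence(SAMPLE_PROXY_LOG))
    print("sample mail flagged:", is_sonic_loader_mail(SAMPLE_RAW_MAIL))
```

The proxy check deliberately keys on the sequence (a version file followed by an archive download from the same client) rather than on the Geocities host, since the host was chosen by the author and can change while the three-step update logic is what the release describes.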

"This is not the first time we have discovered malicious code capable of self-updating via the Internet. Before 'Sonic', the Babylonia virus had the same abilities, as well as the Resume worm and others," said Denis Zenkin, Head of Corporate Communications for Kaspersky Lab. "However, this is not something that catches our attention at the moment. The more disturbing thing is that this feature seems to have become a new standard for malicious programs, since more and more of them can self-update themselves via the Internet. This is a very dangerous trend, as it allows hackers to extend their malware capabilities in real-time with direct connection to the infected computers."

Further details about the 'Sonic' worm are available at the Kaspersky Virus Encyclopedia.

Protection against this worm has already been added to the daily update of AntiViral Toolkit Pro (AVP).

AntiViral Toolkit Pro can be purchased at the Kaspersky Lab online store.