Cambridge, UK, October 30, 2000 - Kaspersky Lab Int., an international anti-virus software-development company, warns users of the discovery of Sonic, a new Internet-worm.
This worm was discovered in France and Germany on the morning of 30 October.
A distinctive feature of this malicious program is its ability to update itself
(this means, to automatically download additional functional components) via
The worm consists of two parts: the loader and the main module. Copies of the
loader are spread across the Internet by e-mail. Once the worm enters
a computer, it penetrates the PC's operating system and initiates a connection
to the hacker's site at "Geocities," a popular resource for free home pages.
From there, Sonic tries to illegally download the main module in order to install
it on the infected PC. The download procedure for the main module is built
so that the worm's author can define its content. The procedure
works as follows:
- The worm connects to the hacker's site and downloads the file LASTVERSION.TXT,
containing the version number of the worm's main module available on the site.
- If the infected computer has no main module installed or the version on
the site is higher, then the loader downloads two files from the site: nn.ZIP
(where 'nn' is the number of the current main module's version) and GATEWAY.ZIP
(the latest loader version).
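The update procedure above leaves a recognisable request sequence in web-proxy logs. The following detector is an added example, not part of the original release or any Kaspersky Lab code: it correlates, per client, a LASTVERSION.TXT request with later nn.ZIP and GATEWAY.ZIP requests from the same directory. The log record layout, the five-minute window, the case-insensitive matching and the sample hosts are assumptions.

```python
import re
from urllib.parse import urlsplit

# File names come from the release; the log format and window are assumptions.
VERSION_FILE = "LASTVERSION.TXT"
LOADER_ARCHIVE = "GATEWAY.ZIP"
MODULE_ARCHIVE = re.compile(r"^\d+\.ZIP$")   # 'nn.ZIP', nn = module version number
WINDOW_SECONDS = 300                          # assumed correlation window

# Constructed sample records: (epoch seconds, client address, requested URL).
SAMPLE_LOG = [
    (1000, "10.0.0.5", "http://freehost.example/user/lastversion.txt"),
    (1004, "10.0.0.5", "http://freehost.example/user/12.zip"),
    (1009, "10.0.0.5", "http://freehost.example/user/gateway.zip"),
    (1010, "10.0.0.7", "http://files.example/tools/gateway.zip"),        # lone archive
    (2000, "10.0.0.9", "http://freehost.example/user/LASTVERSION.TXT"),  # check only
    (5000, "10.0.0.9", "http://freehost.example/user/13.ZIP"),           # outside window
]

def classify(url):
    """Map a URL to the update step its file name matches, or None."""
    name = urlsplit(url).path.rsplit("/", 1)[-1].upper()
    if name == VERSION_FILE:
        return "version_check"
    if name == LOADER_ARCHIVE:
        return "loader"
    return "module" if MODULE_ARCHIVE.match(name) else None

def find_update_sequences(records, window=WINDOW_SECONDS):
    """Return {client: 'update' | 'check_only'} for clients that fetched the version file."""
    state = {}     # client -> (time of version check, directory, steps seen since)
    verdicts = {}
    for ts, client, url in sorted(records):
        step = classify(url)
        if step is None:
            continue
        directory = url.rsplit("/", 1)[0].lower()
        if step == "version_check":
            state[client] = (ts, directory, set())
            verdicts.setdefault(client, "check_only")
        elif client in state:
            start, base, seen = state[client]
            if ts - start <= window and directory == base:
                seen.add(step)
                if seen == {"module", "loader"}:
                    verdicts[client] = "update"
    return verdicts
```

A `check_only` verdict is still worth triage: by the procedure above, a loader whose main module is already current fetches the version file and nothing else.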
The main purpose of the main module is unauthorised data capture, tracking
all of a user's activities and remotely controlling the infected computer (backdoor).
Kaspersky Lab verifies that the worm's author can easily change the main module's
payload, including those that carry content, which is even more dangerous and
After the main module has been installed, the worm secretly gains access to
the Windows address book (WAB), extracts the e-mail addresses available there,
and sends out infected messages, containing copies of the worm's loader, to
all of the encountered recipients. In the known versions of the worm, the infected
messages have the following details:
Subject: Choose your poison
"This is not the first time we have discovered malicious code capable
of self-updating via the Internet. Before 'Sonic', the Babylonia virus had the
same abilities, as well as the Resume worm and others," said Denis Zenkin,
Head of Corporate Communications for Kaspersky Lab. "However, this is not
something that catches our attention at the moment. The more disturbing thing
is that this feature seems to have become a new standard for malicious programs,
since more and more of them can self-update themselves via the Internet. This
is a very dangerous trend, as it allows hackers to extend their malware capabilities
in real-time with direct connection to the infected computers."
Further details about the 'Sonic' worm are available at the Kaspersky
Protection against this worm has already been added to the daily update of
AntiViral Toolkit Pro (AVP).
AntiViral Toolkit Pro can be purchased at the Kaspersky
Lab online store.