W32.Sonic.Worm

Discovered: October 09, 2000
Updated: February 13, 2007 11:50:25 AM
Type: Worm


The W32.Sonic.Worm is an email worm that appears to have originated in France. The worm emails itself to addresses in the Windows address book. Once executed, the worm attempts to download additional files, including commercial .dll files that provide emailing routines and an updated version of the worm.

The worm also creates a back door that allows remote access to the computer.

Antivirus Protection Dates

  • Initial Rapid Release version October 09, 2000
  • Latest Rapid Release version March 23, 2017 revision 037
  • Initial Daily Certified version October 09, 2000
  • Latest Daily Certified version March 23, 2017 revision 041

Writeup By: Eric Chien

W32.Sonic.Worm is a UPX-packed PE executable that arrives as an email attachment with the subject

Choose your poison

The email does not contain any body text.

When executed, the following occurs:

  1. A message appears indicating that the file is not a valid Win32 executable. This message may be in French or English.
  2. The worm calls RegisterServiceProcess, allowing it to continue running after you log off; it only exits when Windows is shut down.
  3. The worm copies itself to the \Windows\System folder as Gdi32.exe.
  4. It adds itself to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    as:

    GDI32       \Windows\System\GDI32.exe
  5. Every ten minutes, the worm attempts to access an anonymous Web site at

    http://www.geocities.com/olivier1548/

    and attempts to check a text file for the latest version of itself. If successful, the worm then:
    1. Downloads the latest version of itself, which is encrypted.
    2. Unencrypts the file and saves it to the \Windows\System folder as Gdi32.exe.
    3. Repeats the procedure previously described in steps 3 and 4.

      NOTE: Early versions of the worm also downloaded a file named Gateway.zip.
  4. In addition, the worm downloads the DLLs necessary for its email routine. These DLLs are legitimate, non-viral files and currently include Emsmtp.dll; Norton AntiVirus does not detect them as infected. You may delete them.
  6. The worm then emails itself to addresses in the Microsoft Outlook address book using the default SMTP server. The worm works with Microsoft Outlook, Outlook Express and any other email clients that utilize the Windows address book.

Later variants attempt to email the author. The email account has apparently been closed.

The worm is a backdoor program, which listens on port 1973. New variants also listen on port 19703. The backdoor allows remote access to the computer and may create temporary files such as C:\Mykeys.sys. These files can be deleted.

Remote access includes screen capture, modification of the file system, transferring of files, arbitrary execution, obtaining computer system information, obtaining dial-up networking passwords, and process control. There are variants of this worm, and new variants have been created since the first discovery. Consequently, the subject line of email messages, file names, registry entries, and listening ports may change with future variants. The administrators of Geocities were contacted about the worm, and the Web page has been removed. Because of this, the worm may not work as designed.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.

To remove this worm, you must do the following:

  • Delete the Gdi32 entry that the worm made in the registry Run key.
  • Delete the Gdi32.exe (or a slight variant) file.
  • Run a full system scan.

For detailed instructions, see the sections that follow.


To delete the GDI32 entry from the registry:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. See the document How to back up the Windows registry before proceeding.
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and then click OK. The Registry Editor opens.
  3. Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. In the right pane, locate and select the entry

    GDI32 Windows\System\GDI32.exe

    NOTE: This file name may include a letter after GDI32, for example, GDI32A.exe, or it may be simply GDI.
  5. Write down the file name, and then press Delete. Click Yes to confirm.
  6. In the left pane, click the My Computer key.
  7. Click the Edit menu, and click Find.
  8. In the Find what box, type gdi32.exe and then click Find Next.

    NOTE: If the file name that you wrote down in step 5 included an extra letter, type that file name instead.
  9. If the file is found, then delete any references to this file.
  10. Exit the Registry Editor.
  11. Restart the computer.

To enable show all files:
  1. Start Windows Explorer.
  2. Click the View menu (Windows 95/98) or the Tools menu (Windows Me), and click Options or Folder Options.
  3. Click the View tab, and make sure that "Hide file extensions for known file types" is unchecked.
  4. Click Show all files, and then click OK.

To find and delete worm files:
  1. Click Start, point to Find (Windows 95/98/NT) or Search (Windows 2000/Me), and click Files or Folders.
  2. Make sure that Look in is set to (C:) and that Include subfolders is checked.
  3. Type gdi32.exe (include the extra letter of the file name if there was one) in the Named box, and then click Find Now.
  4. In the results pane, select the file that was found, press Delete, and then click Yes to confirm.

When finished with the removal, run LiveUpdate to make sure that you have the most recent virus definitions, and then run a full system scan, making sure that Norton AntiVirus is set to scan all files.
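The indicators given in the technical description (a Run-key value named GDI32, optionally with a trailing letter or shortened to GDI, whose data points at \Windows\System\GDI32.exe, plus the backdoor listening on TCP 1973 or 19703) and the registry and file lookups in the removal steps above can both be checked from two artifacts collected off a suspect machine: a .reg export of the Run key and the text output of netstat -an. The Python script below is an added triage example written for this page; it is not Symantec's tool or part of the original writeup. The .reg and netstat text embedded in it is constructed sample input, and the function names (find_run_key_indicators, find_backdoor_listeners, triage) are choices of this example.

```python
import re

# Ports the writeup lists for the backdoor: 1973 originally, 19703 in newer variants.
BACKDOOR_PORTS = {1973, 19703}

# Run-key value name used by the worm: GDI32, GDI32 plus one letter (e.g. GDI32A),
# or simply GDI, as the removal notes describe. Case-insensitive, like the registry.
RUN_VALUE = re.compile(r'^"(GDI32[A-Za-z]?|GDI)"="(.*)"$', re.IGNORECASE)
# Value data: a path ending in \Windows\System\GDI32<optional letter>.exe.
WORM_PATH = re.compile(r'\\Windows\\System\\GDI32[A-Za-z]?\.exe$', re.IGNORECASE)

# Constructed sample of a .reg export (regedit's Export Registry File) from an
# infected machine. The "Gdi" decoy shows that both the value name and the data
# must match; the RunOnce key shows that only the Run key is inspected.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Gdi"="C:\\Tools\\gdi.exe"
"GDI32A"="C:\\Windows\\System\\GDI32A.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Temp\\cleanup.exe"
'''

# Constructed sample of `netstat -an` output with the worm's backdoor listening.
SAMPLE_NETSTAT = '''
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1973           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1025      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
'''


def find_run_key_indicators(reg_export: str) -> list:
    """Return (value_name, path) pairs under the Run key that match the worm's entry."""
    hits = []
    in_run_key = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # A .reg export names each key in square brackets; track whether we
            # are inside ...\CurrentVersion\Run (and not RunOnce or another key).
            in_run_key = line.lower().endswith(r"\currentversion\run]")
            continue
        if not in_run_key:
            continue
        m = RUN_VALUE.match(line)
        if not m:
            continue
        # .reg files escape backslashes as "\\"; unescape before matching the path.
        path = m.group(2).replace("\\\\", "\\")
        if WORM_PATH.search(path):
            hits.append((m.group(1), path))
    return hits


def find_backdoor_listeners(netstat_output: str) -> list:
    """Return (local_host, port) for TCP sockets LISTENING on one of the worm's ports."""
    hits = []
    for raw in netstat_output.splitlines():
        parts = raw.split()
        # netstat -an rows: Proto, Local Address, Foreign Address, State
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        if parts[3].upper() != "LISTENING":
            continue
        host, _, port = parts[1].rpartition(":")
        if port.isdigit() and int(port) in BACKDOOR_PORTS:
            hits.append((host, int(port)))
    return hits


def triage(reg_export: str, netstat_output: str) -> dict:
    """Combine both checks into one report; 'suspect' is True if either check hits."""
    run_key = find_run_key_indicators(reg_export)
    listeners = find_backdoor_listeners(netstat_output)
    return {"run_key": run_key, "listeners": listeners, "suspect": bool(run_key or listeners)}


if __name__ == "__main__":
    report = triage(SAMPLE_REG_EXPORT, SAMPLE_NETSTAT)
    for name, path in report["run_key"]:
        print(f"Run-key value {name!r} -> {path} (delete the value, then the file)")
    for host, port in report["listeners"]:
        print(f"TCP {host}:{port} LISTENING (matches W32.Sonic.Worm backdoor port)")
    print("suspect:", report["suspect"])
```

To use it on a real machine, read the exported .reg file and the saved netstat output and pass their contents to triage(). A Run-key hit gives the exact value name and file name to carry into the registry and file-deletion steps above (including any extra letter after GDI32), and a listener on either port indicates the backdoor is active, which is the cue to isolate the computer as the recommendations describe before cleaning it.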
