Sonic worm updates itself via the Internet

The Sonic worm (W32.Sonic.Worm), an e-mail worm that hails from Germany, can automatically upgrade itself with each new infection.

This worm has a "backdoor" that allows a remote user broad access to infected computers.

How about an e-mail worm that can automatically upgrade itself with each new infection? The Sonic worm (W32.Sonic.Worm) hails from Germany, spreads via e-mail, and consists of two parts: a loader and a payload.

If a user clicks on the .EXE attachment, the worm first contacts the Internet, then downloads a newer and potentially more destructive version of itself.

Within the last few days, there have been several new versions of Sonic released by its author. Sonic does not yet contain a destructive payload. It currently ranks as a 4 on the ZDNet Virus Meter.

How it works
Sonic, which gets its name from a bit of code that reads "SonicYouth", arrives in your e-mail inbox with the following details:

Subject: Choose your poison or Name your poison
Body: none
Attachment: LOVERS.EXE
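
The delivery details listed above can be expressed as a mail-gateway check. This is an added example, not part of the original article or any vendor's signature; the extension list, function names and sample messages are assumptions, and the messages are constructed with placeholder bytes.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators stated in the article.
SONIC_SUBJECTS = {"choose your poison", "name your poison"}
SONIC_ATTACHMENT = "lovers.exe"
# Assumption (not from the article): extensions treated as directly executable.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

def inspect_message(raw_bytes):
    """Return the list of indicators one RFC 822 message matches."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = " ".join(str(msg["Subject"] or "").lower().split())
    names = [p.get_filename().lower() for p in msg.walk() if p.get_filename()]
    body = msg.get_body(preferencelist=("plain", "html"))
    empty_body = body is None or not body.get_content().strip()
    findings = []
    if subject in SONIC_SUBJECTS:
        findings.append("subject")
    if SONIC_ATTACHMENT in names:
        findings.append("attachment-name")
    if any(n.endswith(EXECUTABLE_EXTS) for n in names):
        findings.append("executable-attachment")
    if empty_body and names:
        findings.append("empty-body-with-attachment")
    return findings

def verdict(findings):
    """Exact Sonic match, generic executable quarantine, or pass."""
    if "subject" in findings and "attachment-name" in findings:
        return "sonic-match"
    if "executable-attachment" in findings:
        return "quarantine"
    return "pass"

def build_sample(subject, filename, body=None):
    """Build a constructed test message; the payload is placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    if body is not None:
        m.set_content(body)
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, name, body in [("Choose your poison", "LOVERS.EXE", None),
                             ("Meeting notes", "notes.txt", "Minutes attached.\n")]:
        print(subj, "->", verdict(inspect_message(build_sample(subj, name, body))))
```

The generic executable rule is kept separate from the exact match so that a message with a different subject or attachment name is still held for review.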

Clicking on the .EXE attachment executes the loader. Once installed, the worm connects to the Internet to download several updated payload files from a Web site. The files include:

  • LASTVERSION.TXT — the latest version of the worm.
  • *.ZIP — where the asterisk is whatever version is defined by LASTVERSION.TXT.
  • GATEWAY.ZIP — the latest version of the loader files.

The worm inserts itself into the infected computer as GDI32.EXE in the folder Windows\System. Each time Windows loads, GDI32.EXE executes, contacting the Internet for new instructions.

What is troubling about this worm is that it can continue to connect to the Internet, and not just to update itself. It can find and send user and operating system information, capture passwords, copy/delete/rename/execute files, as well as crash the system upon command.

All the major anti-virus companies have now updated their signature files to recognize and safely remove Sonic. Here are the key steps for preventing infection by the Sonic e-mail worm:

  • Don't open attachments! Since the attachment is a .EXE, the Microsoft Outlook Security Patch won't necessarily protect you. It's a good idea not to open e-mail attachments, especially when viruses such as Sonic are being actively circulated. Even if the e-mail is from a known source, be careful. A few viruses take the mailing lists from an infected computer and send out new messages with their destructive payload attached. Always scan the attached files first for viruses. Unless it's a file or an image you are expecting, delete it.

  • Stay informed. Did you know that there are virus and security alerts almost every day? Keep up-to-date on breaking viruses and solutions by bookmarking our Viruses, Bugs, Security Alerts page.

  • Get protected. If you don't already have virus protection software on your machine, you should. If you're a home or individual user, it's as easy as downloading any of these programs then following the installation instructions. If you're on a network, check with your network administrator first. If you're not sure if your existing anti-virus software is up-to-date, scan your system for free to find out.

  • Scan your system regularly. If you're just loading anti-virus software for the first time, it's a good idea to let it scan your entire system. It's better to start with your PC clean and free of virus problems. Often the anti-virus program can be set to scan each time the computer is rebooted or on a periodic schedule. Some will scan in the background while you are connected to the Internet. Make it a regular habit to scan for viruses.

  • Update your anti-virus software. Now that you have virus protection software installed, make sure it's up-to-date. Some anti-virus protection programs have a feature that will automatically link to the Internet and add new virus detection code whenever the software vendor discovers a new threat. You can also download updates from ZDNet Updates.com.

    To stay up-to-date on the latest virus alerts and solutions, bookmark our Virus Protection Guide.
