Sonic worm updates itself via the Internet

The Sonic worm (W32.Sonic.Worm), an e-mail worm that hails from Germany, can automatically upgrade itself with each new infection.
Written by Robert Vamosi, Contributor
This worm has a "backdoor" that allows a remote user broad access to infected computers.

How about an e-mail worm that can automatically upgrade itself with each new infection? The Sonic worm (W32.Sonic.Worm) hails from Germany, spreads via e-mail, and consists of two parts: a loader and a payload.

If a user clicks on the .EXE attachment, the worm first contacts the Internet, then downloads a newer and potentially more destructive version of itself.

Within the last few days, there have been several new versions of Sonic released by its author. Sonic does not yet contain a destructive payload. It currently ranks as a 4 on the ZDNet Virus Meter.

How it works
Sonic, which gets its name from a bit of a code that reads "SonicYouth", arrives in your e-mail InBox with the following details:

Subject: Choose your poison or Name your poison
Body: none
Attachment: LOVERS.EXE

Clicking on the .EXE attachment executes the loader. Once installed, the worm connects to the Internet to download several updated payload files from a Web site. The files include:

  • LASTVERSION.TXT — the latest version of the worm.
  • *.ZIP—where the asterisk is whatever version is defined by LASTVERSION.TXT.
  • GATEWAY.ZIP—the latest version of the loader files.

    The worm inserts itself into the infected computer as GDI32.EXE in the folder Windows\System. Each time Windows loads, GDI32.EXE executes, contacting the Internet for new intructions.

    What is troubling about this worm is that it can continue to connect to the Internet, and not just update itself. It can find and send user and operating system information, capture passwords, copy/delete/rename/execute files, as well as crash the system upon command.

    All the major anti-virus companies have now updated their signature files to recognize and safely remove Sonic.

    Here are the key steps for preventing infection by the Sonic e-mail worm:

  • Don't open attachments! Since the attachment is a .EXE, the Microsoft Outlook Security Patch won't necessarily protect you. It's a good idea not to open e-mail attachments, especially when viruses such as Sonic are being actively circulated. Even if the e-mail is from a known source, be careful. A few viruses take the mailing lists from an infected computer and send out new messages with its destructive payload attached. Always scan the attached files first for viruses. Unless it's a file or an image you are expecting, delete it.

  • Stay informed. Did you know that there are virus and security alerts almost every day? Keep up-to-date on breaking viruses and solutions by bookmarking our Viruses, Bugs, Security Alerts page.

  • Get protected. If you don't already have virus protection software on your machine, you should. If you're a home or individual user, it's as easy as downloading any of these programs then following the installation instructions. If you're on a network, check with your network administrator first. If you're not sure if your existing anti-virus software is up-to-date, scan your system for free to find out.

  • Scan your system regularly. If you're just loading anti-virus software for the first time, it's a good idea to let it scan your entire system. It's better to start with your PC clean and free of virus problems. Often the anti-virus program can be set to scan each time the computer is rebooted or on a periodic schedule. Some will scan in the background while you are connected to the Internet. Make it a regular habit to scan for viruses.

  • Update your anti-virus software. Now that you have virus protection software installed, make sure it's up-to-date. Some anti-virus protection programs have a feature that will automatically link to the Internet and add new virus detection code whenever the software vendor discovers a new threat. You can also download updates from ZDNet Updates.com.

    To stay up-to-date on the latest virus alerts and solutions, bookmark our Virus Protection Guide.

  • Editorial standards