Sharpei Virus Written In C#

josepha48 points to a CNET article on a new worm written in C# and partly aimed at the .Net framework, excerpting: "On Friday, antivirus companies received a copy of a worm called Sharpei, which is partially written in Microsoft's newest computer language, C#, and designed to infect computers loaded with the .Net framework."

Re:It's NOT a .NET virus!

[rjamestaylor]

• The virus is _NOT_ a .net program, it's NOT running on the .net platform and it's NOT messing around with files from managed code.

So, its a .NOT virus...

social engineering

[hiroko]

You've got to love the message in the email:

Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it.

Re:social engineering

[Shiny+Metal+S.]

This is nothing! Have you heard about the "Don't F***ing Open Me!" Virus?

E-mail inboxes were flooded with messages this morning as a new virus quickly spread around the world. Dubbed "Don't Fucking Open Me" by anti-virus researchers, the infected e-mail follows a similar course to other viruses and replicates by sending itself out to everyone in the infected computer's Outlook and Outlook Express address book. The virus also contains two different payloads: one version formats the hard drive and displays the message "This is for your own good"; the other payload creates random Power Point presentations in the "My Documents" folder.

Savvy users can spot the virus by its subject which is "Don't Fucking Open Me" or by the attachment which is entitled "Don't_Fucking_Open_Me.exe".

"This virus tricks the user with an old psychological tactic called reverse psychology. Apparently the curiosity created by the message has been too much for thousands of users," said anti-virus researcher Bob Atibop. According to Atibop, this isn't the first time reverse psychology has been used. In 1998, the "Don't Pee on Your Keyboard" worm caused a flood of damage.

Researchers have seen large infection among AOL users and middle managers, the two largest concentrations of naive and inept computer users.

Claudia Hawkins who was infected by the virus said, "My son told me not to open attachments, but.... I mean my MOM sent it! What if she was hurt?!?"

Another infected user too embarrassed to reveal his name said, "I thought that there was no way that this could be a virus. What kind of stupid idiot virus writer would put a dumb title on it like that? No one would ever open something that says not to open it. The virus would never spread defeating the whole purpose of it."

Experts advise extreme caution when opening messages entitled "Don't Fucking Open Me" or "Click Here for Cash and Virus Infection".

Not sure I'd call this a .NET virus

[wadetemp]

If the attachment is opened, then the worm uses the Outlook address book to send messages--with a copy of the virus attached--to every address in the book. It then deletes the e-mails from the sent folder and removes the copy of itself.


.NET exe files won't run unless the framework is present. They are "dead" exes that do nothing when double clicked. So the question is... is the bulk mailer part native code or .NET code? Read on...


On PCs loaded with Windows XP and other .Net-enabled computers, however, Sharpei would additionally infect files in four other folders. If those files were opened, the virus would run again.

This *additonal* behavior that affects .NET enabled computers is the part that could possibly be written in C#, and it looks like it's not responsible for any of the bulk emailing... it just runs the native executable portion again, which does the bulk mailing. And by the way, XP is not .NET enabled. I think this is either a hoax or a very misunderstood virus.

Re:Not sure I'd call this a .NET virus

[muffen]

This *additonal* behavior that affects .NET enabled computers is the part that could possibly be written in C#, and it looks like it's not responsible for any of the bulk emailing...

You are correct, this is the only part that is written in .NET compiled down to MSIL. Here's a cut from the Symantec writeup: The replication code of the virus is written in C# and compiled to MSIL...

The emailing routine is done by dropping a VBS file that enumerates the outlook addressbook sending an email to everyone in there.

This is said to be the second virus that infects .NET files. The first one was W32.Donut (even though W32.Donut doesn't actually infect the MSIL part of the executable, but the one containing the normal X86 code).

In my opinion, we still haven't seen the first *true* .NET virus. When there is a virus that infects the MSIL (Microsoft Intermediate Language) code, then I think it qualifies as a .NET virus. All the .NET virus we have seen so far appear to be attempts by viruswriters to get media attention, and as we can see, it worked :-/

Re:It's NOT a .NET virus!

[Masa]

The virus is _NOT_ a .net program, it's NOT running on the .net platform and it's NOT messing around with files from managed code.

Here is a description by F-Secure and it claims that one part of the virus is actually using .NET:

http://www.fsecure.com/v-descs/blunt.shtml

Read the technical details at Symantic

[Carnage4Life]

I just looked at the Symantec write up for W32.HLLP.Sharpei@mm and from what I read its primarily just another social engineering email-with-executable-attachment worm ("Please run this MSFT update") which happens to use C# in some of the code it runs after it has 0wn3d your machine.

The fact that the worm tries to run a C# executable after it has already compromised the machine is not much of a technical feat since it could run anything including a Perl script, Java program, Lisp code, etc as long as the runtimes were available on the target machine.

Disclaimer: The opinions expressed in this post are mine and mine alone and do not reflect the opinions, wishes, strategies or intentions of my employer.

Re:What about Java virii?

[InfoSec]

The problem is that the JRE has a security manager which, unless the user mucks it up, won't allow virii to access the local machine or resources (i.e. address book).

M$ doesn't call Sharpei a worm

[Ilan+Volow]

They prefer the term "a few wrinkles here and there"

Re:What about Java virii?

[jaavaaguru]

The JRE lives in a directory where normal users don't have write permission to. This is definitely the case in UNIX/Linux and our Win NT based machines at home are also set up this way. If someone installs something into a directory that is world writable, then they should be prepared for these kind of things to happen. If an OS insists on putting important things in silly places, then maybe software manufacturers for that OS should make their users aware of this and possible change the permissions on directories after their software has installed? If Windows XP treats users as dumbasses, why should these same users be expected to know anything about securing their system?

Proof of concept?

[Alizarin+Erythrosin]

Seems to me this is more like a proof of concept virus, like that one that was written in Flash a while back, demonstrating the kinds of things that COULD happen should Outlook's holes and bugs not be patched up.

The message body is actually a very misleading one though... I mean, who wouldn't wanna speed up Windows by 50% and make it more secure? We can't get that kind of update, even out of Microsoft!

Worm with a virus payload

[prockcore]

This is actually a win32 worm, with a .net virus payload.

" On PCs loaded with Windows XP and other .Net-enabled computers, however, Sharpei would additionally infect files in four other folders. If those files were opened, the virus would run again."

The .net half is a true virus, and spreads among .net executables.

Re:Another Outlook worm

[gazbo]

Did you read the article? They send an executable file, and ask the recipient to execute it. WTF are Microsoft going to do about that, short of hooking in a virus scanner by default into Outlook that auto-updates behind the user's back every time they connect to the Internet, and refuses to display mails that have a virus?

Oh, and before you say that they *should* do this, firstly think about people who may have a legitimate reason to want to download a virus[1] and secondly, think of the accusations of monopolistic practices - I can't see Norton, McAffee et al taking that without a fight.

Back to the subject, what else can Microsoft do about blatant user stupidity in the face of so much publicity about email viruses over the past year?

[1] I wrote a website that allowed users to upload documents available for public download. Being a community spirited sort of chap I included a server side virus scan, and needed a copy of a virus in order to test it was working. I was sent a copy of I Love You in the end by a friend. See, I really did mean there are legitimate reasons.