Aliases: I-Worm Sonic
Type: Email worm and Trojan
Systems Affected: Windows 32-bit systems
Payload: Worm contains upgrade ability, thus functionality could vary
ITW: Yes
Description: Sonic travels as an attachment to email messages. If executed, the worm registers itself as a hidden service and copies itself to the Windows\System directory as GDI32.EXE. It also modifies the Run key at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, adding the value GDI=path\GDI32.EXE (where path is the path to the Windows\System directory). While doing this, the worm displays a message box titled Girls.Exe containing a message in French, which loosely translates to "this is not a valid Windows application".

The Sonic worm then downloads files from a GeoCities website. These files include LASTVERSION.TXT, which describes the latest version available; nn.ZIP, describing the latest version of the Main component (the value nn is obtained from the LASTVERSION.TXT file); and GATEWAY.ZIP, which is the latest version of the Loader component. The .ZIP files are actually encrypted Windows EXE files. The Loader portion decrypts them and copies them to the Windows directory. The Main component, which also provides limited backdoor access capabilities, is copied to the Windows directory as GDI32A.EXE and the registry is modified accordingly. The worm then accesses the user's Address Book and sends itself to the addresses listed therein. Two such attachments are described below:

Subject: Choose your poison
which contains the attached filename GIRLS.EXE, and

Subject: I'm your poison
which contains the attached filename LOVERS.EXE.

What to look for: Search the registry for the modification described above. Search the Windows\System directory for the file GDI32.EXE and/or GDI32A.EXE (Note that these filenames are very similar to other legitimate files in the Windows\System directory, so search for the exact name).
How to prevent it: Do not open attachments received unexpectedly even if from known senders. Most email worms take advantage of the infected user's address book, and thus email worms are most likely to be received from a known source.
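
The checks listed under "What to look for", written as an added Python example that is not part of the original entry. It takes the Run-key values and the Windows\System file listing as plain data and matches the exact names only; the function names and the sample data are constructed for illustration.

```python
import re

# Indicators as stated in the description above.
RUN_VALUE_NAME = "GDI"
WORM_FILES = ("GDI32.EXE", "GDI32A.EXE")

# Match the exact file name as the last path component of a command,
# so lookalikes such as GDI32.DLL or MYGDI32.EXE do not match.
_FILE_RE = re.compile(
    r'(?:^|[\\/"\s])(' + "|".join(re.escape(f) for f in WORM_FILES) + r')(?=$|["\s])',
    re.IGNORECASE,
)


def check_run_key(run_values):
    """run_values: {value name: command} exported from the Run key.
    Returns a sorted list of (value name, reason) findings."""
    findings = []
    for name, command in run_values.items():
        match = _FILE_RE.search(command)
        if match:
            findings.append((name, "launches " + match.group(1).upper()))
        elif name.upper() == RUN_VALUE_NAME:
            findings.append((name, "value name used by the worm"))
    return sorted(findings)


def check_system_dir(filenames):
    """filenames: names listed from Windows\\System. Exact-name match only."""
    wanted = {f.upper() for f in WORM_FILES}
    return sorted(n for n in filenames if n.upper() in wanted)


# Constructed sample data (not from a real machine).
SAMPLE_RUN = {
    "SystemTray": "SysTray.Exe",
    "GDI": r"C:\WINDOWS\SYSTEM\GDI32.EXE",
    "Updater": r'"C:\WINDOWS\GDI32A.EXE" /s',
    "Video": r"rundll32.exe C:\WINDOWS\SYSTEM\GDI32.DLL,Init",
}
SAMPLE_FILES = ["GDI.EXE", "GDI32.DLL", "gdi32.exe", "USER32.DLL"]

if __name__ == "__main__":
    print(check_run_key(SAMPLE_RUN))
    print(check_system_dir(SAMPLE_FILES))
```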

©2016 About.com. All rights reserved.