Sharp
Type: Mass-mailer worm, virus
Creator: Gigabyte
Date Discovered: 2002.02.26
Place of Origin: Mechelen, Belgium
Source Language: C#, Assembly
Platform: MS Windows with .NET
File Type(s): .exe
Infection Length: 12,288 bytes

Sharp, also known as Sharpei or Sharp.A, is a proof-of-concept virus and worm, the first written in C# and the second to target the .NET platform. It was created by Belgian hacker Gigabyte and was never released into the wild.

Behavior

The worm arrives in an email with the subject line "Important: Windows update". The message body is, "Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it." The attachment name is "MS02-010.EXE".

When Sharp is executed, it copies itself to the root of the C: drive under the same name as the attachment. It drops a script file named Sharp.vbs, which mails copies of the worm to every email address in the user's Outlook address book. It then deletes from the "Sent" folder all messages that it created.

It checks for the existence of the file mscoree.dll in the system folder to determine if the .NET platform is installed on the system. If this file is found, Sharp creates the file cs.exe, the viral component, in the Windows folder and executes it. This file is a .NET executable written in C#, which will only run on the .NET framework.

The MS02-010.exe file creates the registry key HKEY_LOCAL_MACHINE\Software\Sharp and adds the value "Sharp, @= C:\MS02-010.exe" to it. Cs.exe prepends MS02-010.exe to all .NET executables in the Program Files and Windows folders. It also drops a file named Sharp.vbs (different from the Sharp.vbs that performs the mailing) into the startup folder. This file displays a message box every time the computer starts, informing the user of the infection. When an infected file is run, the MS02-010.exe portion runs first and then the original file. While running, it creates a temporary file with a name such as hostcopy.exe or temp.exe.
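
The prepending layout described above suggests a simple triage check, shown here as an added example that is not part of the original page or of any vendor tool: it flags .exe files that begin with one PE image and contain a second PE header at exactly the 12,288-byte infection length. The function names are hypothetical, the sample bytes are constructed, and it is an assumption that the original host starts immediately after the prepended 12,288 bytes.

```python
import os
import struct

PREPEND_LEN = 12288  # infection length stated on this page

def pe_header_at(data, base):
    """True if a plausible DOS header plus PE signature starts at `base`."""
    if data[base:base + 2] != b"MZ" or len(data) < base + 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, base + 0x3C)
    sig = base + e_lfanew  # e_lfanew is relative to the start of the image
    return data[sig:sig + 4] == b"PE\0\0"

def looks_prepended(data, prepend_len=PREPEND_LEN):
    """Flag a PE file whose bytes from `prepend_len` onward start a second PE."""
    return (len(data) > prepend_len
            and pe_header_at(data, 0)
            and pe_header_at(data, prepend_len))

def scan_tree(root):
    """Return sorted paths of .exe files under `root` that match the layout."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable file: skip it
            if looks_prepended(data):
                hits.append(path)
    return sorted(hits)

def fake_pe(size):
    """Constructed sample: minimal DOS header + PE signature, zero-padded."""
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    return hdr.ljust(size, b"\0")

if __name__ == "__main__":
    host = fake_pe(4096)  # constructed clean host
    print(looks_prepended(host))
    print(looks_prepended(fake_pe(PREPEND_LEN) + host))  # constructed infected layout
```

A match is a lead for further analysis rather than a verdict, since the check looks only at file layout and not at the content of the first 12,288 bytes.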

Other Facts

The worm/dropper component is actually coded in Assembly. The viral component, cs.exe, is written in C#. Although Sharp is the first virus written in C#, it is not the first to target .NET; Benny's DotNET virus was the first to target the platform.
