Sharp | |
---|---|
Type | Mass-mailer worm, virus |
Creator | Gigabyte |
Date Discovered | 2002.02.26 |
Place of Origin | Mechelen, Belgium |
Source Language | C#, Assembly |
Platform | MS Windows with .NET |
File Type(s) | .exe |
Infection Length | 12,288 bytes |
Sharp, also known as Sharpei or Sharp.A, is a proof-of-concept virus and worm, the first written in C# and the second to target the .NET platform. It was created by Belgian hacker Gigabyte and was never released into the wild.
Behavior
The worm arrives in an email with the subject line "Important: Windows update". The message body is "Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it." The attachment name is "MS02-010.EXE".
When Sharp is executed, it copies itself to the root of the C: drive under the same name as the attachment. It drops a script file named Sharp.vbs, which mails copies of the worm to every email address in the user's Outlook address book. It then deletes the messages it created from the "Sent" folder.
It checks for the existence of the file mscoree.dll in the system folder to determine if the .NET platform is installed on the system. If this file is found, Sharp creates the file cs.exe, the viral component, in the Windows folder and executes it. This file is a .NET executable written in C#, which will only run on the .NET framework.
The MS02-010.exe file creates the registry key HKEY_LOCAL_MACHINE\Software\Sharp and adds the value "Sharp, @= C:\MS02-010.exe" to it. Cs.exe prepends MS02-010.exe to all .NET executables in the Program Files and Windows folders. It also drops a file named Sharp.vbs (different from the Sharp.vbs that performs the mailing) into the startup folder. This file displays a message box every time the computer starts, informing the user of the infection. When an infected file is run, it runs the MS02-010.exe portion first and then the original file. While it is running, it creates a temporary file with a name such as hostcopy.exe or temp.exe.
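Because the virus prepends itself, an infected file is laid out as one complete PE image followed by a second one (the original host). The following is an added example, not code from the original page or from any antivirus product: a heuristic check for that layout, assuming the host begins exactly at the 12,288-byte infection length listed in the infobox. All function names are hypothetical and the sample bytes are constructed.

```python
import struct
import sys

INFECTION_LENGTH = 12_288  # "Infection Length" from the infobox (assumed host offset)


def is_pe(buf: bytes, base: int = 0) -> bool:
    """True if a well-formed MZ/PE header pair starts at offset `base`."""
    if len(buf) < base + 0x40 or buf[base:base + 2] != b"MZ":
        return False
    # e_lfanew (offset 0x3C of the DOS header) locates the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", buf, base + 0x3C)
    sig = base + e_lfanew
    return buf[sig:sig + 4] == b"PE\x00\x00"


def looks_prepended(buf: bytes, prefix_len: int = INFECTION_LENGTH) -> bool:
    """Heuristic: a PE image at offset 0 and a second one at `prefix_len`.

    Installers and packers can also embed PE images, so treat a hit as a
    reason to inspect the file, not as proof of infection.
    """
    return is_pe(buf, 0) and is_pe(buf, prefix_len)


def host_bytes(buf: bytes, prefix_len: int = INFECTION_LENGTH):
    """Return the bytes after the prefix (the presumed host), or None."""
    return buf[prefix_len:] if looks_prepended(buf, prefix_len) else None


def make_sample_pe(size: int, tag: bytes = b"") -> bytes:
    """Constructed test input: minimal MZ header + PE signature, zero padded."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\x00\x00"
    img[0x90:0x90 + len(tag)] = tag
    return bytes(img)


if __name__ == "__main__":
    # Usage: python check_prepend.py file1.exe file2.exe ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            flagged = looks_prepended(fh.read())
        print(f"{path}: {'second PE at offset 12288' if flagged else 'no match'}")
```
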
Other Facts
The worm/dropper component is actually coded in Assembly. The viral component, cs.exe, is written in C#. While it is the first virus to be written in C#, it is not the first virus to target .NET, as Benny's DotNET virus was the first to target the platform.