Sharpei is the first prepending file infector that targets the
Microsoft .NET architecture. The virus is composed of three
different parts written in three different programming languages.
Assembly component
The binary part is a simple dropper that drops the other two and
checks for the presence of the .NET environment on the machine.
When started, it first copies itself to 'C:\MS02-010.exe', then
drops the Visual Basic Script mass-mailer part to a file called
'Sharp.vbs'. The .NET component is dropped to the Windows
directory as 'cs.exe'. If the .NET environment is available, the
dropper starts the .NET component and then exits.
.NET component
When started, this component first drops a small Visual Basic
Script file to the user's startup directory. The script displays
the following message at the next login:
The virus infects all EXE files in the system directory and three
other directories selected from 'Program Files'. The virus code
is prepended to the host file. When the infected file is started,
it first tries to infect other files, then writes the host
program to a temporary file ('temp.exe') and starts it.
Note: Even though .NET is supposed to be platform independent, this
virus will not work on non-Intel PCs since it relies on the Intel
binary part.
Visual Basic Script component
The Visual Basic Script component is a simple mass-mailer. It
uses the MS Outlook application to send messages to each recipient
listed in each Outlook address book. The sent messages look as follows:
Subject: "Important: Windows update"
Body: "Hey, at work we are applying this update because it makes
Windows over 50% faster and more secure. I thought I
should forward it as you may like it."
Attachment: MS02-010.exe
By using the name MS02-010 for the attachment, the worm tries to
disguise itself as the patch described on the Microsoft site: