Classification

Category: Malware

Type: Virus

Aliases: Sharpei, Sharp, Win32.HLLP.Sharp, Blunt

Summary

Sharpei is the first prepending file infector that targets the Microsoft .NET architecture. The virus is composed of three parts, each written in a different programming language.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Assembly component

The binary part is a simple dropper that drops the other two components and checks for the presence of the .NET environment on the machine. When started, it first copies itself to 'C:\MS02-010.exe', then drops the Visual Basic Script mass-mailer part to a file called 'Sharp.vbs'. The .NET component is dropped to the Windows directory as 'cs.exe'. If the .NET environment is available, the dropper starts the .NET component and then exits.

.NET component

When started, this component first drops a small Visual Basic Script file to the user's startup directory. The script displays the following message at the next login:

The virus infects all EXE files in the system directory and in three other directories selected from 'Program Files'. The virus code is prepended to the host file. When an infected file is started, it first tries to infect other files, then writes the host program to a temporary file ('temp.exe') and starts it.

Note: Even though .NET is supposed to be platform independent, this virus will not work on non-Intel PCs, since it relies on the Intel binary part.
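A defender's heuristic for the prepending layout described above, as an added example that is not part of the original description: it flags a file in which a second complete PE image begins directly after the end of the first image's last section. It assumes the host is stored intact at that offset; the function names and the sample bytes are constructed for illustration.

```python
import struct

def pe_image_end(data, base=0):
    """File offset where the PE image starting at `base` ends, or None if no PE is there."""
    if len(data) < base + 0x40 or data[base:base + 2] != b"MZ":
        return None
    pe = base + struct.unpack_from("<I", data, base + 0x3C)[0]   # e_lfanew
    if len(data) < pe + 24 or data[pe:pe + 4] != b"PE\0\0":
        return None
    nsect, = struct.unpack_from("<H", data, pe + 6)               # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)           # SizeOfOptionalHeader
    table = pe + 24 + opt_size                                    # first section header
    end = table + nsect * 40
    if len(data) < end:
        return None
    for i in range(nsect):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, base + raw_ptr + raw_size)
    return min(end, len(data))

def appended_pe_offset(data):
    """Offset of a second PE image stored right after the first one, else None."""
    end = pe_image_end(data)
    if end is None or end >= len(data):
        return None
    return end if pe_image_end(data, end) is not None else None

def make_pe(payload):
    """Constructed sample: header-only, one-section PE32 layout (not a runnable program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    sect = struct.pack("<8sIIII12xI", b".text", len(payload), 0x1000,
                       len(payload), 0x200, 0x60000020)
    return (dos + coff + opt + sect).ljust(0x200, b"\0") + payload

if __name__ == "__main__":
    clean = make_pe(b"H" * 0x100)
    prepended = make_pe(b"V" * 0x200) + clean      # first image followed by a whole host image
    other_overlay = clean + b"non-PE overlay data" # overlay that is not a PE image
    for name, blob in [("clean", clean), ("prepended", prepended), ("overlay", other_overlay)]:
        print(name, appended_pe_offset(blob))
```

Installers and self-extracting archives can also carry a PE image in their overlay, so a hit is a reason to inspect the file rather than a verdict.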

Visual Basic Script component

The Visual Basic Script component is a simple mass-mailer. It uses the MS Outlook application to send messages to each recipient listed in each Outlook address book. The sent messages look as follows:

Subject: "Important: Windows update"
Body: "Hey, at work we are applying this update because it makes
 Windows over 50% faster and more secure. I thought I
 should forward it as you may like it."
Attachment: MS02-010.exe

By naming the attachment MS02-010, the worm tries to disguise itself as the patch described on the Microsoft site:

https://www.microsoft.com/TechNet/security/bulletin/MS02-010.asp

After mass-mailing itself, the script component deletes the sent emails and its own copy, Sharp.VBS, from the infected system.

Variant: Sharpei.B

The Visual Basic Script component of this variant is the same as in Sharpei.A.