Sonic, I_Worm_Sonic, I-Worm.Sonic, Sonic.b


This is multi-component Internet worm infecting Win32 machines and spreading itself in email messages as attached EXE file. The worm has several components and is able to 'upgrade' itself from an Internet Web site.

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

For more Support

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

There are two principal worm components: Loader and Main component.

The Loader is Windows EXE file about 25K of size (it is compressed by UPX PE EXE files compression utility, being decompressed it gets about 70K of size). When loader is activated on a computer (being run from email attach) it registers itself as a hidden process (service), copies itself to Windows system directory with GDI32.EXE name and registers in auto-run system registry key:

 GDI = WinSystem\GDI32.EXE

where 'WinSystem' is Windows system directory name. As a result the worm Loader then will be executed on each Windows startup. Note that there are standard Windows components in that directory: GDI.EXE and GDI32.DLL. The worm uses GDI32.EXE name to disguise itself in a standard Windows environment.

To hide its activity the worm then displays the fake error message:

The path in the above message may be different.

The worm then activates main procedure that gets and executes the Main component. It contacts GeoCities Website and gets several files from one of accounts there:

LASTVERSION.TXT - a text file with the number of latest worm version
available in there. If there is no new version, the worm

- latest version of worm Main component, "nn" is

 - latest version of worm Loader component.

The nn.ZIP and GATEWAY.ZIP files actually are not archives, but encrypted Windows EXE file. The worm Loader decrypts them, copies to Windows directory and spawns. As a result the Main component is activated on the computer.

The Main worm component is Windows EXE file about 40K of size (it is compressed by UPX PE EXE files compression utility, being decompressed it gets about 120K of size). It is installed to Windows directory with GDI32A.EXE name and is registered in system registry in similar way as described above for virus loader. The main components then depending on some conditions opens Windows Address Book, gets Inet addresses from there and sends infected email messages. In known worm version these messages have:

Subject: Choose your poison
Attached file name: GIRLS.EXE

The B variant of the worm spreads itself a bit differently:

Subject: I'm your poison
Attached file name: LOVERS.EXE

The Main worm component also has backdoor abilities. It can provide a limited access to an infected computer for a remote hacker.