Name:  W32.HLLP.Sharpei@mm
Aliases:  Blunt,Worm/Ngvck
Variants:  
Type:  Mass Mailer
Platforms: Windows 32-bit, Outlook, .NET
Status:  in the wild
Threat:  V-CON 1 (low)
The following has been derived from information provided by Central Command, F-Secure, and Symantec.
Virus Characteristics
This virus is a proof-of-concept virus that targets .EXE files under the Microsoft .NET architecture. The virus is composed of three different parts written in three different programming languages. The replication code of the virus is written in C# and compiled to MSIL. The virus also mass e-mails itself to all contacts in the Microsoft Outlook address book by using a VBS component.
The virus arrives as an email message with the following characteristics:
Subject: "Important: Windows update"
Body: "Hey, at work we are applying this update because it makes Windows over 50% faster
and more secure. I thought I should forward it as you may like it."
Attachment: "Ms02-010.exe"
Executing "MS02-010.EXE" does the following:
It copies itself to the root directory as "MS02-010.EXE". It then drops the file "SHARP.VBS", which searches through the Outlook Address Book and sends itself to every address listed. SHARP.VBS then deletes the messages from the system after they have been sent and deletes itself once it is finished. The virus copies the complete contents of MS02-010.EXE to the front of .NET executables in the PROGRAM FILES and WINDOWS directories.
If MSCOREE.DLL is found in the SYSTEM directory, the virus creates a file named CS.EXE in the WINDOWS directory and executes it. The virus assumes that this library is installed only when the Microsoft .NET Framework is installed. CS.EXE is a .NET executable that is written in C# and runs only in the .NET Framework.
Finally, MS02-010.EXE creates the following registry key:
HKLM\Software\
"Sharp= <a string value set to the path MS02-010.EXE was run>"
When an infected executable is run, the virus creates temporary files such as HOSTCOPY.EXE and TEMP.EXE, which are direct copies of itself. It will look for other local executables to infect and attempt to mail itself out again.
The virus portion also creates another SHARP.VBS file, which contains code to display the following message:
"You're infected with Win32.HLLP.Sharp, written in C#, by Gigabyte/Metaphase"
This file is created in the WINDOWS\STARTUP folder, so it appears when you start Windows.
Payload
Mass Mailer.
The presence of MS02-010.EXE, SHARP.VBS, and/or CS.EXE.
Preventative Measures
Block messages which have the following characteristics at the messaging gateway where possible:
Subject: "Important: Windows update"
Body: "Hey, at work we are applying this update because it makes Windows over 50% faster
and more secure. I thought I should forward it as you may like it."
Attachment: "Ms02-010.exe"
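The gateway check described above, as an added example (not code from this advisory or from the vendors it cites): a Python function that looks for the three listed message characteristics in a raw message. The decision rule in should_block and all function names are assumptions, and the sample message is constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the advisory's description of the message.
SUBJECT = "important: windows update"
ATTACHMENT = "ms02-010.exe"
BODY_MARKER = "makes windows over 50% faster"

def norm(s):
    """Collapse whitespace and lowercase so wrapped or re-cased text still matches."""
    return " ".join(s.split()).lower()

def sharpei_indicators(raw_bytes):
    """Return which advisory indicators appear in one raw RFC 822 message."""
    # policy.default decodes RFC 2047 encoded-words in headers.
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = set()
    if norm(str(msg.get("Subject", ""))) == SUBJECT:
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            if norm(name) == ATTACHMENT:
                hits.add("attachment")
        elif part.get_content_maintype() == "text":
            try:
                text = part.get_content()  # undoes base64 / quoted-printable
            except (LookupError, UnicodeError):
                continue  # unknown charset: leave the part to other rules
            if BODY_MARKER in norm(text):
                hits.add("body")
    return hits

def should_block(raw_bytes):
    """Assumed rule: attachment name alone, or subject and body together."""
    hits = sharpei_indicators(raw_bytes)
    return "attachment" in hits or {"subject", "body"} <= hits

def build_sample(subject, body, attachment=None):
    """Build a constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()
```

A subject match on its own is not blocked under this rule, since the subject line could plausibly appear in legitimate mail.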
Fixes Available
Network Associates: No information at time of alert.
Symantec: Detected heuristically as Bloodhound.VBS.Worm, as well as definitions from February 27, 2002.
Trend: No information at time of alert.