W32/Wukill.A@mm
Analysis
- Virus is 32-bit with a bloated file size of 1,208,320 bytes; the virus contains 1,181,855 bytes of appended hex 00
- This virus was coded using Visual Basic 6 and has a dependency on MSVBVM60.DLL and VB6CHS.DLL (Simplified Chinese VB6 Runtime)
- If the virus is run, it will copy itself to the Windows folder as "MSTRAY.EXE" and modify the registry to load at Windows startup:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  "RavTime" = C:\WINNT\Mstray.exe
- The virus may then attempt to create and send an email in the following format to all users found in the Windows address book:
  Subject: A Important Message From (username)
  Body:
  This is a progrom for Ms-Dos from Microsoft,It can help you to study Ms-Dos.
  Don 't you want to see ?
  Attachment: mshelp.exe
- The virus contains the strings "wukill Xgtray" in its code
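As an added triage example (not code from the Fortinet page), the following Python script checks a file's bytes and an exported Run key against the static indicators listed above: the appended null padding, the VB6 runtime dependency, the "wukill Xgtray" marker string and the "RavTime" startup value. The sample file it builds is a constructed stand-in, not the real malware.

```python
import re

# Indicator values as stated in the analysis above.
WUKILL_FILE_SIZE = 1_208_320        # reported total file size in bytes
WUKILL_NULL_PADDING = 1_181_855     # reported run of appended 0x00 bytes
WUKILL_STRINGS = [b"MSVBVM60.DLL", b"VB6CHS.DLL", b"wukill Xgtray"]
RUN_VALUE_NAME = "RavTime"
RUN_IMAGE_RE = re.compile(r"mstray\.exe$", re.IGNORECASE)


def trailing_null_bytes(data: bytes) -> int:
    """Length of the run of 0x00 bytes at the very end of the file."""
    return len(data) - len(data.rstrip(b"\x00"))


def scan_file_bytes(data: bytes) -> dict:
    """Score raw file bytes against the static indicators; returns each
    observation so an analyst can see which ones fired."""
    padding = trailing_null_bytes(data)
    found = [s.decode() for s in WUKILL_STRINGS if s in data]
    result = {
        "size_matches": len(data) == WUKILL_FILE_SIZE,
        "null_padding": padding,
        "padding_matches": padding >= WUKILL_NULL_PADDING,
        "strings_found": found,
    }
    # Only call it suspicious when the marker string, the VB6 runtime
    # dependency and the oversized null padding all line up.
    result["suspicious"] = ("wukill Xgtray" in found and
                            "MSVBVM60.DLL" in found and result["padding_matches"])
    return result


def check_run_values(run_values: dict) -> list:
    """Flag Run-key values matching the persistence entry described above.
    `run_values` maps value names to command strings (e.g. exported from
    HKLM\\...\\CurrentVersion\\Run) so the check can run offline."""
    return [name for name, image in run_values.items()
            if name.lower() == RUN_VALUE_NAME.lower()
            or RUN_IMAGE_RE.search(image.strip().strip('"'))]


def build_constructed_sample() -> bytes:
    """Constructed stand-in carrying the indicator strings and the same
    null padding; it is NOT the real sample."""
    stub = b"MZ" + b"\x90" * 100 + b"MSVBVM60.DLL\x00VB6CHS.DLL\x00wukill Xgtray\x00"
    stub += b"\x01" * (WUKILL_FILE_SIZE - WUKILL_NULL_PADDING - len(stub))
    return stub + b"\x00" * WUKILL_NULL_PADDING


if __name__ == "__main__":
    print(scan_file_bytes(build_constructed_sample()))
    print(check_run_values({"RavTime": r"C:\WINNT\Mstray.exe", "ctfmon": "ctfmon.exe"}))
```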
Detection Availability

Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |