VirusX97M/Barisada.AG
Analysis
- Virus hooks Excel event handler of deselecting a
worksheet in order to run its code
- Virus exists in the class code module, normally
named "ThisWorkbook"
- Virus verifies if it has infected the Excel environment
by searching for the file "book.xls" in
the XLStart folder - if the file does not exist, a
new workbook is created and infected, and then saved
as "book.xls" in the XLStart folder
- Virus tests if the date is April 24 and the time
is 2pm - if these conditions are met, the virus will
display a message box asking a yes or no question
-
1st Qusetion
Question : What is the Sword Which Karl Styner(=Gray Scavenger) used?
Answer : Barisada
[Yes] [No]
- If the user selects "No", then the virus
exits the cell deletion code
- If the user selects "Yes" then the virus
will display one additional question with a yes or
no choice, where a selection of "No" will
cause the cell deletion code to execute -
Wrong Answer may cause The Serious Problem!
Summoning Xavier is the Ultimate Magic. Right?
[Yes] [No]
Recommended Action
Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |