W32/MSInit.B
Analysis
- Virus is 32bit, with a UPX compressed size of 220,672 bytes.
- When first executed, the virus copies itself as "wininit.exe" to the Windows\System folder.
- The virus modifies the registry in order to load at next Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
bymer.scanner = C:\Windows\System\wininit.exe -hide -install
- The virus seeks machines connected to the network via NetBIOS and attempts to connect to systems which have a full system share available.
- Machines found are targets for the virus: the virus copies itself to that system and modifies the WIN.INI to load the virus at next Windows startup.
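As an added defender-side example (not part of the original write-up), the following Python checks the two persistence points described above in a registry export and in WIN.INI. The sample inputs are constructed; the page does not quote the WIN.INI line, so a run= entry under [windows] is assumed.

```python
import configparser
import re

# Constructed .reg-style export of the RunServices key, mirroring the
# value quoted in the analysis above (sample data, not from a real host).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"bymer.scanner"="C:\\Windows\\System\\wininit.exe -hide -install"
"SchedulingAgent"="mstask.exe"
"""

# Constructed WIN.INI. The analysis says WIN.INI is modified to start the
# virus but does not quote the line; a run= entry is assumed here.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\Windows\\System\\wininit.exe -hide
"""

def parse_reg_values(text):
    """Yield (key, name, data) for string values in a .reg text dump;
    .reg files escape backslashes as \\\\, which is undone here."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and key:
            yield key, m.group(1), m.group(2).replace('\\\\', '\\')

def suspicious(command):
    """Command runs wininit.exe from the 16-bit System folder (not
    System32) with the -hide switch observed in W32/MSInit.B."""
    c = command.lower()
    return 'system\\wininit.exe' in c and '-hide' in c

def find_msinit_persistence(reg_text, win_ini_text):
    """Return human-readable findings for both persistence points."""
    findings = []
    for key, name, data in parse_reg_values(reg_text):
        if key.lower().endswith('\\runservices') and (
                name.lower() == 'bymer.scanner' or suspicious(data)):
            findings.append(f'registry: {key}\\{name} = {data}')
    # WIN.INI paths contain ':' so only '=' may act as the delimiter
    ini = configparser.ConfigParser(interpolation=None, delimiters=('=',))
    ini.read_string(win_ini_text)
    for option in ('load', 'run'):
        value = ini.get('windows', option, fallback='')
        if suspicious(value):
            findings.append(f'win.ini: [windows] {option}={value}')
    return findings
```

On a live system the same checks would be run against the exported RunServices key and the real WIN.INI rather than the constructed samples.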
- This variant contains the DNETC.EXE Distributed.Net client application, which is the reason for a noticeable size difference between variants .A and .B.
- Virus contains these strings:
[parameters]
id=bymer@ukrpost.net
[misc]
project-priority=OGR,RC5,CSC,DES
[rc5]
fetch-workunit-threshold=64
[ogr]
fetch-workunit-threshold=16
[triggers]
restart-on-config-file-change=yes