W32/Mantibe
Analysis
- The virus is 32-bit, has a compressed file size of 57,603 bytes, and was coded using Visual Basic 6
- The virus relies on the VB Runtime Library file MSVBVM60.DLL in order to be a threat
- If the virus is run, it may copy itself into the Windows\System folder under the same filename (such as "beso.jpg.exe") and will then modify the registry to load at Windows startup, as in this example -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"Mantis" = C:\Windows\System\beso.jpg.exe
- The virus may display an image on the desktop with a title of "beso" - the image is of two females embraced in a kiss - the image can be closed without incident
- After the system becomes infected and the host is restarted, the virus will load from the registry and attempt to copy itself to floppy disks which are used on the infected system - the virus will copy itself as "a:\beso.jpg.exe"
- The virus may create text files used for temporary storage on the infected system as -
c:\Ascii.txt
c:\w12.txt
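A triage check for the indicators listed above, as an added example that is not part of the original analysis or any vendor tooling. It assumes the Run key has been exported as text with `reg query`; the function names and extension lists are illustrative, and the double-extension test goes beyond the single "beso.jpg.exe" name to cover the same masquerade under other names.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the analysis above (compared case-insensitively).
RUN_VALUE_NAME = "mantis"
DROPPED_NAME = "beso.jpg.exe"
TEMP_FILES = {r"c:\ascii.txt", r"c:\w12.txt"}
# Generalisation (assumption, not from the page): decoy + executable extensions.
DECOY_EXT = {".jpg", ".jpeg", ".gif", ".bmp", ".png", ".txt", ".doc", ".pdf"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# One value line of `reg query` output: 4-space indent, name, type, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Constructed sample input (not captured from a real host).
SAMPLE_REG = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    SecurityHealth    REG_EXPAND_SZ    %windir%\\system32\\SecurityHealthSystray.exe\n"
    "    Mantis    REG_SZ    C:\\Windows\\System\\beso.jpg.exe\n"
)
SAMPLE_PATHS = [r"c:\Ascii.txt", r"c:\w12.txt", r"a:\beso.jpg.exe", r"c:\Users\x\photo.jpg"]

def has_double_extension(path):
    """True for names such as beso.jpg.exe (decoy ext followed by executable ext)."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXEC_EXT and suffixes[-2] in DECOY_EXT

def scan_run_key(reg_query_output):
    """Return (value name, data, reasons) for each suspicious Run entry."""
    findings = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name, data = m["name"].strip(), m["data"].strip().strip('"')
        reasons = []
        if name.lower() == RUN_VALUE_NAME:
            reasons.append("run-value-name")
        if PureWindowsPath(data).name.lower() == DROPPED_NAME:
            reasons.append("dropped-file-name")
        if has_double_extension(data):
            reasons.append("double-extension")
        if reasons:
            findings.append((name, data, reasons))
    return findings

def scan_paths(paths):
    """Flag the temporary text files, the floppy copy and any double-extension file."""
    return [p for p in paths
            if p.lower() in TEMP_FILES or has_double_extension(p)]
```

A hit on the temporary file names alone is weak evidence, since the names are generic; weigh it together with the Run entry and the dropped executable.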
Telemetry
Detection Availability
Product | Detection availability |
---|---|
FortiClient | Extreme |
FortiMail | Extreme |
FortiSandbox | Extreme |
FortiWeb | Extreme |
Web Application Firewall | Extreme |
FortiIsolator | Extreme |
FortiDeceptor | Extreme |
FortiEDR | |