W32/Yaha.AF!worm

Analysis

  • The virus is a 32-bit executable with a compressed size of 58,880 bytes
  • The virus may be introduced to the system as an email attachment sent from an infected computer, or over the network from another infected computer
  • If the virus is run, it will write itself to several locations -

    c:\Documents and Settings\All Users\
    Start Menu\Programs\Startup\MSMGR32.EXE
    c:\Documents and Settings\(every user account)\
    Start Menu\Programs\Startup\MSMGR32.EXE
    c:\WINNT\system32\EXE32.EXE
    c:\WINNT\system32\MSMGR32.EXE

  • The virus will then modify the registry to auto-run at Windows startup -

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    "MsManager" = C:\WINNT\System32\MSMGR32.EXE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "MsManager" = C:\WINNT\System32\MSMGR32.EXE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
    "MsManager" = C:\WINNT\System32\MSMGR32.EXE

  • The virus will modify the registry so that the virus runs whenever files of certain types (.bat, .com, .exe, .scr) are opened -

    HKEY_CLASSES_ROOT\batfile\shell\open\command\
    "(Default)" = "C:\WINNT\System32\EXE32.EXE" "%1" %*

    Original value: "%1" %*

    HKEY_CLASSES_ROOT\comfile\shell\open\command\
    "(Default)" = "C:\WINNT\System32\EXE32.EXE" "%1" %*

    Original value: "%1" %*

    HKEY_CLASSES_ROOT\exefile\shell\open\command\
    "(Default)" = "C:\WINNT\System32\EXE32.EXE" "%1" %*

    Original value: "%1" %*

    HKEY_CLASSES_ROOT\scrfile\shell\open\command\
    "(Default)" = "C:\WINNT\System32\EXE32.EXE" "%1" %*

    Original value: "%1" /S

  • The virus modifies or creates HOSTS and LMHOSTS files on the infected system to redirect attempts to reach Microsoft and several antivirus vendor websites to the local machine -

    127.0.0.1 www.symantec.com
    127.0.0.1 www.microsoft.com
    127.0.0.1 www.sophos.com
    127.0.0.1 www.avp.ch
    127.0.0.1 www.mcafee.com
    127.0.0.1 www.trendmicro.com
    127.0.0.1 www.pandasoftware.com
    127.0.0.1 www3.ca.com
    127.0.0.1 www.ca.com

  • The virus may attempt to browse the network for machines to infect, using functions imported from MPR.DLL to enumerate systems connected to the network

  • The virus will scan the hard drive for email addresses; addresses found are saved to a file named "msmgr32.DLL" in the %Windows%\System32 folder

  • The virus will construct varied emails and send them to contacts found on the infected system
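The persistence and HOSTS artifacts above lend themselves to a host check; the following is an added example, not part of the Fortinet analysis. It runs over exported values (a dict of Run-key values, a dict of shell\open\command defaults, and HOSTS file text) rather than the live registry, and the sample HOSTS content is constructed.

```python
# Indicators taken from the analysis on this page.
RUN_VALUE_NAME = "MsManager"
DROPPED_FILES = ("msmgr32.exe", "exe32.exe")
# Stock shell\open\command defaults that the worm overwrites.
EXPECTED_OPEN_COMMAND = {
    "batfile": '"%1" %*',
    "comfile": '"%1" %*',
    "exefile": '"%1" %*',
    "scrfile": '"%1" /S',
}
REDIRECTED_HOSTS = {
    "www.symantec.com", "www.microsoft.com", "www.sophos.com", "www.avp.ch",
    "www.mcafee.com", "www.trendmicro.com", "www.pandasoftware.com",
    "www3.ca.com", "www.ca.com",
}


def check_run_values(run_values):
    """run_values maps value name -> command for one Run/RunServices key.
    Returns the value names matching the worm's autostart entry."""
    return sorted(name for name, cmd in run_values.items()
                  if name == RUN_VALUE_NAME
                  or any(f in cmd.lower() for f in DROPPED_FILES))


def check_open_commands(open_commands):
    """open_commands maps file type -> (Default) of its shell\\open\\command.
    Returns {file_type: value_to_restore} for each entry that deviates from
    the stock default (the worm prepends EXE32.EXE; other deviations also
    deserve a look). Missing keys are treated as untouched."""
    return {ftype: expected for ftype, expected in EXPECTED_OPEN_COMMAND.items()
            if open_commands.get(ftype, expected).strip() != expected}


def check_hosts(hosts_text):
    """Returns vendor hostnames that a HOSTS/LMHOSTS body pins to 127.0.0.1,
    in file order; comments after '#' are ignored."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "127.0.0.1":
            hits.extend(h for h in fields[1:] if h.lower() in REDIRECTED_HOSTS)
    return hits


# Constructed sample HOSTS content, not captured from a real system.
SAMPLE_HOSTS = """# Hosts file
127.0.0.1 localhost
127.0.0.1 www.mcafee.com    # added by the worm
127.0.0.1 www.symantec.com www.sophos.com
"""
```

The restore values returned by check_open_commands are the stock defaults listed above, so a cleanup step can write them back after the dropped files and Run values are removed.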

Recommended Action

  • Using FortiGate, enable file blocking for the .EXE file extension on the IMAP, POP3, and SMTP protocols

Telemetry

Detection Availability

  FortiClient: Extreme
  FortiMail: Extreme
  FortiSandbox: Extreme
  FortiWeb: Extreme
  Web Application Firewall: Extreme
  FortiIsolator: Extreme
  FortiDeceptor: Extreme
  FortiEDR