W32/Yaha.A@mm
Analysis
- Virus is 32-bit, with a UPX compressed size of 20,992 bytes
- Virus may copy itself to the Recycle Bin folder, normally named C:\Recycled, as these file names:
MSMDM.EXE
MSSCRA.EXE
- and modify the registry to run a copy of the virus any time an EXE file is run, as in this example -
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = ""c:\recycled\msmdm" %1 %*"
- Next, the virus will scavenge the local drive for email addresses and send a copy of itself to the addresses found, in varying email formats, based on a randomly selected subject line and body text
- Message is structured such that it uses an exploit which will cause the attachment to launch automatically when the message is either opened or previewed in Outlook - the email message will have an additional file attachment, typically a file with .HTM extension, which is a clean and non-infectious file
- Email will be sent in this format -
Subject: Fw: Melt the Heart of your Valentine with this beautiful Screen saver
Body:
Hi
Check this screen saver
Happy Valentines day
See u
Attachment: Valentin.scr
- Virus may use one of several Asian-based email servers in order to distribute itself - the server names are hard-coded into the virus and include countries such as Korea, Singapore, China and Taiwan
- Virus contains the following text strings -
Happy Valentines Day enjoy!!!!
$ Author : No payloads,then what
Remov:HKCR\exefile\shell\open\command="%1" %*
Del c:\recycled\msmdm.exe,msscra.exe
hahha very simpile yaa $
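A defender-side check for the registry change described above, added for this page and not part of the original analysis: it parses the exefile open-command value (which on a clean Windows install is `"%1" %*`), reports any program inserted in front of `%1`, and flags an interposer in a Recycled folder with one of the dropped file names as Yaha-like. The sample values are constructed.

```python
from typing import Optional

# Stock value of HKEY_CLASSES_ROOT\exefile\shell\open\command on an unmodified
# Windows install: the launched program (%1) and its arguments (%*), nothing else.
STOCK_EXEFILE_COMMAND = '"%1" %*'

# File names the analysis says the virus drops into C:\Recycled.
YAHA_DROPPED_NAMES = {"msmdm.exe", "msscra.exe"}


def split_windows_command(cmd: str) -> list:
    """Split a command line into tokens, treating a double-quoted run as one token."""
    tokens, current, in_quotes = [], "", False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append(current)
                current = ""
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens


def exefile_interposer(value: str) -> Optional[str]:
    """Return the program that now runs ahead of every EXE, or None when the
    value still begins with %1 like the stock command."""
    tokens = split_windows_command(value)
    if tokens and tokens[0] == "%1":
        return None
    return tokens[0] if tokens else ""


def classify_exefile_value(value: str) -> str:
    """Verdict for one registry read: 'clean', 'yaha-like' (interposer under a
    Recycled folder using a dropped name) or 'hijacked' (any other interposer)."""
    interposer = exefile_interposer(value)
    if interposer is None:
        return "clean"
    path = interposer.lower().replace("/", "\\")
    name = path.rsplit("\\", 1)[-1]
    # The sample value quotes the path without its .exe extension, so accept both forms.
    if "\\recycled\\" in path and (name in YAHA_DROPPED_NAMES or name + ".exe" in YAHA_DROPPED_NAMES):
        return "yaha-like"
    return "hijacked"
```

On a live host, feed `classify_exefile_value` the string read from the key with `winreg` (constructed values are used here so the check runs offline).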
Telemetry

| Product | Detection Availability |
|---|---|
| FortiGate | Extreme |
| FortiClient | Extended |
| FortiMail | Extended |
| FortiSandbox | Extended |
| FortiWeb | Extended |
| Web Application Firewall | Extended |
| FortiIsolator | Extended |
| FortiDeceptor | Extended |
| FortiEDR | |