W32/Yaha.G@mm
Analysis
- Virus is 32-bit, with a UPX-compressed size of 29,112 bytes
- Virus icon resembles that of a lime-green heart
- Virus may search the following list and attempt to terminate any name-matching process running in memory:
_ANTIVIR
ATRACK
AVCONSOL
AVP.EXE
AVP32
AVSYNMGR
CFINET
CFINET32
F-PROT95
FP-WIN
F-STOPW
IAMAPP
ICMON
IOMON98
IRC32
LOCKDOWN2000
LUALL
LUCOMSERVER
MCAFEE
NAVAPSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
NAVWNT
NISSERV
NISUM
NMAIN
NORTON
NVC95
PCCIOMON
PCCMAIN
PCCWIN98
POP3TRAP
PVIEW95
RESCUE32
SAFEWEB
SCAM32
SYMPROXYSVC
VSHWIN32
VSSTAT
WEBSCANX
WEBTRAP
WINK
ZONEALARM
- Virus may copy itself to the Recycle Bin folder (normally named C:\Recycled) under a random name and modify the registry so that this copy is run any time an EXE file is run, as in this example:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "c:\recycled\kqqr" %1 %*
- Next, the virus will scavenge the local drive for email addresses and send a copy of itself to the addresses found, in varying email formats, with a randomly selected subject line and body text.
- The message is structured such that it uses an exploit which causes the attachment to launch automatically when the message is opened or previewed in Outlook.
- The email message will have an additional file attachment, typically a file with an .HTM extension, which is a clean and non-infectious file.
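As an added example (not part of the Fortinet analysis), the following Python checks the exefile open command described above: a clean value launches the EXE itself through "%1", while a value that places another program first, such as a randomly named file under C:\Recycled, is the companion-style persistence the analysis describes. The function, dataclass and sample values are constructed for this example; read_live_exefile_command uses the standard winreg module and returns None when not running on Windows.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Expected (Default) value of HKCR\exefile\shell\open\command on a clean
# Windows system: run the EXE itself ("%1") with its original arguments (%*).
CLEAN_EXEFILE_COMMAND = '"%1" %*'
# First token of the command line: a quoted string or a run of non-spaces.
_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]*)"|(\S+))')
# Recycle Bin folder names: Recycled (9x), Recycler (NT/XP), $Recycle.Bin (Vista+).
_RECYCLE_DIR = re.compile(r"(?i)[\\/]\$?recycle(d|r|\.bin)?(?=[\\/]|$)")

@dataclass
class Finding:
    suspicious: bool
    launcher: Optional[str]   # program placed in front of %1, if any
    in_recycle_bin: bool      # that launcher lives under a Recycle Bin folder
    reason: str

def analyze_exefile_command(value: str) -> Finding:
    """Classify an exefile open command value (constructed or read live)."""
    m = _FIRST_TOKEN.match(value)
    if m is None:
        return Finding(True, None, False, "empty or unparsable command value")
    first = m.group(1) if m.group(1) is not None else m.group(2)
    if first == "%1":
        return Finding(False, None, False, "EXE is launched directly")
    # Anything else means every EXE launch first runs a third program: the
    # companion-style persistence the Yaha.G analysis describes.
    reason = "foreign launcher inserted before %1"
    if "%1" not in value:
        reason += " (and %1 is missing, so EXEs may fail to run)"
    return Finding(True, first, _RECYCLE_DIR.search(first) is not None, reason)

def read_live_exefile_command() -> Optional[str]:
    """Return the live registry value on Windows, None on other platforms."""
    try:
        import winreg  # only present in Windows builds of CPython
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")  # "" selects the (Default) value
    return value

if __name__ == "__main__":
    # Constructed sample mirroring the entry in the analysis (kqqr in C:\Recycled).
    for v in (CLEAN_EXEFILE_COMMAND, r'"c:\recycled\kqqr" %1 %*'):
        print(analyze_exefile_command(v))
    live = read_live_exefile_command()
    print("live:", analyze_exefile_command(live) if live else "not on Windows")
```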
Recommended Action
Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
Telemetry
Detection Availability
Product | Detection Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |