W32/Deloder.A
Analysis
- The virus is a 32-bit executable with a compressed size of 745,984 bytes.
- When executed, the virus scans the network over the SMB client protocol, looking for other hosts that expose shares on IPC$ (typically Windows 2000/XP), C$ or Admin$.
- The virus attempts to gain access to these systems by guessing passwords from a built-in table of names, i.e. a "brute-force" method.
  – Once the virus gains access to a target, it attempts to copy itself to that system as "dvldr32.exe" into a hard-coded path.
- If the virus is executed, either by its own initiated process or manually, it extracts other files, including a non-malicious tool named "PSEXEC.EXE" and a remote access Trojan named "INST.EXE".
  – These files are extracted into the same folder in which the virus resides.
- The virus may copy additional files into the Windows\Fonts folder in an effort to conceal itself:
  c:\WINNT\Fonts\explorer.exe
  c:\WINNT\Fonts\omnithread_rt.dll
  c:\WINNT\Fonts\rundll32.exe
  c:\WINNT\Fonts\VNCHooks.dll
- The virus may also modify the registry so that it loads at Windows startup:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  "messnger" = [path]\dvldr32.exe
  "Explorer" = Windows\Fonts\explorer.exe
  "TaskMan" = Windows\Fonts\rundll32.exe
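As an added example (not part of the original entry), the following Python check parses a text export of the Run key (as produced by `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`) and flags startup values that point at the Deloder artifacts listed above; the sample export and the paths in it are constructed for illustration.

```python
# Registry Run key named in the entry as the persistence location.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Indicators taken from the entry: the dropped copy and the files planted in Windows\Fonts.
SUSPECT_BASENAMES = {"dvldr32.exe"}
SUSPECT_FONTS_FILES = {"explorer.exe", "rundll32.exe", "omnithread_rt.dll", "vnchooks.dll"}

# Constructed .reg export: three Deloder-style values plus one benign entry (hypothetical path).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"messnger"="C:\\WINNT\\system32\\dvldr32.exe"
"Explorer"="C:\\WINNT\\Fonts\\explorer.exe"
"TaskMan"="C:\\WINNT\\Fonts\\rundll32.exe"
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
'''


def parse_reg_export(reg_text):
    """Parse a .reg export into {key: {value_name: data}}, keeping only string (REG_SZ) values,
    which is all the Run key normally contains. .reg escapes backslashes as \\ and quotes as \"."""
    keys = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                unescaped = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
                keys[current][name.strip('"')] = unescaped
    return keys


def find_deloder_run_entries(reg_text):
    """Return (value_name, data) pairs under the Run key whose target is a Deloder artifact.
    dvldr32.exe is flagged on any path; explorer.exe / rundll32.exe only when under a Fonts folder,
    since the real binaries live in the Windows directory, not in Windows\\Fonts."""
    hits = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        path = data.strip('"').lower()
        basename = path.rsplit("\\", 1)[-1]
        in_fonts = "\\fonts\\" in path
        if basename in SUSPECT_BASENAMES or (in_fonts and basename in SUSPECT_FONTS_FILES):
            hits.append((name, data))
    return hits


if __name__ == "__main__":
    for name, data in find_deloder_run_entries(SAMPLE_REG):
        print(f"suspicious Run value {name!r} -> {data}")
```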