W32/Nimda.L
Analysis
- The virus is 32-bit and appends itself to host files, adding a variable amount of data
- The virus uses various exploit and infection methods to infect the potential host
- EXE infection: the virus prepends itself to target files
- Network spreading: the virus attempts to connect to open shares and copy itself to these locations
- When .DOC files are opened by MS Word, a Riched20.dll residing in the same folder is loaded into memory; the Riched20.dll file created by the virus then launches an infectious _setup.exe
- When first executed, the virus may write two files into the Windows\Temp folder and execute one of them; the files may be named similar to “mepF050.TMP.exe”. The virus also writes a WININIT.INI configuration file that deletes the files written to the Temp folder at the next Windows startup
- The virus writes itself as “_setup.exe” to the Windows\System folder, then modifies the SYSTEM.INI file so that the virus is run after the shell Explorer.exe is loaded, with the parameter “-dontrunold”
- The virus may attempt to infect installed applications based on the applications listed under this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
- The virus may modify the registry to share all local drives C through Z; after a Windows restart the drives would be fully shared. The virus then attempts to copy itself to systems available across the network
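As an added, defender-side example that is not part of the Fortinet page: a small Python triage script that checks exported SYSTEM.INI and WININIT.INI text plus a file listing for the host artifacts described above. The sample inputs at the bottom are constructed, and the exact program name on the modified shell line is an assumption.

```python
import re

def check_system_ini(text):
    """Flag a [boot] shell= line that runs a second program with
    -dontrunold after Explorer.exe; returns that line or None."""
    boot = re.search(r"^\[boot\](.*?)(?=^\[|\Z)", text, re.S | re.M | re.I)
    if not boot:
        return None
    m = re.search(r"^\s*shell\s*=\s*(.+?)\s*$", boot.group(1), re.M | re.I)
    if m and "-dontrunold" in m.group(1).lower():
        return m.group(1)
    return None

def check_wininit_ini(text):
    """Return Temp-folder files that a WININIT.INI [rename] section
    deletes at next boot (a NUL= target means delete)."""
    ren = re.search(r"^\[rename\](.*?)(?=^\[|\Z)", text, re.S | re.M | re.I)
    if not ren:
        return []
    pairs = re.findall(r"^\s*(\S+?)\s*=\s*(.+?)\s*$", ren.group(1), re.M)
    return [v for k, v in pairs if k.lower() == "nul" and "\\temp\\" in v.lower()]

def check_paths(paths):
    """paths: file paths from a host or image (any case, backslashes ok).
    Flags _setup.exe in the System folder, mep*.TMP.exe in Temp, and a
    Riched20.dll placed in a folder that also holds .DOC files; the
    legitimate copy in the System folder is not flagged."""
    norm = [p.replace("\\", "/").lower() for p in paths]
    doc_dirs = {p.rpartition("/")[0] for p in norm if p.endswith(".doc")}
    findings = []
    for p in norm:
        d, _, name = p.rpartition("/")
        if name == "_setup.exe" and d.endswith("/system"):
            findings.append(("dropper_in_system", p))
        elif re.fullmatch(r"mep[0-9a-z]+\.tmp\.exe", name) and d.endswith("/temp"):
            findings.append(("temp_stage", p))
        elif name == "riched20.dll" and d in doc_dirs:
            findings.append(("riched20_beside_doc", p))
    return findings

if __name__ == "__main__":
    # Constructed sample artifacts, not taken from a real infection.
    sysini = "[boot]\nshell=Explorer.exe _setup.exe -dontrunold\n[386Enh]\n"
    wininit = "[rename]\nNUL=C:\\WINDOWS\\TEMP\\mepF050.TMP.exe\n"
    files = [r"C:\WINDOWS\SYSTEM\_setup.exe", r"C:\WINDOWS\TEMP\mepF050.TMP.exe",
             r"C:\Docs\report.doc", r"C:\Docs\Riched20.dll",
             r"C:\WINDOWS\SYSTEM\Riched20.dll"]
    print(check_system_ini(sysini), check_wininit_ini(wininit), check_paths(files))
```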
Telemetry
Detection Availability

Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |