W32/Yaha.Q@mm
Analysis
- Virus is 32bit, with a compressed size of 44,544 bytes
- Virus icon resembles that of a TXT file associated with Notepad
- Virus may attempt to terminate several antivirus or firewall related applications, based on a table of process names
- Virus may copy itself to the Windows\System folder as "exeLoader.exe", and modify the registry to run this any time an EXE file is run –
  HKEY_CLASSES_ROOT\exefile\shell\open\command
  (Default) = "C:\Windows\System\exeLoader.exe" "%1" %*
  (the original value for the above was (Default) = "%1" %*)
- Virus modifies the registry to run at Windows startup –
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
  Windows Task = C:\Windows\System\wintask32.exe
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
  Windows Task = C:\Windows\System\wintask32.exe
- Virus will create additional keys in the system registry –
  HKEY_LOCAL_MACHINE\Software\Microsoft\Snakes\
  Author = R0xx
  Comments = This system belongs to the great Indians…
  Version = 2.01 Beta
  Web = http://www.indiansnakes.cjb.net
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ZoneCheck\
  (Default) = pakistan.gov.pk
  HKEY_LOCAL_MACHINE\Software\Microsoft\WinVer\
  (Default) = xbthsn
- Next, the virus will scavenge the local drive for email addresses and send a copy of itself to the addresses found, in varying email formats, using a randomly selected subject line and body text
- The message is structured so that it uses an exploit which causes the attachment to launch automatically when the message is either opened or previewed in Outlook
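The registry changes listed above are the durable, host-side indicators of this worm: the exefile open-command hijack, the two "Windows Task" autorun entries, and the marker keys under Snakes, ZoneCheck and WinVer. The following script is an added example (not Fortinet's code or any tool of theirs) that parses a registry export in .reg text format and flags those indicators, so a responder can check an exported hive offline. The sample exports, the key and file names, and the helper names parse_reg_export and find_indicators are constructed for this example; the clean default for the exefile command ("%1" %*) is the standard Windows value.

```python
"""Offline check of the registry indicators described for W32/Yaha.Q@mm.

Added example, not Fortinet's code. Parses a .reg-style text export
(constructed samples below) and reports the persistence changes from the
analysis: the exefile open-command hijack, the Run/RunServices autorun
entries for the dropped file names, and the marker keys the worm creates.
"""
import re

# Standard Windows default for HKCR\exefile\shell\open\command.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# File names taken from the analysis text (compared case-insensitively).
DROPPED_FILES = ("exeloader.exe", "wintask32.exe")

# Keys the analysis says the worm creates.
MARKER_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Snakes",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ZoneCheck",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\WinVer",
)

AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a .reg-style export.

    Only [key] headers and "name"="data" / @="data" string lines are
    handled; other value types are kept as their raw text.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg escapes backslashes and quotes inside string data.
            data = re.sub(r"\\(.)", r"\1", data[1:-1])
        result[current][name] = data
    return result


def find_indicators(reg):
    """Return a list of findings for the Yaha.Q indicators in a parsed export."""
    findings = []
    lower = {k.lower(): v for k, v in reg.items()}  # registry keys are case-insensitive

    # 1. exefile hijack: any value other than the clean default routes every
    #    EXE launch through the planted loader first.
    cmd = lower.get(r"hkey_classes_root\exefile\shell\open\command", {}).get("(Default)")
    if cmd is not None and cmd.strip().lower() != CLEAN_EXEFILE_COMMAND.lower():
        findings.append(f"exefile open command hijacked: {cmd}")

    # 2. Run / RunServices entries that point at the dropped file names.
    for key in AUTORUN_KEYS:
        for name, data in lower.get(key.lower(), {}).items():
            if any(f in data.lower() for f in DROPPED_FILES):
                findings.append(f"autorun entry {name!r} -> {data}")

    # 3. Marker keys the worm creates.
    for key in MARKER_KEYS:
        if key.lower() in lower:
            findings.append(f"marker key present: {key}")
    return findings


# Constructed sample: an export from an infected host, as the analysis describes it.
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Windows\\System\\exeLoader.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Task"="C:\\Windows\\System\\wintask32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Task"="C:\\Windows\\System\\wintask32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Snakes]
"Author"="R0xx"
"Version"="2.01 Beta"

[HKEY_LOCAL_MACHINE\Software\Microsoft\WinVer]
@="xbthsn"
'''

# Constructed sample: a clean host with the default exefile command.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

if __name__ == "__main__":
    for label, export in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(f"{label}:")
        for finding in find_indicators(parse_reg_export(export)) or ["no indicators"]:
            print("  " + finding)
```

Run it against a real export (regedit's File > Export, saved as .reg and read as text) by replacing the constructed samples; the exefile check is the one worth keeping regardless of this particular worm, since any value other than "%1" %* there means something is interposed on every program launch.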
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Telemetry
Detection Availability
Product | Detection Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |