W32/Deborm.Q
Analysis
- Virus is 32bit with a size of 56,320 bytes and
is ASPack compressed
- Virus makes use of the NetBIOS transport protocol,
thus if this protocol is not installed, it is not
a threat for spreading within networks
- Virus seeks other systems to infect by scanning IP addresses within
the current IP subnet
- If a target system is found, the virus will attempt
to copy itself to that system into the StartUp folder
within Windows
- Virus will write itself to the local machine if
executed as two files:
C:\Windows\litmus\SVCHOST32.EXE
C:\Windows\System\EXPLORER .EXE <= note there is a space before the period
- Virus will modify the system registry to load at
Windows startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
LTM2 = C:\Windows\litmus\SVCHOST32.EXE
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
NAV Live Update = C:\Windows\Start Menu\Programs\StartUp\(Worm filename)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Explorer = Explorer .exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Explorer = Explorer .exe
- The file "SVCHOST32.EXE" acts as a remote access Trojan, as does "Explorer .exe"
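The persistence indicators above (the Run/RunServices values and the two dropped files, including the tell-tale space in "Explorer .exe") can be checked mechanically against a registry export. The script below is an added example written for this page, not Fortinet's code or part of the original write-up: it parses a minimal .reg export, flags autorun values that match the listed indicators, and checks candidate file paths. The export text is constructed for the example, and since the write-up does not give the worm's own StartUp-folder filename, WORM_FILENAME_PLACEHOLDER.EXE stands in for it and the "NAV Live Update" indicator keys on the value name plus the StartUp folder rather than the filename.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Persistence indicators taken from the W32/Deborm.Q write-up above. Registry
# key and value names are case-insensitive on Windows, so everything is
# compared case-folded.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runservices",
}
SPACED_EXPLORER = re.compile(r"\bexplorer \.exe\b", re.IGNORECASE)   # "Explorer .exe"
LITMUS_SVCHOST = re.compile(r"\\litmus\\svchost32\.exe$", re.IGNORECASE)
STARTUP_FOLDER = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)


@dataclass
class RunEntry:
    key: str
    name: str
    data: str


def parse_reg_export(text: str) -> list:
    """Parse the subset of .reg syntax needed here: [key] headers followed by
    "name"="data" lines. Doubled backslashes in data are unescaped."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].rstrip("\\")
        elif current_key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            entries.append(RunEntry(current_key, name.strip('"'),
                                    data.strip().strip('"').replace("\\\\", "\\")))
    return entries


def classify(entry: RunEntry) -> Optional[str]:
    """Return why a Run/RunServices value matches a Deborm.Q indicator, or None."""
    if entry.key.lower() not in RUN_KEYS:
        return None
    if SPACED_EXPLORER.search(entry.data):
        return "Run value launches 'Explorer .exe' (space before the extension)"
    if LITMUS_SVCHOST.search(entry.data):
        return "Run value launches \\litmus\\SVCHOST32.EXE"
    if entry.name.lower() == "nav live update" and STARTUP_FOLDER.search(entry.data):
        return "'NAV Live Update' value launching a file from the StartUp folder"
    return None


def suspicious_file_path(path: str) -> Optional[str]:
    """Flag the two on-disk filenames the write-up lists."""
    if LITMUS_SVCHOST.search(path):
        return "SVCHOST32.EXE dropped under a 'litmus' directory"
    if re.search(r"\\system\\explorer \.exe$", path, re.IGNORECASE):
        return "EXPLORER .EXE (with a space) in the System directory"
    return None


def find_suspicious(reg_text: str) -> list:
    """(value name, reason) for every autorun value matching an indicator."""
    hits = []
    for entry in parse_reg_export(reg_text):
        reason = classify(entry)
        if reason:
            hits.append((entry.name, reason))
    return hits


# Constructed sample export (not a real capture): three Deborm.Q-style values
# plus one benign entry in the Run key, one value in RunServices, and a spaced
# "Explorer .exe" under an unrelated key that must not be flagged. The worm's
# StartUp-folder filename is not given in the write-up, hence the placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"LTM2"="C:\\Windows\\litmus\\SVCHOST32.EXE"
"NAV Live Update"="C:\\Windows\\Start Menu\\Programs\\StartUp\\WORM_FILENAME_PLACEHOLDER.EXE"
"Windows Explorer"="Explorer .exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Explorer"="Explorer .exe"

[HKEY_CURRENT_USER\Software\SomeVendor\App]
"Launcher"="Explorer .exe"
'''

if __name__ == "__main__":
    for name, reason in find_suspicious(SAMPLE_REG):
        print(f"{name!r}: {reason}")
    for p in (r"C:\Windows\litmus\SVCHOST32.EXE", r"C:\Windows\System\EXPLORER .EXE",
              r"C:\Windows\explorer.exe"):
        print(p, "->", suspicious_file_path(p))
```

The name-based match for "NAV Live Update" is the weakest of the three: a legitimate product could register a value with that name, so treat that hit as a prompt to inspect the referenced StartUp-folder file rather than as proof of infection. The spaced "Explorer .exe" and the litmus\SVCHOST32.EXE path have no legitimate counterpart and are strong signals on their own.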