W32/Opaserv.Y!worm
Analysis
Specifics
The virus is a 32-bit Windows executable, "PEPEC"-packed, with a file size of 47,616 bytes. It contains instructions to spread to other computers over NetBIOS by taking advantage of weak password settings. Compromised systems may have the file "speedy.bat" running in memory and installed on the local system, and may also make periodic connection attempts to the web site 'www.speed.com'.
Load at Windows Startup
If the virus is run, it copies itself into the Windows folder as "speedy.bat" and modifies the registry so that it is loaded at Windows startup, as in this example:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Spees2" = C:\Windows\Speedy.bat
An additional file may be created in the Windows folder, named "Podre!!."; this small data file contains non-readable characters.
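The host indicators listed above (the "Spees2" Run-key value, speedy.bat in the Windows folder, the "Podre!!." data file, a running speedy.bat and name lookups for www.speed.com) can be checked on a single machine with a short PowerShell script. The script below is an added example for responders and is not part of the Fortinet advisory; it assumes it is run with administrator rights on the host being examined, resolves the Windows folder from $env:windir instead of hard-coding C:\Windows, and treats the file name patterns and the 47,616-byte size as the values the advisory gives, not as a definitive signature.

```powershell
# Added example, not from the advisory: collect the Opaserv.Y host indicators
# described above into a list of findings. Run elevated on the host under review.
$findings = @()
$winDir = $env:windir

# 1. Persistence: Run-key value "Spees2" (name taken from the advisory example).
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = Get-ItemProperty -Path $runKey -Name 'Spees2' -ErrorAction SilentlyContinue
if ($runValue) {
    $findings += [pscustomobject]@{ Indicator = 'Run key value "Spees2"'; Detail = $runValue.Spees2 }
}

# 2. Dropped copy: speedy.bat in the Windows folder. The advisory gives 47,616 bytes
#    as the packed size; a different size is still worth reporting, so it is only annotated.
$speedy = Join-Path $winDir 'speedy.bat'
if (Test-Path -LiteralPath $speedy) {
    $size = (Get-Item -LiteralPath $speedy).Length
    $findings += [pscustomobject]@{ Indicator = 'speedy.bat in Windows folder'; Detail = "$speedy (size $size bytes; advisory lists 47,616)" }
}

# 3. Companion data file "Podre!!." (trailing dot, so match on the prefix).
Get-ChildItem -LiteralPath $winDir -Filter 'Podre*' -File -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Indicator = 'Podre data file in Windows folder'; Detail = $_.FullName }
}

# 4. Running copy: a batch file executes under cmd.exe, so look at process command lines.
Get-CimInstance Win32_Process -ErrorAction SilentlyContinue |
    Where-Object { $_.CommandLine -match 'speedy\.bat' } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Indicator = 'speedy.bat running'; Detail = "PID $($_.ProcessId): $($_.CommandLine)" }
    }

# 5. Beaconing: the advisory reports periodic connection attempts to www.speed.com,
#    which leave entries in the local DNS client cache.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like '*speed.com' } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Indicator = 'DNS cache entry for speed.com'; Detail = "$($_.Entry) -> $($_.Data)" }
    }

if ($findings.Count -eq 0) {
    'No W32/Opaserv.Y indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the Run-key value alone is the strongest of these signals, because the others (a file named speedy.bat, a DNS cache entry) can have benign causes; confirm with the AV scan the Recommended Action section describes before cleaning.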
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Telemetry
Detection Availability
Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR | 