W32/Symten.B@mm

Analysis

  • Virus is a 32-bit executable with a file size of 106,496 bytes
  • Virus was coded using Visual Basic 6 and requires the VB6 runtime library MSVBVM60.DLL in order to run
  • If virus is run, it may write itself to the local system as "c:\_backup.exe"
  • Virus will modify the registry to load at next Windows startup (the RunServices key is honored by Windows 9x/ME; NT-based Windows does not process it) -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
    "Swf32" = C:\_backup.exe

  • Virus may create an email and send it to every address in the Outlook address book, in this format -
    From: (blank)
    Subject: (variable)
    Body:
    Look at this!!! Microsoft svchost Patch:
    Please run a search on your computer for the file name SVCHOST.EXE if this file is found on your system run the update patch provided in the attatchment of this email.
    Regards,
    Adam Voldran
    MSUpdate Devision
    Microsoft Corp.
    Attachment: svchost.exe

  • Virus may replace existing files on the local system with a copy of itself -
    C:\Program Files\NetMeeting\conf.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\Ikernel.exe
    C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe

  • Virus will write itself as several different files on the local system -
    c:\5283952.exe
    c:\6BDD1FC1-810F-11D0-BEC7-08002BE2092F.EXE
    c:\CHANNEL_UKVX(undernet).exe
    c:\elkern_UPS_23913.exe
    c:\HI_KIRSTY.exe
    c:\I_AM_A_WORM_DONT_OPEN_ME_LOL.exe
    c:\INFECT_YOUR_COMPUTER_NOW(hehe).exe
    c:\ITS_A_BOMB.exe
    c:\massive_head_injury.jpg.exe
    c:\MS_UPDATE_(126).exe
    c:\oleaut32.exe
    c:\QuickTimeUpdateHelper.exe
    c:\svchost.exe
    c:\swflash.exe
    c:\SYMTEM_(Writen_by_INDUSTRY).exe
    c:\up(21379123).exe
    c:\WINDOWS_XP.exe
    c:\WINDOWS\5283952.exe
    c:\WINDOWS\6BDD1FC1-810F-11D0-BEC7-08002BE2092F.EXE
    c:\WINDOWS\CHANNEL_UKVX(undernet).exe
    c:\WINDOWS\elkern_UPS_23913.exe
    c:\WINDOWS\HI_KIRSTY.exe
    c:\WINDOWS\I_AM_A_WORM_DONT_OPEN_ME_LOL.exe
    c:\WINDOWS\INFECT_YOUR_COMPUTER_NOW(hehe).exe
    c:\WINDOWS\ITS_A_BOMB.exe
    c:\WINDOWS\massive_head_injury.jpg.exe
    c:\WINDOWS\MS_UPDATE_(126).exe
    c:\WINDOWS\oleaut32.exe
    c:\WINDOWS\QuickTimeUpdateHelper.exe
    c:\WINDOWS\svchost.exe
    c:\WINDOWS\swflash.exe
    c:\WINDOWS\SYMTEM.exe
    c:\WINDOWS\SYMTEM_(Writen_by_INDUSTRY).exe
    c:\WINDOWS\up(21379123).exe
    c:\WINDOWS\WINDOWS_XP.exe
    c:\WINDOWS\All Users\Start Menu\Programs\StartUp\SYMTEM.EXE

  • Virus will write itself under several very long file names that mimic Windows side-by-side (WinSxS) assembly directory names -
    c:\x86_Microsoft_Windows_CPlusPlusRuntime_6595b64144ccf1df_x-ww_2726e76a.exe
    c:\x86_Microsoft_Windows_Networking_Dxmrtp_6595b64144ccf1df_4868_x-ww_212f7d9e.exe
    c:\x86_Microsoft_Windows_Networking_RtcDll_6595b64144ccf1df_4868_x-ww_b168a28c.exe
    c:\WINDOWS\x86_Microsoft_Windows_CPlusPlusRuntime_6595b64144ccf1df_x-ww_2726e76a.exe
    c:\WINDOWS\x86_Microsoft_Windows_Networking_Dxmrtp_6595b64144ccf1df_4868_x-ww_212f7d9e.exe
    c:\WINDOWS\x86_Microsoft_Windows_Networking_RtcDll_6595b64144ccf1df_4868_x-ww_b168a28c.exe
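The indicators above (the RunServices persistence value, the worm's fixed file size, the files it replaces and the files it drops) can be matched offline against a registry export and a file listing taken from a suspect host. The script below is an added example for this page, not Fortinet's code or any tool from the original analysis; the .reg excerpt and the file listing it runs on are constructed for the demonstration, and the drop-path set is a subset of the list above. Replaced files (conf.exe, msnmsgr.exe and the others) keep their legitimate names, so the path alone proves nothing there; the check requires the worm's exact size as well. A size match on an unlisted .exe is reported only as a lead, since 106,496 bytes is not unique to this worm.

```python
"""Offline triage of the W32/Symten.B@mm host indicators listed above.

Added example (not from the original analysis). Inputs are constructed.
"""
import re

# --- Indicators taken from the analysis above ---------------------------
SYMTEN_SIZE = 106_496
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
PERSISTENCE_VALUE = ("swf32", r"c:\_backup.exe")  # compared case-insensitively

# Files the worm overwrites: legitimate names, so require the worm's size too.
REPLACED_PATHS = {p.lower() for p in (
    r"C:\Program Files\NetMeeting\conf.exe",
    r"C:\Program Files\MSN Messenger\msnmsgr.exe",
    r"C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\Ikernel.exe",
    r"C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe",
)}

# Files the worm creates; these names have no legitimate reason to exist.
# Subset of the list in the analysis; extend with the remaining entries.
DROPPED_PATHS = {p.lower() for p in (
    r"c:\_backup.exe",
    r"c:\svchost.exe",
    r"c:\I_AM_A_WORM_DONT_OPEN_ME_LOL.exe",
    r"c:\WINDOWS\svchost.exe",
    r"c:\WINDOWS\SYMTEM.exe",
    r"c:\WINDOWS\I_AM_A_WORM_DONT_OPEN_ME_LOL.exe",
    r"c:\WINDOWS\All Users\Start Menu\Programs\StartUp\SYMTEM.EXE",
    r"c:\x86_Microsoft_Windows_CPlusPlusRuntime_6595b64144ccf1df_x-ww_2726e76a.exe",
)}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [Key] headers and
    "Name"="String" lines. In .reg files a backslash is written as \\."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            values.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            values[key][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def find_persistence(reg_values):
    """RunServices entries equal to the worm's value, or whose executable
    is one of the worm's drop paths. Returns a list of (name, data)."""
    hits = []
    for name, data in reg_values.get(RUNSERVICES_KEY, {}).items():
        exact = (name.lower(), data.lower()) == PERSISTENCE_VALUE
        exe = data.strip('"').split(" ")[0].lower()
        if exact or exe in DROPPED_PATHS:
            hits.append((name, data))
    return hits


def find_dropped_files(listing):
    """listing: iterable of (path, size_in_bytes). Returns (path, reason)
    for each file matching the drop or replace indicators."""
    hits = []
    for path, size in listing:
        p = path.lower()
        if p in DROPPED_PATHS:
            hits.append((path, "worm drop path"))
        elif p in REPLACED_PATHS and size == SYMTEN_SIZE:
            hits.append((path, "legitimate path replaced by worm body"))
        elif size == SYMTEN_SIZE and p.endswith(".exe"):
            hits.append((path, "size matches worm body; inspect"))
    return hits


# Constructed sample inputs (not taken from a real infected host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
"Swf32"="C:\\_backup.exe"
'''

SAMPLE_LISTING = [
    (r"C:\_backup.exe", 106_496),
    (r"C:\Program Files\NetMeeting\conf.exe", 106_496),
    (r"C:\Program Files\MSN Messenger\msnmsgr.exe", 1_523_712),  # size differs: not flagged
    (r"C:\WINDOWS\notepad.exe", 53_248),
    (r"c:\windows\I_AM_A_WORM_DONT_OPEN_ME_LOL.exe", 106_496),  # case-insensitive match
    (r"C:\WINDOWS\Temp\update.exe", 106_496),  # unlisted name, size match only
]


def triage(reg_text=SAMPLE_REG, listing=SAMPLE_LISTING):
    """Run both checks and return a report dict."""
    return {
        "persistence": find_persistence(parse_reg_export(reg_text)),
        "files": find_dropped_files(listing),
    }


if __name__ == "__main__":
    for section, hits in triage().items():
        print(section)
        for hit in hits:
            print("  ", hit)
```

On a real case, confirm a size-only lead with the file's hash or by checking the PE import table for MSVBVM60.DLL before treating it as the worm; the size check exists only to catch the overwritten legitimate names.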

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR